help-cfengine

cfservd 2.0.4 and admit...


From: Juha Ylitalo
Subject: cfservd 2.0.4 and admit...
Date: 17 Jan 2003 10:05:08 +0200

I just found out that I have a serious problem in my cfservd.conf,
because my passwd, shadow, ... replication with cfengine seems to allow
anyone to copy the central passwd, group, ... which should not be the case.
This is probably user error in the sense that I've managed to mess
something up in my config files and as such, any help on getting access
tightened up would be appreciated.

cfservd 2.0.4 running on RedHat Linux 7.3
cfagent 2.0.4 running on RedHat Linux 7.3/8.0
boat is 172.21.200.22
other hosts that were able to copy stuff (even though they are NOT
supposed to be able to do it) were 172.21.200.53-55 and 172.21.200.245.

cfserv.conf has the following kind of settings:
[begin quote]
control:

  domain = ( ntc.nokia.com )
  AllowConnectionsFrom = ( 172.21.200.2-254 )
  DynamicAddresses = ( 172.21.200.128-254 )
  TrustKeysFrom = ( 172.21.200.2-254 )
[...]

admit:   # or grant:
   /etc/shadow                          boat.ntc.nokia.com
   /etc/gshadow                         boat.ntc.nokia.com
   /etc/group                           boat.ntc.nokia.com
   /etc/passwd                          boat.ntc.nokia.com
   /etc/raddb/clients.conf              boat.ntc.nokia.com
   /etc/raddb/users                     boat.ntc.nokia.com
   /etc/raddb/naslist                   boat.ntc.nokia.com

   /var/cfengine/masterfiles/inputs     *.ntc.nokia.com
[end of quote]

-- 
Juha Ylitalo       address@hidden           <work e-mail>
+358 40 562 6152   http://linux.nokia.com/~jylitalo/  <work www>
"Some tools are used, because its policy, others because they are good."



