help-cfengine
question about how cfservd handles admit and deny...


From: Juha Ylitalo
Subject: question about how cfservd handles admit and deny...
Date: 20 May 2003 15:11:07 +0300

cfservd host: ship (RedHat 7.3)
cfagent host: laptop (RedHat 7.3) and boat (...)

I am trying to use cfservd <-> cfagent communications to transfer RADIUS
related files from the primary server to the backup server using cfengine 2.0.4
(yes, I know that cfengine 2.0.7 is out). I've done this by listing
/etc/shadow, /etc/raddb/*, ... files in the cfservd.conf file on ship.
The problem in this setup is that even though I've specifically stated
that /etc/shadow, etc. files are only admitted to boat, the laptop machine
is able to get /etc/shadow, etc. in addition to those files that it is
permitted to copy from /var/cfengine/masterfiles/inputs.
If I add "deny: /etc !boat" to cfservd.conf, no one (including boat) is
able to get those files.

Could someone point out where I have a mistake in my cfservd.conf, or, if
this is a bug in cfengine 2.0.4, whether it is fixed in newer versions?

CFSERVD.CONF
------------
[begin quote from cfservd.conf]
admit:   # or grant:
   /etc/shadow   boat.ntc.nokia.com
   /etc/gshadow  boat.ntc.nokia.com
   /etc/group    boat.ntc.nokia.com
   /etc/passwd   boat.ntc.nokia.com
   /etc/raddb/clients.conf  boat.ntc.nokia.com
   /etc/raddb/users         boat.ntc.nokia.com
   /etc/raddb/naslist       boat.ntc.nokia.com
   /var/cfengine/masterfiles/inputs *.ntc.nokia.com

deny:
  /etc !boat.ntc.nokia.com
[end of quote from cfservd.conf]

HOW IT SHOWS IN LOG FILES
--------------------------
[begin quote from /var/log/messages]
May 20 15:07:05 ship cfservd[4124]: From (host=boat.ntc.nokia.com,user=root,ip=172.21.200.22)
May 20 15:07:05 ship cfservd[4124]:  ID from connecting host: (SYNCH 1053432425 STAT /etc/raddb/users)
[end quote from /var/log/messages]

-- 
Juha Ylitalo       juha.o.ylitalo@nokia.com           <work e-mail>
+358 40 562 6152   http://linux.nokia.com/~jylitalo/  <work www>
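The following is an added example, not code from the post or from cfengine itself: a small model of the access policy the poster intends, so the expected outcome of each request can be written down and compared with what the server actually does. It assumes the semantics the post relies on (an entry's path is matched as a directory prefix of the requested path, host patterns are shell-style globs matched against the client's resolved name, and a matching deny entry overrides any admit entry); it gives "!" no special meaning in a host pattern, which is my assumption and not something the post establishes. The client name laptop.ntc.nokia.com and the request list are constructed for the example. Under this model laptop cannot fetch /etc/shadow, which is the behaviour the poster expected and did not observe from cfservd 2.0.4.

```python
"""Model of a cfservd-style admit/deny policy (added example, not cfengine code)."""
import fnmatch

# Constructed copy of the admit/deny sections the poster quoted from cfservd.conf.
POSTED_CONF = """\
admit:   # or grant:
   /etc/shadow   boat.ntc.nokia.com
   /etc/gshadow  boat.ntc.nokia.com
   /etc/group    boat.ntc.nokia.com
   /etc/passwd   boat.ntc.nokia.com
   /etc/raddb/clients.conf  boat.ntc.nokia.com
   /etc/raddb/users         boat.ntc.nokia.com
   /etc/raddb/naslist       boat.ntc.nokia.com
   /var/cfengine/masterfiles/inputs *.ntc.nokia.com

deny:
  /etc !boat.ntc.nokia.com
"""

# Variant with an unconditional deny on /etc, to show that deny cannot carve out exceptions.
DENY_ALL_ETC = POSTED_CONF.replace("!boat.ntc.nokia.com", "*")


def parse_cfservd(text):
    """Return (admit, deny): lists of (path, [host patterns]) from admit:/grant:/deny: sections."""
    admit, deny, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        if line.endswith(":"):                # section header such as "admit:" or "deny:"
            section = line[:-1]
            continue
        path, *hosts = line.split()
        if section in ("admit", "grant"):
            admit.append((path, hosts))
        elif section == "deny":
            deny.append((path, hosts))
    return admit, deny


def path_under(path, prefix):
    """Directory-prefix match (assumption): True if path is prefix itself or lies below it."""
    prefix = prefix.rstrip("/")
    if not prefix:                            # a bare "/" covers everything
        return True
    return path == prefix or path.startswith(prefix + "/")


def host_matches(host, patterns):
    """Shell-style glob match of the client's resolved name; "!" is an ordinary character here (assumption)."""
    return any(fnmatch.fnmatchcase(host, pat) for pat in patterns)


def authorized(policy, host, path):
    """Deny overrides admit; otherwise any matching admit entry grants access (assumed semantics)."""
    admit, deny = policy
    if any(path_under(path, p) and host_matches(host, h) for p, h in deny):
        return False
    return any(path_under(path, p) and host_matches(host, h) for p, h in admit)


def evaluate(conf_text, requests):
    """Map each (host, path) request to True/False under the parsed policy."""
    policy = parse_cfservd(conf_text)
    return {(host, path): authorized(policy, host, path) for host, path in requests}


# Constructed requests: the two clients from the post asking for files in the post.
REQUESTS = [
    ("boat.ntc.nokia.com", "/etc/shadow"),
    ("boat.ntc.nokia.com", "/etc/raddb/users"),
    ("laptop.ntc.nokia.com", "/etc/shadow"),
    ("laptop.ntc.nokia.com", "/var/cfengine/masterfiles/inputs/cfagent.conf"),
]

if __name__ == "__main__":
    for label, conf in (("posted config", POSTED_CONF), ("deny /etc *", DENY_ALL_ETC)):
        print(f"== {label} ==")
        for (host, path), ok in evaluate(conf, REQUESTS).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {host:22} {path}")
```

The second configuration makes the structural point: once a deny entry for /etc matches boat, it overrides every admit entry underneath it, so "everyone except boat" has to be expressed by listing only boat in admit, not by a deny with an exception.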