help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cfrun remote script. -f is stripped


From: Mark Burgess
Subject: Re: cfrun remote script. -f is stripped
Date: Mon, 3 Nov 2003 10:29:59 +0100 (MET)

On 29 Oct, Yaroslav Halchenko wrote:
> Dear Guru,
> 
> I've got the same problem as the guy before but who never got a reply
> so I couldn't find answer to my question and decided to bother you
> 
> http://mail.gnu.org/archive/html/help-cfengine/2003-08/msg00006.html
> 
> The same I have here: I've created a cfengine script which supposed to
> run install_packages from FAI any time I add another new package to
> the list of packages in FAI configuration to be installed on all
> machines. So I don't really want it to be a part of default
> cfagent.conf but rather want to run it whenever I want. So I create
> some script cfapt.conf which I can run locally as
> cfagent -f cfapt.conf
> and it works.
> 
> But if I try to run it from main machine through cfrun I give command
> like cfrun -- -f cfapt.conf
> then  output shows that either cfrun or cfservd strips out -f and just
> calls cfrun ... cfapt.conf  
> 
> Before I post any long -d2 or -d1 which didn't bring me newbie to the
> ground-truth I want to ask you - may be I'm doing something totally
> wrong and it shouldn't be done this way at all...
> 
> Thank you in advance for all hints
> 
>                                   .-.
> =------------------------------   /v\  ----------------------------=
> Keep in touch                    // \\     (yoh@|www.)onerussian.com
> Yaroslav Halchenko              /(   )\               ICQ#: 60653192
>                    Linux User    ^^-^^    [175555]
>              Key  http://www.onerussian.com/gpg-yoh.asc
> GPG fingerprint   3BB6 E124 0643 A615 6F00  6854 8D11 4563 75C0 24C8
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> address@hidden
> http://mail.gnu.org/mailman/listinfo/help-cfengine



Absolutely right you shouldn't be considering this at all!! :)
It would be a huge security hole if it were possible to say what
file were executed with root privileges by cfrun. -f is stripped
because it would be trivial for a local user to execute any
configuration they wished if they could control policy.

Mark


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  address@hidden
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





reply via email to

[Prev in Thread] Current Thread [Next in Thread]