Re: Cfservd wants physical paths

From: Mark . Burgess
Subject: Re: Cfservd wants physical paths
Date: Sat, 15 Nov 2003 00:30:58 +0100 (MET)

No! Don't do that! Cfengine wants physical paths to make you face
up to security issues. It is bad practice to refer to a link.
There are all kinds of ways of tricking systems into doing bad
things with symbolic links.

This is a case where cfengine is being difficult in your best


On 14 Nov, Robert Cantu wrote:
> I'm having trouble with cfservd allowing a host to copy a file from the 
> server where the file resides in a directory that has at least one 
> symlink in its path.
> Example:
> cfservd.conf
> ...
> grant:
>      /var/cfengine/inputs     <ip list>
>        encrypt=true
> /var/cfengine/inputs is a symlink to somewhere else, let's say, 
> /usr/local/foo, which is also a symlink for /usr/local/bar. cfagent 
> running on the client machine connects and gets all the trusted keys 
> right, but it still says "Host authentication failed. Did you forget 
> the domain name?" when it hits the copy in update.conf. Back on the 
> server machine, with the Syslog = ( on ), cfservd logs the following 
> for the relevant request for copying cfagent.conf:
> Nov 14 16:05:14 server cfservd[22716]: From ( 
> user=root,ip=
> Nov 14 16:05:14 server cfservd[22716]:  ID from connecting host: (SYNCH 
> 1068804314 STAT /var/cfengine/inputs/cfservd.conf)
> Nov 14 16:05:14 server cfservd[22716]:  Host denied 
> access to /usr/local/bar/cfagent.conf
> Nov 14 16:05:14 server cfservd[22716]: Host 
> authorization/authentication failed or access denied
> It seems that cfservd wants the absolute physical path (much like pwd 
> -P in bash). When I use the physical path in the grant section instead 
> of /var/cfengine/inputs, the cfagent doesn't even get access to try to 
> copy since it's requesting /var/cfengine/inputs/cfagent.conf, but it's 
> not in the grant: section. The only way I've gotten this to work is to 
> have grant: for both /var/cfengine/inputs and /usr/local/bar.
> Is there any way to have cfservd not care about symlinks in the 
> admit|grant sections? Please CC my email so that I can view replies, 
> thanks.
> Robert Cantu
> address@hidden
> _______________________________________________
> Help-cfengine mailing list
> address@hidden

Work: +47 22453272            Email:  address@hidden
Fax : +47 22453205            WWW  :
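
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not cfengine's own code: a simplified model (an assumption) in which the server resolves each requested path to its physical location and compares it with the grant entries taken literally. The temporary directory layout and the names `is_admitted`, `audit_grants` and `build_demo_tree` are constructed for illustration.

```python
import os
import tempfile


def is_admitted(requested, grants):
    """Resolve the request to its physical path, then match it against the
    grant entries taken literally (grant entries are NOT resolved)."""
    physical = os.path.realpath(requested)
    for g in grants:
        g = g.rstrip(os.sep)
        if physical == g or physical.startswith(g + os.sep):
            return True
    return False


def audit_grants(grants):
    """Return {entry: physical_path} for every grant entry that is not physical."""
    findings = {}
    for g in grants:
        physical = os.path.realpath(g)
        if physical != os.path.normpath(g):
            findings[g] = physical
    return findings


def build_demo_tree():
    """Constructed sample layout mirroring the thread: inputs -> foo -> bar."""
    # Resolve the temp root first so that only our own links are symlinks.
    root = os.path.realpath(tempfile.mkdtemp(prefix="grant-demo-"))
    bar = os.path.join(root, "bar")
    foo = os.path.join(root, "foo")
    inputs = os.path.join(root, "inputs")
    os.mkdir(bar)
    os.symlink(bar, foo)
    os.symlink(foo, inputs)
    with open(os.path.join(bar, "cfagent.conf"), "w") as fh:
        fh.write("# constructed sample file\n")
    return inputs, bar


if __name__ == "__main__":
    inputs, bar = build_demo_tree()
    request = os.path.join(inputs, "cfagent.conf")
    print("grant on symlink path :", is_admitted(request, [inputs]))
    print("grant on physical path:", is_admitted(request, [bar]))
    print("non-physical grants   :", audit_grants([inputs, bar]))
```

Running `audit_grants` over the paths listed in a grant section shows which entries name a link and what physical directory each one currently points to.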
