Re: Cfservd wants physical paths
From: Mark Burgess
Subject: Re: Cfservd wants physical paths
Date: Sat, 15 Nov 2003 00:30:58 +0100 (MET)
No! Don't do that! Cfengine wants physical paths to make you face
up to security issues. It is bad practice to refer to a link.
There are all kinds of ways of tricking systems into doing bad
things with symbolic links.
This is a case where cfengine is being difficult in your best
interests.
M
On 14 Nov, Robert Cantu wrote:
> I'm having trouble with cfservd allowing a host to copy a file from the
> server where the file resides in a directory that has at least one
> symlink in its path.
>
> Example:
>
> cfservd.conf
> ...
> grant:
> /var/cfengine/inputs <ip list>
> encrypt=true
>
> /var/cfengine/inputs is a symlink to somewhere else, let's say,
> /usr/local/foo, which is also a symlink for /usr/local/bar. cfagent
> running on the client machine connects and gets all the trusted keys
> right, but it still says "Host authentication failed. Did you forget
> the domain name?" when it hits the copy in update.conf. Back on the
> server machine, with the Syslog = ( on ), cfservd logs the following
> for the relevant request for copying cfagent.conf:
>
> Nov 14 16:05:14 server cfservd[22716]: From (host=client.bar.com
> user=root,ip=192.168.20.40)
> Nov 14 16:05:14 server cfservd[22716]: ID from connecting host: (SYNCH
> 1068804314 STAT /var/cfengine/inputs/cfservd.conf)
> Nov 14 16:05:14 server cfservd[22716]: Host client.bar.com denied
> access to /usr/local/bar/cfagent.conf
> Nov 14 16:05:14 server cfservd[22716]: Host
> authorization/authentication failed or access denied
>
> It seems that cfservd wants the absolute physical path (much like pwd
> -P in bash). When I use the physical path in the grant section instead
> of /var/cfengine/inputs, the cfagent doesn't even get access to try to
> copy since it's requesting /var/cfengine/inputs/cfagent.conf, but it's
> not in the grant: section. The only way I've gotten this to work is to
> have grant: for both /var/cfengine/inputs and /usr/local/bar.
>
> Is there any way to have cfservd not care about symlinks in the
> admit|grant sections? Please CC my email so that I can view replies,
> thanks.
>
> Robert Cantu
> robert@artistictech.net
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-cfengine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
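As an added illustration of the point Mark makes above (this is an example written for this page, not cfengine's or cfservd's code; the directory layout, the file names and the setup_demo/check_access helpers are all constructed for the demo), the script below models an access check that canonicalises every requested path with readlink -f before comparing it against a grant that names a physical directory. A request made through the /var/cfengine/inputs link chain is allowed because it resolves inside the granted tree, while a symlink planted inside that tree pointing outside it, and a ../ traversal, are both denied. It also shows why a grant written as the symlink name matches nothing once the request has been resolved, which is what Robert's "denied access to /usr/local/bar/cfagent.conf" log line reflects.

```shell
#!/bin/sh
# Demo (not cfengine code): why an access list should be keyed on physical
# paths and compared against the canonicalised request.

# Build a throwaway tree mirroring the thread:
#   var/cfengine/inputs -> usr/local/foo -> usr/local/bar (real directory)
# plus a hostile symlink inside bar that points outside the exported tree.
setup_demo() {
    root=$(readlink -f "$(mktemp -d)")          # canonical temp root
    mkdir -p "$root/usr/local/bar" "$root/var/cfengine"
    printf 'control:\n  actionsequence = ( copy )\n' \
        > "$root/usr/local/bar/cfagent.conf"
    ln -s "$root/usr/local/bar" "$root/usr/local/foo"       # foo -> bar
    ln -s "$root/usr/local/foo" "$root/var/cfengine/inputs" # inputs -> foo
    printf 'not for clients\n' > "$root/etc_shadow"         # outside the tree
    ln -s "$root/etc_shadow" "$root/usr/local/bar/escape"   # planted link
    echo "$root"
}

# check_access GRANT_DIR REQUESTED_PATH -> prints "allow" or "deny".
# GRANT_DIR is taken literally, as an administrator wrote it in the ACL;
# the request is resolved to its physical path before the prefix test.
check_access() {
    grant=$1
    req_phys=$(readlink -f "$2" 2>/dev/null) || { echo deny; return 0; }
    [ -d "$grant" ] || { echo deny; return 0; }
    case "$req_phys" in
        "$grant"/*) echo allow ;;
        *)          echo deny ;;
    esac
}

DEMO_ROOT=$(setup_demo)
trap 'rm -rf "$DEMO_ROOT"' EXIT
GRANT_PHYS="$DEMO_ROOT/usr/local/bar"          # what the ACL should name
LOGICAL="$DEMO_ROOT/var/cfengine/inputs"       # what clients ask for

echo "grant on physical path $GRANT_PHYS:"
for req in "$LOGICAL/cfagent.conf" \
           "$LOGICAL/escape" \
           "$LOGICAL/../../../etc_shadow"; do
    printf '  %-50s %s\n' "${req#$DEMO_ROOT}" "$(check_access "$GRANT_PHYS" "$req")"
done

echo "grant on symlink name $LOGICAL:"
printf '  %-50s %s\n' "${LOGICAL#$DEMO_ROOT}/cfagent.conf" \
    "$(check_access "$LOGICAL" "$LOGICAL/cfagent.conf")"
```

The escape case is the one Mark is warning about: if the check compared the textual request against the grant, /var/cfengine/inputs/escape would look like a file inside the exported directory, yet the bytes served would come from outside it. Resolving the request first and keying the ACL on the real directory closes that hole, at the cost of having to write the physical path in the grant.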