help-cfengine
Re: Cfservd wants physical paths


From: Mark . Burgess
Subject: Re: Cfservd wants physical paths
Date: Sat, 15 Nov 2003 00:30:58 +0100 (MET)

No! Don't do that! Cfengine wants physical paths to make you face
up to security issues. It is bad practice to refer to a link.
There are all kinds of ways of tricking systems into doing bad
things with symbolic links.

This is a case where cfengine is being difficult in your best
interests.

M

On 14 Nov, Robert Cantu wrote:
> I'm having trouble with cfservd allowing a host to copy a file from the 
> server where the file resides in a directory that has at least one 
> symlink in its path.
> 
> Example:
> 
> cfservd.conf
> ...
> grant:
>      /var/cfengine/inputs     <ip list>
>        encrypt=true
> 
> /var/cfengine/inputs is a symlink to somewhere else, let's say, 
> /usr/local/foo, which is also a symlink for /usr/local/bar. cfagent 
> running on the client machine connects and gets all the trusted keys 
> right, but it still says "Host authentication failed. Did you forget 
> the domain name?" when it hits the copy in update.conf. Back on the 
> server machine, with the Syslog = ( on ), cfservd logs the following 
> for the relevant request for copying cfagent.conf:
> 
> Nov 14 16:05:14 server cfservd[22716]: From (host=client.bar.com 
> user=root,ip=192.168.20.40)
> Nov 14 16:05:14 server cfservd[22716]:  ID from connecting host: (SYNCH 
> 1068804314 STAT /var/cfengine/inputs/cfservd.conf)
> Nov 14 16:05:14 server cfservd[22716]:  Host client.bar.com denied 
> access to /usr/local/bar/cfagent.conf
> Nov 14 16:05:14 server cfservd[22716]: Host 
> authorization/authentication failed or access denied
> 
> It seems that cfservd wants the absolute physical path (much like pwd 
> -P in bash). When I use the physical path in the grant section instead 
> of /var/cfengine/inputs, the cfagent doesn't even get access to try to 
> copy since it's requesting /var/cfengine/inputs/cfagent.conf, but it's 
> not in the grant: section. The only way I've gotten this to work is to 
> have grant: for both /var/cfengine/inputs and /usr/local/bar.
> 
> Is there any way to have cfservd not care about symlinks in the 
> admit|grant sections? Please CC my email so that I can view replies, 
> thanks.
> 
> Robert Cantu
> robert@artistictech.net
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-cfengine



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
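
An added example, not part of the original thread and not cfservd's own code: it rebuilds the inputs -> foo -> bar layout from the question in a temporary directory and compares a string-only path check with one that first resolves the request to its physical path. The function names, the `private` directory and the `link` entry are constructed for the illustration.

```python
import os
import tempfile


def lexical_allows(requested, granted_dirs):
    """Compare path strings only; symlinks are never resolved."""
    req = os.path.normpath(requested)
    return any(os.path.commonpath([req, os.path.normpath(g)]) == os.path.normpath(g)
               for g in granted_dirs)


def physical_allows(requested, granted_dirs):
    """Resolve the request like `pwd -P`, then compare against the grants as written."""
    return lexical_allows(os.path.realpath(requested), granted_dirs)


def demo():
    """Constructed layout mirroring the thread: inputs -> foo -> bar (real directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # the temp dir itself may sit behind a link
        bar, foo, inputs, private = (os.path.join(root, n)
                                     for n in ("bar", "foo", "inputs", "private"))
        os.mkdir(bar)
        os.mkdir(private)
        os.symlink(bar, foo)
        os.symlink(foo, inputs)
        for path in (os.path.join(bar, "cfagent.conf"), os.path.join(private, "secret")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # A link inside the granted tree that points at a file outside it.
        os.symlink(os.path.join(private, "secret"), os.path.join(bar, "link"))

        request = os.path.join(inputs, "cfagent.conf")
        stray = os.path.join(bar, "link")
        return {
            "resolved": os.path.relpath(os.path.realpath(request), root),
            "symlink_grant_physical": physical_allows(request, [inputs]),
            "real_grant_physical": physical_allows(request, [bar]),
            "stray_lexical": lexical_allows(stray, [bar]),
            "stray_physical": physical_allows(stray, [bar]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A grant that names the symlink never matches the resolved request, while the string-only check accepts the link that leaves the granted tree and the physical check refuses it.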




