help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cfservd wants physical paths


From: Mark . Burgess
Subject: Re: Cfservd wants physical paths
Date: Sat, 15 Nov 2003 00:30:58 +0100 (MET)

No! Don't do that! Cfengine wants physical paths to make you face
up to security issues. It is bad practice to refer to a link.
There are all kinds of ways of tricking systems into doing bad
things with symbolic links.

This is a case where cfengine is being difficult in your best
interests.

M

On 14 Nov, Robert Cantu wrote:
> I'm having trouble with cfservd allowing a host to copy a file from the 
> server where the file resides in a directory that has at least one 
> symlink in it's path.
> 
> Example:
> 
> cfservd.conf
> ...
> grant:
>      /var/cfengine/inputs     <ip list>
>        encrypt=true
> 
> /var/cfengine/inputs is a symlink to somewhere else, let's say, 
> /usr/local/foo, which is also a symlink for /usr/local/bar. cfagent 
> running on the client machine connects and gets all the trusted keys 
> right, but it still says "Host authentication failed. Did you forget 
> the domain name?" when it hits the copy in update.conf. Back on the 
> server machine, with the Syslog = ( on ), cfservd logs the following 
> for the relevant request for copying cfagent.conf:
> 
> Nov 14 16:05:14 server cfservd[22716]: From (host=client.bar.com 
> user=root,ip=192.168.20.40)
> Nov 14 16:05:14 server cfservd[22716]:  ID from connecting host: (SYNCH 
> 1068804314 STAT /var/cfengine/inputs/cfservd.conf)
> Nov 14 16:05:14 server cfservd[22716]:  Host client.bar.com denied 
> access to /usr/local/bar/cfagent.conf
> Nov 14 16:05:14 server cfservd[22716]: Host 
> authorization/authentication failed or access denied
> 
> It seems that cfservd wants the absolute physical path (much like pwd 
> -P in bash). When I use the physical path in the grant section instead 
> of /var/cfengine/inputs, the cfagent doesn't even get access to try to 
> copy since it's requesting /var/cfengine/inputs/cfagent.conf, but it's 
> not in the grant: section. The only way I've gotten this to work is to 
> have grant: for both /var/cfengine/inputs and /usr/local/bar.
> 
> Is there any way to have cfservd not care about symlinks in the 
> admit|grant sections? Please CC my email so that I can view replys, 
> thanks.
> 
> Robert Cantu
> address@hidden
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> address@hidden
> http://mail.gnu.org/mailman/listinfo/help-cfengine



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  address@hidden
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





reply via email to

[Prev in Thread] Current Thread [Next in Thread]