help-cfengine

cfrun, and access to cfrunCommand...


From: Christian Pearce
Subject: cfrun, and access to cfrunCommand...
Date: Thu, 11 Dec 2003 19:11:05 GMT

First off, lesson learned.  And I hope this helps out others.  When I was trying 
to get cfrun to work I was getting this from cfservd in debug mode:

Received: [EXEC  ] on socket 5
User root granted connection privileges
AccessControl()
cfservd: Couldn't stat filename  from host pearcec.commnav.com
 
cfservd: lstatcfservd: Host authorization/authentication failed or access 
deniedTransaction Send[t 114][Packed text]

I looked at the code and realized I had to set cfrunCommand.  I had 
cfRunCommand.  I don't think I need to go into detail over the merits of having 
access to the code at this time.  But let's just say it would have been hard to 
track this down otherwise.  Thanks Mark!

Then I was getting another error.

AccessControl(/var/cfengine/bin/cfagent)
AccessControl(/var/cfengine/bin/cfagent,pearcec.commnav.com) encrypt request=0
Found a matching rule in access list (/var/cfengine/bin/cfagent,/var/cfengine/bin/cfagent)
cfservd: File /var/cfengine/bin/cfagent requires encrypt connection...will not serve
cfservd: Host pearcec.commnav.com denied access to /var/cfengine/bin/cfagent
cfservd: Host authorization/authentication failed or access denied

Notice this time I have AccessControl fleshed out in the debug report.  But I 
was still not given access.

I traced through more code and found this.

      if (!encrypt && (ap->encrypt == true))
         {
         snprintf(conn->output,bufsize,"File %s requires encrypt connection...will not serve\n",ap->path);
         CfLog(cferror,conn->output,"");
         access = false;
         }

The error implies that you need to set encrypt to have access to this file.  Or 
allow cfservd to continue with the process it is trying to accomplish, in this 
case execute cfagent via cfrun.

/var/cfengine/bin/cfagent      [ips]
        encrypt=true

But I did have encrypt set to true.  So I looked at how AccessControl was being 
called and I came up with this:

if(!AccessControl(CFRUNCOMMAND,conn,false))

Notice the third parameter is false.  Implying it is checking that it isn't 
encrypted.  (I guess)  When I took out the encrypt statement it worked like a 
freaking champ.

But it leads me to believe something isn't right.

Is the error message backwards?  Was the cfrunCommand intended to have access 
to it in an unencrypted manner?  If so, why?  It seems to me I would want to 
encrypt.  Or maybe since I am not copying it doesn't matter.

Maybe the code should look like this

    if (encrypt && (ap->encrypt == false))

Translation.  We are looking for this file to be encrypted and the access 
control structure (ap) tells us it isn't.

- or -

The error messages should be reversed.  Having said all that, I didn't dive too 
deep into the surrounding structure of the access control checks.  So I am not 
certain reversing the if statement logic would work.  But certainly the error 
message isn't correct.  Another thing I just thought of is, who cares if it is 
encrypted.  To me it shouldn't care if it is.  It should only care if it wasn't, 
which is what I think this piece of code intends to do.  Maybe someone just 
reversed it accidentally while coding.

Could someone explain this to me?  Am I just being a chump?

Thanks.

--
Christian Pearce
http://www.commnav.com
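
The two conditions discussed in the message above, as an added example that is not part of the original post or of the cfengine source: a simplified model (the struct `acl_entry`, the sample rules and the function names are hypothetical) that tabulates the quoted check against the reversed one and models the exec call with its third argument fixed to false.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified access-list entry: only the path and the
   encrypt flag seen in the post are modelled. */
struct acl_entry { const char *path; bool encrypt; };

/* Constructed sample rules: one with encrypt=true, one without. */
static const struct acl_entry RULE_ENCRYPT = { "/var/cfengine/bin/cfagent", true };
static const struct acl_entry RULE_PLAIN   = { "/var/cfengine/bin/cfagent", false };

/* Check as quoted from the source: refuse when the rule requires
   encryption and the request did not arrive encrypted. */
static bool allowed_as_quoted(const struct acl_entry *ap, bool encrypt)
{
    return !(!encrypt && ap->encrypt);
}

/* Check with the reversed condition suggested in the post: refuse when the
   request is encrypted and the rule does not require encryption. */
static bool allowed_as_proposed(const struct acl_entry *ap, bool encrypt)
{
    return !(encrypt && !ap->encrypt);
}

/* The exec path as quoted, AccessControl(CFRUNCOMMAND,conn,false): the
   encrypt argument is always false, whatever the rule says. */
static bool exec_allowed(const struct acl_entry *ap)
{
    return allowed_as_quoted(ap, false);
}

int main(void)
{
    const struct acl_entry *rules[] = { &RULE_ENCRYPT, &RULE_PLAIN };

    puts("rule.encrypt  request.encrypt  quoted  proposed");
    for (int r = 0; r < 2; r++)
        for (int e = 0; e <= 1; e++)
            printf("%-13d %-16d %-7s %s\n", rules[r]->encrypt, e,
                   allowed_as_quoted(rules[r], e) ? "allow" : "deny",
                   allowed_as_proposed(rules[r], e) ? "allow" : "deny");

    printf("exec with encrypt=true rule:  %s\n", exec_allowed(&RULE_ENCRYPT) ? "allow" : "deny");
    printf("exec without encrypt rule:    %s\n", exec_allowed(&RULE_PLAIN) ? "allow" : "deny");
    return 0;
}
```

In this model the quoted check refuses only a plaintext request against an encrypt=true rule, while the reversed condition admits that request and instead refuses an encrypted request against a rule without the flag.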



