[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
cfrun, and access to cfrunCommand...
From: |
Christian Pearce |
Subject: |
cfrun, and access to cfrunCommand... |
Date: |
Thu, 11 Dec 2003 19:11:05 GMT |
First off lesson learned. And I hope this helps out others. When I was trying
to get the cfrun to work I was getting this from the cfservd in debug mode
Received: [EXEC ] on socket 5
User root granted connection privileges
AccessControl()
cfservd: Couldn't stat filename from host pearcec.commnav.com
cfservd: lstatcfservd: Host authorization/authentication failed or access
deniedTransaction Send[t 114][Packed text]
I looked at the code and realize I had to set cfrunCommand. I had
cfRunCommand. I don't think I need to go into detail over the merits of having
access to the code at this time. But let's just say it would have been hard to
track this down otherwise. Thanks Mark!
Then I was getting another error.
AccessControl(/var/cfengine/bin/cfagent)
AccessControl(/var/cfengine/bin/cfagent,pearcec.commnav.com) encrypt request=0
Found a matching rule in access list
(/var/cfengine/bin/cfagent,/var/cfengine/bin/cfagent)
cfservd: File /var/cfengine/bin/cfagent requires encrypt connection...will not
serve
cfservd: Host pearcec.commnav.com denied access to /var/cfengine/bin/cfagent
cfservd: Host authorization/authentication failed or access denied
Notice this time I have AccessControl fleshed out in the debug report. But I
was still not given access.
I traced through more code and found this.
if (!encrypt && (ap->encrypt == true))
{
snprintf(conn->output,bufsize,"File %s requires encrypt
connection...will not serve\n",ap->path);
CfLog(cferror,conn->output,"");
access = false;
}
The error implies that you need to set encrypt to have access to this file. Or
allow cfservd to continue with the process it is trying to accomplish, in this
case execute cfagent via cfrun.
/var/cfengine/bin/cfagent [ips]
encrypt=true
But I did have encrypt set to true. So I looked at how AccessControl was being
called and I came up with this:
if(!AccessControl(CFRUNCOMMAND,conn,false))
Notice the third parameter is false. Implying it checking that it isn't
encrypted. (I guess) When I took out the encrypt statement it works like a
freaking champ.
But leads me to believe something isn't right.
Is the error message backwords? Was the cfrunCommand intended to have access
to in in an unencrypted manor? Is so why? It seems to me I would want to
encrypt. Or maybe since I am not copying it doesn't matter.
Maybe the code should look like this
if (encrypt && (ap->encrypt == false))
Translation. We are looking for this file to be encrypted and the access
control structure (ap) tells us it isn't.
- or -
The error messages should be reversed. Having said all that I didn't dive to
deep into the surrounding structure of the Access crontrol checks. So I am not
certain reversing the if statement logic would work. But certainly the error
message isn't correct. Another thing I just though of is, who cares if it is
encrypted. To me it shouldn't care if it is. It should only care if it wasn't
which is what I think this piece of code intends to do. Maybe someone just
reversed it accidently while coding.
Could someone explain this to me? Am I just being a chump?
Thanks.
--
Christian Pearce
http://www.commnav.com
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- cfrun, and access to cfrunCommand...,
Christian Pearce <=