Re: [No match of class]?

From: Luke A. Kanies
Subject: Re: [No match of class]?
Date: Wed, 25 Feb 2004 17:24:49 -0600 (CST)

On Wed, 25 Feb 2004, Lev Lvovsky wrote:

> On Feb 25, 2004, at 2:52 PM, Luke A. Kanies wrote:
> > I usually use a '*' mechanism, even though it also seems
> > marginally unclean.  I agree that it would be nice if cfservd could
> > somehow know which classes matched the incoming client, but that's not
> > really possible -- it would have no way of knowing, for instance, whether
> > a client was an aix server or a sunos server.
> but isn't that what a group definition provides?

Yes, basically.  The problem is that the client runs and sets a bunch of
classes; some are classes you define, but others are classes automatically
discovered by cfengine (e.g., aix, powerpc).  There's no way for cfservd
to get those classes on its own, so it has to get them from the client.
But then you're talking about the server using information from the client
to determine if the client has access to something, which is an obvious
security hole.

If you didn't rely on automatic grouping, you could possibly do it, but
cfservd isn't set up to support client grouping, so the functionality
isn't there.

Westheimer's Discovery:
        A couple of months in the laboratory can frequently save a
        couple of hours in the library.
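
Added example, not part of the original message and not cfengine or cfservd code: a minimal Python sketch of the trust problem described above, contrasting an access check that believes classes reported by the client with one that derives classes from server-side group definitions. All names, hostnames, paths and rules are constructed, and the hostname is assumed to have been verified by the server already.

```python
# Added illustration; not cfengine/cfservd code. All names and data are constructed.
from fnmatch import fnmatch

# Server-side group definitions: classes assigned by the server, keyed on the
# identity the server verified itself (assumption: the hostname has already
# been authenticated before these functions are called).
SERVER_GROUPS = {
    "aix_servers": ["aix*.example.com"],
    "sun_servers": ["sun*.example.com"],
}

# Access rules: path prefix -> classes allowed to fetch files under it.
ACCESS = {
    "/masterfiles/aix/": {"aix_servers"},
    "/masterfiles/sunos/": {"sun_servers"},
    "/masterfiles/common/": {"aix_servers", "sun_servers"},
}


def server_classes(verified_host):
    """Classes the server derives itself from the verified peer identity."""
    return {group for group, patterns in SERVER_GROUPS.items()
            if any(fnmatch(verified_host, p) for p in patterns)}


def allowed(path, classes):
    """True if any rule covering `path` admits one of `classes`."""
    return any(path.startswith(prefix) and bool(classes & permitted)
               for prefix, permitted in ACCESS.items())


def authorize_trusting_client(path, verified_host, claimed_classes):
    # Flawed: the requester supplies the very attribute the decision rests on.
    return allowed(path, set(claimed_classes))


def authorize_server_side(path, verified_host, claimed_classes):
    # Client-reported classes are ignored for access decisions.
    return allowed(path, server_classes(verified_host))


if __name__ == "__main__":
    # A host in the sun group reports itself as a member of the aix group.
    request = ("/masterfiles/aix/passwd", "sun03.example.com", ["aix_servers"])
    print("trusting client:", authorize_trusting_client(*request))
    print("server-side:    ", authorize_server_side(*request))
```
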

