help-cfengine

more on implicit "policy"


From: skaar
Subject: more on implicit "policy"
Date: Tue, 8 Jun 2004 10:15:07 -0400
User-agent: Mutt/1.5.5.1i

> > If you want to enforce that sort of policy, it should be a
> > configuration option, not something hard-coded -- at the very
> > least the user should have the option of disabling it.
> 
> There are more of these in cfengine, such as file permissions during
> recursive copy and the default deletion of search lines with resolve.

This is a basic example of how cfengine makes implicit decisions. The
copy below will set default permissions (644) on files and files will
come around and change them back. This will happen every time cfengine
runs and there is no way to tell copy not to modify permissions and
ownership on files that are already there.

control:
    actionsequence = ( directories copy files )

copy:
    /etc/env.d
        dest=/tmp/cftests/skipmode r=inf 

files:
    /tmp/cftests/skipmode
        o=appuser mode=700 r=inf action=fixall 

directories:
    /tmp/cftests/skipmode mode=755

This is of course a result of cfengine trying to do the right thing,
that is, not copy a file into place with unsafe permissions. It is
"convergent" since in the end they will have the permissions from
files, but it leaves a window where applications depending on the 
permissions would fail. That window will only grow as your
configurations become more complex. It is of course also an inefficient
way of doing it.

In the code this happens since every call to CheckCopiedFile in image.c,
which is used by copy, has fixall passed to it, which in turn calls
CheckExistingFile with fixall, the same function used by files to 
set permissions and ownership, although in that case the "action" is
configurable.

An option would be to add skipmod/skipown/skipboth to copy and files at
least in the case where files already exist and possibly have the right
permissions.

Another would be to allow for a more granular handling of permissions
and ownership in copy itself. A step in the right direction would be
to allow different permission/ownership sets for directories and files.

-- 
/skaar

+-------------------------------------------------------------------+
+----- address@hidden                   kent skaar   ----------------+
+----- internet services: infrastructure security   ----------------+
+-------------------------------------------------------------------+
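
The skipmod/skipown idea proposed in the message above, sketched as an added C example that is not part of the original post and is not cfengine code. The function name copy_into_place and its skip_mode flag are hypothetical; the 644 default is the one the message describes.

```c
/* Added illustration, not cfengine source: copy_into_place() and its
 * skip_mode flag are hypothetical names for the proposed option. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#define DEFAULT_MODE 0644 /* the default the post says copy applies */

/* Replace dst with the contents of src through a temp file and rename().
 * With skip_mode set and dst already present, its mode and ownership are
 * put on the temp file first, so dst never appears with other permissions.
 * Returns the resulting mode bits of dst, or -1 on error. */
int copy_into_place(const char *src, const char *dst, int skip_mode)
{
    char tmp[4096], buf[8192];
    struct stat old, now;
    int keep = skip_mode && stat(dst, &old) == 0;
    mode_t mode = keep ? (old.st_mode & 07777) : DEFAULT_MODE;
    ssize_t n;
    if (snprintf(tmp, sizeof tmp, "%s.new", dst) >= (int)sizeof tmp)
        return -1;
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    int out = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); /* private until ready */
    if (out < 0) {
        close(in);
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) {
            n = -1;
            break;
        }
    close(in);
    if (n == 0 && keep && fchown(out, old.st_uid, old.st_gid) != 0) {
        /* best effort: changing owner needs privilege */
    }
    if (n == 0 && fchmod(out, mode) != 0)
        n = -1;
    if (close(out) != 0)
        n = -1;
    if (n != 0 || rename(tmp, dst) != 0) {
        unlink(tmp);
        return -1;
    }
    return stat(dst, &now) == 0 ? (int)(now.st_mode & 07777) : -1;
}
```

With skip_mode set to 0 an existing 700 file comes back as 644 until a later pass corrects it, which is the window the message describes; with skip_mode set to 1 the file keeps 700 across the copy.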



