[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cfexecd and chmod($input_dir)
|
From: |
Mark . Burgess |
|
Subject: |
Re: cfexecd and chmod($input_dir) |
|
Date: |
Tue, 8 Jun 2004 22:57:31 +0200 (MEST) |
As skaar pointed out, you shouldn't be editing the files in
the trusted directory directly anyway. They are intended
as a copy of a different location. Just implement your
desired policy outside of cfengine's domain. The point of
the restrictions is to make cfengine easier to install.
M
On 8 Jun, Will Lowe wrote:
> It's not a huge issue in my environment -- I just have some error
> reporting that parses the outputs/ logs and kept telling me that
> directories were changing permissions.
>
> But it does seem like 0700 is a very restricted definition of
> "trusted", and it doesn't let the local admin define and enforce local
> policies, which is what cfengine is all about.
>
> On Tue, Jun 08, 2004 at 11:47:38AM -0500, Chip Seraphine wrote:
>> I have the same problem. I wanted mine to be 1770 in order to allow
>> sysadmins
>> to set flag files as themselves instead of root (so we could better account
>> for who did what), but all it did was fight with the hard coded chmod...
>>
>> On Saturday 05 June 2004 03:12, Mark.Burgess@iu.hio.no wrote:
>> >
>> > The directory must be trusted. Why do you care?
>> >
>> > M
>> >
>> > On 4 Jun, Will Lowe wrote:
>> > > I'm running v 2.1.0p1.
>> > >
>> > > Why does cfexecd insist on doing chmod($input_dir) whenever it runs?
>> > > There's nothing secret in my cfagent configs, so I had update.conf set
>> > > to set the input dir to 0755.
>> > >
>> > > Looks like the code is at line 218 in cfexecd.c:
>> > >
>> > > snprintf(VBUFF,bufsize,"%s/inputs",WORKDIR);
>> > > chmod(VBUFF,0700);
>> > > snprintf(VBUFF,bufsize,"%s/outputs",WORKDIR);
>> > > chmod(VBUFF,0700);
>> > >
>> >
>> >
>> >
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
>> > Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> >
>> >
>> >
>> > _______________________________________________
>> > Help-cfengine mailing list
>> > Help-cfengine@gnu.org
>> > http://lists.gnu.org/mailman/listinfo/help-cfengine
>> >
>>
>> --
>>
>> Chip Seraphine
>> Unix Administrator
>> TradeLink, LLC
>> 312-264-2048
>> chip@trdlnk.com
>>
>>
>>
>> _______________________________________________
>> Help-cfengine mailing list
>> Help-cfengine@gnu.org
>> http://lists.gnu.org/mailman/listinfo/help-cfengine
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- cfexecd and chmod($input_dir), Will Lowe, 2004/06/04
- Re: cfexecd and chmod($input_dir), Mark . Burgess, 2004/06/05
- Re: cfexecd and chmod($input_dir), Darrell Fuhriman, 2004/06/05
- Re: cfexecd and chmod($input_dir), Chip Seraphine, 2004/06/08
- Re: cfexecd and chmod($input_dir), Will Lowe, 2004/06/08
- Re: cfexecd and chmod($input_dir),
Mark . Burgess <=
- Re: cfexecd and chmod($input_dir), Luke A. Kanies, 2004/06/08
- Re: cfexecd and chmod($input_dir), Mark . Burgess, 2004/06/09
- Re: cfexecd and chmod($input_dir), Chip Seraphine, 2004/06/09
- Re: cfexecd and chmod($input_dir), Brendan Strejcek, 2004/06/09