help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cfexecd and chmod($input_dir)


From: Luke A. Kanies
Subject: Re: cfexecd and chmod($input_dir)
Date: Tue, 8 Jun 2004 18:12:02 -0500 (CDT)

On Tue, 8 Jun 2004 Mark.Burgess@iu.hio.no wrote:


As skaar pointed out, you shouldn't be editing the files in
the trusted directory directly anyway. They are intended
as a copy of a different location. Just implement your
desired policy outside of cfengine's domain. The point of
the restrictions is to make cfengine easier to install.

This little "feature" quite annoys me because it makes it far more difficult to look at my local configuration when I'm debugging things. I use sudo for everything, and I never ever open up a root shell. This means that root-owned directories that are 700 really mess me up, especially if it's the parent directory of a larger structure.

For instance, tab-completion (which I use almost every command in bash) doesn't work any more -- I have to write out the complete filename to view a file. This is immediately annoying, but gets more annoying as the paths get longer, e.g., /var/cfengine/inputs/packages/openssh.cf.

I generate quite a few files, and they all go in /var/cfengine/inputs. I never (well, not never, but not for a long time) edit those files, but I look at them constantly. Even for files that are copied from a remote system, I find it extremely useful to be able to easily look at them, even if just to verify that the latest file has been downloaded.

I have yet to work with an organization that _hasn't_ tried to get the inputs directory to be less restrictive than 700, and they've all had to give up. I agree with skaar and the others that this is a decision that should be completely left up to the admin, not the tool. I want to be able to define security on my network.

Luke

--
Once...in the wilds of Afghanistan, I lost my corkscrew, and we were
forced to live on nothing but food and water for days.  -- W. C. Fields
---------------------------------------------------------------------
Luke Kanies | http://abstractive.org | http://reductiveconsulting.com




reply via email to

[Prev in Thread] Current Thread [Next in Thread]