Re: problems copying symlinks

[Bill Gunter]

Hmmm. I understand that you have to use the actual directory and not a
symlink in the "admit" directive of cfservd.conf, but that's not the
problem here. To work around the problem I changed the copy directive,
not the admit directive. Are you saying that you can't copy symlinks
from a symlinked directory?

On Thu, 2005-12-29 at 16:03 -0600, Mark Burgess wrote:
> 
> That is a documented security feature, not a bug. 
> M
> 
> On Thu, 2005-12-29 at 14:06 -0600, Bill Gunter wrote: 
> > Okay, found the problem with the symlinks. Apparently the access
> control 
> > is getting confused. I've allowed access with  
> >  
> > admit: 
> >   cfengine_server:: 
> >     /directory        *.domain.com 
> >  
> > But the copy directive says 
> >  
> > class:: 
> >   /symlink_to_directory 
> >  
> > This works with regular files contained in /directory but not with 
> > symlinks to files in the same directory. I changed the copy
> directive to 
> > use the actual directory and not the symlink to it and it works
> fine. 
> > This seems like a bug to me. 
> >  
> >  
> > On Thu, 2005-12-29 at 13:03 -0600, Mark Burgess wrote: 
> > >  
> > > Look at the output of cfservd -d2 to see why this is happening.
> If 
> > > you  
> > > are traversing links, that is not honoured by access control.
> This 
> > > has  
> > > always been true  
> > > M 
> > >  
> > > On Thu, 2005-12-29 at 12:46 -0600, Bill Gunter wrote:  
> > > > v2.1.18 of cfservd (still v2.1.15 of cfagent) gives slightly 
> > > different  
> > > > errors, but the same results. It says "Unspecified refusal by 
> > > server"  
> > > > instead of "Host authorization/authentication failed or access 
> > > denied"  
> > > >   
> > > > On Thu, 2005-12-29 at 12:21 -0600, Mark Burgess wrote:  
> > > > >   
> > > > > What does 2.1.18 do?  
> > > > >   
> > > > > On Thu, 2005-12-29 at 11:43 -0600, Bill Gunter wrote:   
> > > > > > I've configured a copy directive and the symlinks that exist
> in 
> > > the   
> > > > > > directory being copied are not being copied, but all the 
> > > regular  
> > > > > files   
> > > > > > in the directory are being copied.    
> > > > > >    
> > > > > > cfservd is throwing this error for each symlink:   
> > > > > >    
> > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 823470
> daemon.error] 
> > > Host   
> > > > > > REMOTE denied access to /directory/symlink   
> > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 702911
> daemon.notice] 
> > > Host   
> > > > > > authorization/authentication failed or access denied   
> > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 702911
> daemon.notice] 
> > > From   
> > > > > > (host=REMOTE,user=root,ip=::ffff:111.111.111.111)   
> > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 823470
> daemon.error] 
> > > ID  
> > > > > from   
> > > > > > connecting host: (SYNCH 1135877698
> STAT /directory/symlink)   
> > > > > >    
> > > > > > Here's the directive.   
> > > > > >    
> > > > > > class::   
> > > > > >   /directory   
> > > > > >     server=$(server)   
> > > > > >     dest=/remote_directory   
> > > > > >     owner=root   
> > > > > >     backup=false   
> > > > > >     recurse=inf   
> > > > > >     timestamps=keep   
> > > > > >    
> > > > > > I'm using v.2.1.15.   
> > > > > >   
> > > > >   
> > > > >  
> > >  
> > > 
> 
> 
-- 
Bill Gunter 
Assistant Director of Information Systems 
  
ARC Systems 
P: 512.358.5377 
F: 512.892.5552 
<www.arcsystems.com>