
Re: problems copying symlinks


From: Bill Gunter
Subject: Re: problems copying symlinks
Date: Fri, 30 Dec 2005 09:46:22 -0600

I really think this is a bug. Here's the output from "cfservd -d2" for
two different files in the source tree. The first (check_dns) is a
regular file and the second (check_udp2) is a symlink to a regular file
in the same directory. On the source machine /u is a symlink to /devu.

Received: [SYNCH 1135957075 STAT /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns] on socket 7
AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns)
AccessControl(/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,hognose.arcsystems.com)
 encrypt request=1
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/var/cfengine/ppkeys/localhost.pub)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/u1/cfengine)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/cfengine)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc/init.d)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/opt)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/usr/local)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)?
Found a matching rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)


Received: [SYNCH 1135957075 STAT /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2] on socket 7
AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2)
AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,hognose.arcsystems.com)
 encrypt request=1
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/var/cfengine/ppkeys/localhost.pub)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/u1/cfengine)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/cfengine)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc/init.d)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/opt)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/usr/local)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/devu/deploy)?
cfservd: Host hognose.arcsystems.com denied access to /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2

The symlink is treated differently by the access control logic. 

On Thu, 2005-12-29 at 16:16 -0600, Mark Burgess wrote:
> 
> As I understand it, you can copy file objects of any kind from a real
> directory, without symlinks in the path, if there is a granted path that
> does not rely on the use of symlinks. Cfservd expands out the symlinks
> to check where the file actually points to.
> 
> M
> 
> On Thu, 2005-12-29 at 16:09 -0600, Bill Gunter wrote:
> > Hmmm. I understand that you have to use the actual directory and not a
> > symlink in the "admit" directive of cfservd.conf, but that's not the
> > problem here. To work around the problem I changed the copy directive,
> > not the admit directive. Are you saying that you can't copy symlinks
> > from a symlinked directory?
> > 
> > On Thu, 2005-12-29 at 16:03 -0600, Mark Burgess wrote:
> > > 
> > > That is a documented security feature, not a bug.
> > > M
> > > 
> > > On Thu, 2005-12-29 at 14:06 -0600, Bill Gunter wrote:
> > > > Okay, found the problem with the symlinks. Apparently the access control
> > > > is getting confused. I've allowed access with
> > > > 
> > > > admit:
> > > >   cfengine_server::
> > > >     /directory        *.domain.com
> > > > 
> > > > But the copy directive says
> > > > 
> > > > class::
> > > >   /symlink_to_directory
> > > > 
> > > > This works with regular files contained in /directory but not with
> > > > symlinks to files in the same directory. I changed the copy directive to
> > > > use the actual directory and not the symlink to it and it works fine.
> > > > This seems like a bug to me.
> > > > 
> > > > 
> > > > On Thu, 2005-12-29 at 13:03 -0600, Mark Burgess wrote:
> > > > > 
> > > > > Look at the output of cfservd -d2 to see why this is happening. If you
> > > > > are traversing links, that is not honoured by access control. This has
> > > > > always been true
> > > > > M
> > > > > 
> > > > > On Thu, 2005-12-29 at 12:46 -0600, Bill Gunter wrote:
> > > > > > v2.1.18 of cfservd (still v2.1.15 of cfagent) gives slightly different
> > > > > > errors, but the same results. It says "Unspecified refusal by server"
> > > > > > instead of "Host authorization/authentication failed or access denied"
> > > > > > 
> > > > > > On Thu, 2005-12-29 at 12:21 -0600, Mark Burgess wrote:
> > > > > > > 
> > > > > > > What does 2.1.18 do?
> > > > > > > 
> > > > > > > On Thu, 2005-12-29 at 11:43 -0600, Bill Gunter wrote:
> > > > > > > > I've configured a copy directive and the symlinks that exist in the
> > > > > > > > directory being copied are not being copied, but all the regular files
> > > > > > > > in the directory are being copied.
> > > > > > > > 
> > > > > > > > cfservd is throwing this error for each symlink:
> > > > > > > > 
> > > > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 823470 daemon.error] Host REMOTE denied access to /directory/symlink
> > > > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 702911 daemon.notice] Host authorization/authentication failed or access denied
> > > > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 702911 daemon.notice] From (host=REMOTE,user=root,ip=::ffff:111.111.111.111)
> > > > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 823470 daemon.error] ID from connecting host: (SYNCH 1135877698 STAT /directory/symlink)
> > > > > > > > 
> > > > > > > > Here's the directive.
> > > > > > > > 
> > > > > > > > class::
> > > > > > > >   /directory
> > > > > > > >     server=$(server)
> > > > > > > >     dest=/remote_directory
> > > > > > > >     owner=root
> > > > > > > >     backup=false
> > > > > > > >     recurse=inf
> > > > > > > >     timestamps=keep
> > > > > > > > 
> > > > > > > > I'm using v.2.1.15.
> 
-- 
Bill Gunter 
Assistant Director of Information Systems 
  
ARC Systems 
P: 512.358.5377 
F: 512.892.5552 
<www.arcsystems.com>
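As an added illustration (not code from this thread or from cfengine itself), the following Python model reproduces the two path-expansion behaviours visible in the cfservd -d2 output above: admit rules are keyed by the real, symlink-free directory, and whether the requested path is resolved before the rule check decides whether the symlinked file is granted or denied. The directory layout, host name and admit rule are constructed to mirror the thread, and the second expander is a hypothetical alternative, not cfservd's actual logic.

```python
import fnmatch
import os
import tempfile

def admitted(admit_rules, host, path):
    """True if some admit rule's real directory is a prefix of path and
    its host pattern matches the connecting host (constructed admit model)."""
    for directory, patterns in admit_rules.items():
        if path == directory or path.startswith(directory.rstrip("/") + "/"):
            if any(fnmatch.fnmatch(host, p) for p in patterns):
                return True
    return False

def expand_naive(path):
    """Mirrors the -d2 output above: a regular file's path is fully
    resolved, but a path whose last component is a symlink is checked
    unresolved, so the /u prefix never matches an admit rule on /devu."""
    return path if os.path.islink(path) else os.path.realpath(path)

def expand_dir_only(path):
    """Hypothetical alternative: resolve every directory component but keep
    the final name, so the link itself can still be copied as a link while
    the admit check sees the real directory that contains it."""
    head, tail = os.path.split(path)
    return os.path.join(os.path.realpath(head), tail)

def build_tree():
    """Constructed layout mirroring the thread: u -> devu, check_dns a
    regular file, check_udp2 a symlink to it in the same directory."""
    root = os.path.realpath(tempfile.mkdtemp())
    libexec = os.path.join(root, "devu", "deploy", "libexec")
    os.makedirs(libexec)
    with open(os.path.join(libexec, "check_dns"), "w") as f:
        f.write("#!/bin/sh\n")
    os.symlink("check_dns", os.path.join(libexec, "check_udp2"))
    os.symlink(os.path.join(root, "devu"), os.path.join(root, "u"))
    return root

def decide(root, expander, name, host="hognose.arcsystems.com"):
    """One STAT request for <root>/u/deploy/libexec/<name> against an
    admit rule granting <root>/devu/deploy to *.arcsystems.com."""
    rules = {os.path.join(root, "devu", "deploy"): ["*.arcsystems.com"]}
    requested = os.path.join(root, "u", "deploy", "libexec", name)
    return admitted(rules, host, expander(requested))
```

With expand_naive, check_dns is admitted and check_udp2 is denied exactly as in the debug output; resolving the directory part first admits both while still refusing a host outside the admitted domain.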