help-cfengine

Re: problems copying symlinks


From: Mark Burgess
Subject: Re: problems copying symlinks
Date: Sun, 01 Jan 2006 19:47:59 +0100

Right, cfengine does not honour symbolic links, because a completely
unauthorized person might have added that symbolic link, and then
suddenly the server would be serving up files that were meant to be
private. Those are the rules of cfengine's security model. "It's for
your own protection!" :) It's not a bug.

On Sun, 2006-01-01 at 12:43 -0600, Bill Gunter wrote:
> Precisely. The symlink is treated differently from the regular file when the 
> full path is determined. The regular file has /devu as the root while the 
> symlink has /u. I can work around by putting both /devu and /u in the Allow 
> directive, but why is this necessary? /u is a symlink to /devu. 
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>  
> 
> -----Original Message-----
> From: Mark Burgess
> To: Bill Gunter
> CC: help-cfengine@gnu.org
> Sent: Sun Jan 01 12:37:25 2006
> Subject: Re: problems copying symlinks
> 
> There is a flaw in your example
> 
> On Fri, 2005-12-30 at 09:46 -0600, Bill Gunter wrote:
> > I really think this is a bug. Here's the output from "cfservd -d2" for
> > two different files in the source tree. The first (check_dns) is a
> > regular file and the second (check_udp2) is a symlink to a regular file
> > in the same directory. On the source machine /u is a symlink to /devu.
> > 
> > Received: [SYNCH 1135957075 STAT 
> > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns] on socket 7
> > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns)
> > AccessControl(/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,hognose.arcsystems.com)
> >  encrypt request=1
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/var/cfengine/ppkeys/localhost.pub)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/u1/cfengine)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/cfengine)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc/init.d)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/opt)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/usr/local)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)?
> > Found a matching rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)
> 
> This matches your final entry
> 
> > 
> > Received: [SYNCH 1135957075 STAT 
> > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2] on socket 7
> > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2)
> > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,hognose.arcsystems.com)
> >  encrypt request=1
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/var/cfengine/ppkeys/localhost.pub)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/u1/cfengine)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/cfengine)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc/init.d)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/opt)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/usr/local)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/devu/deploy)?
> > cfservd: Host hognose.arcsystems.com denied access to 
> > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2
> 
> This doesn't match your final entry /u != /devu
> 
> 
> M
> 
> 
> 
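The behaviour visible in the two debug traces above, as an added example (not cfengine's code and not part of the original messages): it assumes, from the traces only, that a request for a regular file is checked under its resolved path while a request whose last component is a symlink is checked as sent. The directory layout is a constructed stand-in for /u -> /devu, and the function names are hypothetical.

```python
import os
import tempfile


def path_checked(requested):
    """Path that is compared against the access list in this model.

    Assumption taken from the debug output in the thread: a request for a
    regular file is checked under its resolved path (/u/... became /devu/...),
    while a request whose last component is a symlink is checked as sent.
    """
    if os.path.islink(requested):
        return requested
    return os.path.realpath(requested)


def admitted(requested, access_list):
    """True if the checked path is an access-list entry or lies beneath one."""
    checked = path_checked(requested)
    for rule in access_list:
        rule = rule.rstrip("/")
        if checked == rule or checked.startswith(rule + "/"):
            return True
    return False


def demo():
    # Constructed stand-in for the layout in the thread: u -> devu, one
    # regular file and one symlink to it in the same directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        devu, u = os.path.join(root, "devu"), os.path.join(root, "u")
        libexec = os.path.join(devu, "deploy", "libexec")
        os.makedirs(libexec)
        os.symlink(devu, u)
        open(os.path.join(libexec, "check_dns"), "w").close()
        os.symlink("check_dns", os.path.join(libexec, "check_udp2"))

        regular = os.path.join(u, "deploy", "libexec", "check_dns")
        link = os.path.join(u, "deploy", "libexec", "check_udp2")
        only_devu = [os.path.join(devu, "deploy")]
        both = only_devu + [os.path.join(u, "deploy")]
        return {
            "regular, devu only": admitted(regular, only_devu),
            "symlink, devu only": admitted(link, only_devu),
            "symlink, devu and u": admitted(link, both),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "->", "admitted" if ok else "denied")
```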




