help-cfengine

Re: problems copying symlinks


From: Bill Gunter
Subject: Re: problems copying symlinks
Date: Sun, 1 Jan 2006 12:52:55 -0600

I understand all that. I guess I'm not making myself clear. I'll try again. In 
the example the regular file (check_dns) path is expanded to have /devu as the 
root. This is correct behavior. However, the symlink file (check_udp2) path is 
expanded differently to have /u as the root. /u is a symlink to /devu. Why does 
the path expand to a symlink?
--------------------------
Sent from my BlackBerry Wireless Handheld
 

-----Original Message-----
From: Mark Burgess
To: Bill Gunter
CC: address@hidden
Sent: Sun Jan 01 12:47:59 2006
Subject: Re: problems copying symlinks


Right, cfengine does not honour symbolic links, because a completely
unauthorized person might have added that symbolic link, and then
suddenly the server would be serving up files that were meant to be
private. Those are the rules of cfengine's security model. "It's for
your own protection!" :) It's not a bug.

On Sun, 2006-01-01 at 12:43 -0600, Bill Gunter wrote:
> Precisely. The symlink is treated differently from the regular file when the 
> full path is determined. The regular file has /devu as the root while the 
> symlink has /u. I can work around by putting both /devu and /u in the Allow 
> directive, but why is this necessary? /u is a symlink to /devu. 
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>  
> 
> -----Original Message-----
> From: Mark Burgess
> To: Bill Gunter
> CC: address@hidden
> Sent: Sun Jan 01 12:37:25 2006
> Subject: Re: problems copying symlinks
> 
> There is a flaw in your example
> 
> On Fri, 2005-12-30 at 09:46 -0600, Bill Gunter wrote:
> > I really think this is a bug. Here's the output from "cfservd -d2" for
> > two different files in the source tree. The first (check_dns) is a
> > regular file and the second (check_udp2) is a symlink to a regular file
> > in the same directory. On the source machine /u is a symlink to /devu.
> > 
> > Received: [SYNCH 1135957075 STAT 
> > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns] on socket 7
> > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns)
> > AccessControl(/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,hognose.arcsystems.com)
> >  encrypt request=1
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/var/cfengine/ppkeys/localhost.pub)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/u1/cfengine)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/cfengine)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc/init.d)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/opt)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/usr/local)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc)?
> > Examining rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)?
> > Found a matching rule in access list 
> > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)
> 
> This matches your final entry
> 
> > 
> > Received: [SYNCH 1135957075 STAT 
> > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2] on socket 7
> > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2)
> > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,hognose.arcsystems.com)
> >  encrypt request=1
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/var/cfengine/ppkeys/localhost.pub)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/u1/cfengine)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/cfengine)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc/init.d)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/opt)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/usr/local)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc)?
> > Examining rule in access list 
> > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/devu/deploy)?
> > cfservd: Host hognose.arcsystems.com denied access to 
> > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2
> 
> This doesn't match your final entry /u != /devu
> 
> 
> M
> 
> 
> 
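
An added illustration, not cfengine code and not written by either poster: it models the literal string comparison visible in the denied request above, next to a check that resolves symlinks in the directory part only and never follows the final component. The temporary tree is constructed to mirror the thread (`u` -> `devu`, `check_udp2` -> `check_dns`); the function names and `stray_link` are hypothetical.

```python
import os
import tempfile

def literal_match(requested, admit_roots):
    """Compare the path string exactly as given (no symlink expansion)."""
    return any(requested == r or requested.startswith(r + os.sep) for r in admit_roots)

def canonical_parent_match(requested, admit_roots):
    """Resolve symlinks in the directory part only; never follow the last component."""
    parent, name = os.path.split(requested)
    canon = os.path.join(os.path.realpath(parent), name)
    return literal_match(canon, [os.path.realpath(r) for r in admit_roots])

def target_inside(requested, admit_roots):
    """Would following every symlink, including the last, stay in an admitted tree?"""
    real = os.path.realpath(requested)
    return literal_match(real, [os.path.realpath(r) for r in admit_roots])

def build_tree():
    """Constructed layout: u -> devu, check_udp2 -> check_dns, plus one outside link."""
    base = os.path.realpath(tempfile.mkdtemp())
    libexec = os.path.join(base, "devu", "deploy", "libexec")
    os.makedirs(libexec)
    os.makedirs(os.path.join(base, "private"))
    open(os.path.join(libexec, "check_dns"), "w").close()
    open(os.path.join(base, "private", "secret"), "w").close()
    os.symlink("check_dns", os.path.join(libexec, "check_udp2"))
    # Hypothetical link whose target lies outside the admitted tree,
    # the situation described in the reply about unauthorized symlinks.
    os.symlink(os.path.join(base, "private", "secret"),
               os.path.join(libexec, "stray_link"))
    os.symlink(os.path.join(base, "devu"), os.path.join(base, "u"))
    return base

def demo():
    base = build_tree()
    admit = [os.path.join(base, "devu", "deploy")]  # like the /devu/deploy entry
    results = {}
    for name in ("check_dns", "check_udp2", "stray_link"):
        req = os.path.join(base, "u", "deploy", "libexec", name)  # requested via u
        results[name] = (literal_match(req, admit),
                         canonical_parent_match(req, admit),
                         target_inside(req, admit))
    return results

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)  # (literal, canonical parent, target inside)
```

A request whose location is admitted but whose target is not (`stray_link`) is the case where a server can safely describe the link itself but must not return the target's contents.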



