Re: problems copying symlinks
From: Mark Burgess
Subject: Re: problems copying symlinks
Date: Sun, 01 Jan 2006 20:08:47 +0100
Ah - ok, I see. Well, the expansion is performed by the posix realpath
function which is supposed to deliver the correct path without symbolic
links. What I see now is that, if the final node (not the path) is a
link, then the realpath is not computed. So you are right, this is not
consistent and I'm not sure why I did that. I'll think about it some
more to decide whether I was smarter or dumber than I am now.
M
On Sun, 2006-01-01 at 12:52 -0600, Bill Gunter wrote:
> I understand all that. I guess I'm not making myself clear. I'll try again.
> In the example the regular file (check_dns) path is expanded to have /devu
> as the root. This is correct behavior. However, the symlink file (check_udp2)
> path is expanded differently to have /u as the root. /u is a symlink to
> /devu. Why does the path expand to a symlink?
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>
>
> -----Original Message-----
> From: Mark Burgess
> To: Bill Gunter
> CC: help-cfengine@gnu.org
> Sent: Sun Jan 01 12:47:59 2006
> Subject: Re: problems copying symlinks
>
>
> Right, cfengine does not honour symbolic links, because a completely
> unauthorized person might have added that symbolic link, and then
> suddenly the server would be serving up files that were meant to be
> private. Those are the rules of cfengine's security model. "It's for
> your own protection!" :) It's not a bug.
>
> On Sun, 2006-01-01 at 12:43 -0600, Bill Gunter wrote:
> > Precisely. The symlink is treated differently from the regular file when
> > the full path is determined. The regular file has /devu as the root while
> > the symlink has /u. I can work around by putting both /devu and /u in the
> > Allow directive, but why is this necessary? /u is a symlink to /devu.
> > --------------------------
> > Sent from my BlackBerry Wireless Handheld
> >
> >
> > -----Original Message-----
> > From: Mark Burgess
> > To: Bill Gunter
> > CC: help-cfengine@gnu.org
> > Sent: Sun Jan 01 12:37:25 2006
> > Subject: Re: problems copying symlinks
> >
> > There is a flaw in your example
> >
> > On Fri, 2005-12-30 at 09:46 -0600, Bill Gunter wrote:
> > > I really think this is a bug. Here's the output from "cfservd -d2" for
> > > two different files in the source tree. The first (check_dns) is a
> > > regular file and the second (check_udp2) is a symlink to a regular file
> > > in the same directory. On the source machine /u is a symlink to /devu.
> > >
> > > Received: [SYNCH 1135957075 STAT
> > > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns] on socket 7
> > > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns)
> > > AccessControl(/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,hognose.arcsystems.com)
> > > encrypt request=1
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/var/cfengine/ppkeys/localhost.pub)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/u1/cfengine)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/cfengine)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc/init.d)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/opt)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/usr/local)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)?
> > > Found a matching rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)
> >
> > This matches your final entry
> >
> > >
> > > Received: [SYNCH 1135957075 STAT
> > > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2] on socket 7
> > > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2)
> > > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,hognose.arcsystems.com)
> > > encrypt request=1
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/var/cfengine/ppkeys/localhost.pub)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/u1/cfengine)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/cfengine)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc/init.d)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/opt)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/usr/local)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/devu/deploy)?
> > > cfservd: Host hognose.arcsystems.com denied access to
> > > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2
> >
> > This doesn't match your final entry /u != /devu
> >
> >
> > M
> >
> >
> >
>
>
>
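
Added example, not part of the original thread and not cfengine's code: one consistent way to canonicalize a requested path before an access-list check is to resolve symlinks in the directory part with realpath() while leaving the final node as named, so a regular file and a symlink requested through /u both compare against /devu/deploy and the leaf link is still never followed. The function names, the temporary tree and the shortened paths are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve symlinks in the directory part only; the final node is kept as
 * named, so a symlink leaf is never followed. Returns 0 on success. */
int canon_parent(const char *path, char *out, size_t outlen) {
    char d[PATH_MAX], b[PATH_MAX], dir[PATH_MAX];
    if (strlen(path) >= PATH_MAX) return -1;
    strcpy(d, path); strcpy(b, path);   /* dirname/basename may modify input */
    if (realpath(dirname(d), dir) == NULL) return -1;
    int n = snprintf(out, outlen, "%s/%s", strcmp(dir, "/") ? dir : "", basename(b));
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if path equals rule or lies below it on a path-component boundary. */
int under_rule(const char *path, const char *rule) {
    size_t n = strlen(rule);
    return strncmp(path, rule, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Constructed tree as in the thread: u -> devu; devu/deploy holds check_dns
 * (file) and check_udp2 (symlink). 1 if both requests via u pass the rule. */
int demo(void) {
    char t[] = "/tmp/cfdemoXXXXXX", base[PATH_MAX], p[PATH_MAX], q[PATH_MAX];
    char rule[PATH_MAX], reg[PATH_MAX], lnk[PATH_MAX];
    struct stat st;
    if (!mkdtemp(t) || !realpath(t, base)) return -1;
    snprintf(p, sizeof p, "%s/devu", base);
    snprintf(q, sizeof q, "%s/u", base);
    snprintf(rule, sizeof rule, "%s/devu/deploy", base);
    if (mkdir(p, 0700) || mkdir(rule, 0700) || symlink(p, q)) return -1;
    snprintf(p, sizeof p, "%s/check_dns", rule);
    snprintf(q, sizeof q, "%s/check_udp2", rule);
    FILE *f = fopen(p, "w");
    if (!f || fclose(f) || symlink("check_dns", q)) return -1;
    snprintf(p, sizeof p, "%s/u/deploy/check_dns", base);   /* requested via alias */
    snprintf(q, sizeof q, "%s/u/deploy/check_udp2", base);
    if (canon_parent(p, reg, sizeof reg) || canon_parent(q, lnk, sizeof lnk)) return -1;
    if (lstat(lnk, &st) || !S_ISLNK(st.st_mode)) return -1; /* leaf is still a link */
    return !under_rule(q, rule) && under_rule(reg, rule) && under_rule(lnk, rule);
}

int main(void) { int r = demo(); printf("both admitted: %d\n", r); return r == 1 ? 0 : 1; }
```

The uncanonicalized /u path fails the rule, as in the quoted debug output, while both canonicalized paths match it.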