help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: problems copying symlinks


From: Mark Burgess
Subject: Re: problems copying symlinks
Date: Sun, 01 Jan 2006 20:08:47 +0100

Ah - ok, I see. Well, the expansion is preformed by the posix realpath
function which is supposed to deliver the correct patrh without symbolic
links.  What I see now is that, if the final node (not the path) in a
link, then the realpath is not computed. So you are right, this is not
consistent and I'm not sure why I did that. I'll think about it some
more to decide whether I was smarter or dummer than I am now.

M

On Sun, 2006-01-01 at 12:52 -0600, Bill Gunter wrote:
> I understand all that. I guess I'm not making myself clear. I'll try again. 
> In the example the regular file (check_dns)  path is expanded to have /devu 
> as the root. This is correct behavior. However, the symlink file (check_udp2) 
> path is expanded differently to have /u as the root. /u is a symlink to 
> /devu. Why does the path expand to a symlink?
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>  
> 
> -----Original Message-----
> From: Mark Burgess
> To: Bill Gunter
> CC: address@hidden
> Sent: Sun Jan 01 12:47:59 2006
> Subject: Re: problems copying symlinks
> 
> 
> Right, cfengine does not honour symbolic links, because a completely
> unauthorized person might have added that symbolic link, and then
> suddenly the server would be serving up files that were meant to be
> private. Those are the rules of cfengine's security model. "It's for
> your own protection!" :) It's not a bug.
> 
> On Sun, 2006-01-01 at 12:43 -0600, Bill Gunter wrote:
> > Precisely. The symlink is treated differently from the regular file when 
> > the full path is determined. The regular file has /devu as the root while 
> > the symlink has /u. I can work around by putting both /devu and /u in the 
> > Allow directive, but why is this necessary? /u is a symlink to /devu. 
> > --------------------------
> > Sent from my BlackBerry Wireless Handheld
> >  
> > 
> > -----Original Message-----
> > From: Mark Burgess
> > To: Bill Gunter
> > CC: address@hidden
> > Sent: Sun Jan 01 12:37:25 2006
> > Subject: Re: problems copying symlinks
> > 
> > There is a flaw in your example
> > 
> > On Fri, 2005-12-30 at 09:46 -0600, Bill Gunter wrote:
> > > I really think this is a bug. Here's the output from "cfservd -d2" for
> > > two different files in the source tree. The first (check_dns) is a
> > > regular file and the second (check_udp2) is a symlink to a regular file
> > > in the same directory. On the source machine /u is a symlink to /devu.
> > > 
> > > Received: [SYNCH 1135957075 STAT 
> > > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns] on socket 7
> > > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns)
> > > AccessControl(/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,hognose.arcsystems.com)
> > >  encrypt request=1
> > > Examining rule in access list 
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/var/cfengine/ppkeys/localhost.pub)?
> > > Examining rule in access list 
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/u1/cfengine)?
> > > Examining rule in access list 
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/cfengine)?
> > > Examining rule in access list 
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc/init.d)?
> > > Examining rule in access list 
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/opt)?
> > > Examining rule in access list 
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/usr/local)?
> > > Examining rule in access list 
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc)?
> > > Examining rule in access list 
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)?
> > > Found a matching rule in access list 
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)
> > 
> > This matches your final entry
> > 
> > > 
> > > Received: [SYNCH 1135957075 STAT 
> > > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2] on socket 7
> > > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2)
> > > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,hognose.arcsystems.com)
> > >  encrypt request=1
> > > Examining rule in access list 
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/var/cfengine/ppkeys/localhost.pub)?
> > > Examining rule in access list 
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/u1/cfengine)?
> > > Examining rule in access list 
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/cfengine)?
> > > Examining rule in access list 
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc/init.d)?
> > > Examining rule in access list 
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/opt)?
> > > Examining rule in access list 
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/usr/local)?
> > > Examining rule in access list 
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc)?
> > > Examining rule in access list 
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/devu/deploy)?
> > > cfservd: Host hognose.arcsystems.com denied access to 
> > > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2
> > 
> > This doesn't match your final entry /u != /devu
> > 
> > 
> > M
> > 
> > 
> > 
> 
> 
> 





reply via email to

[Prev in Thread] Current Thread [Next in Thread]