help-cfengine

Re: cfservd access question


From: Ed Brown
Subject: Re: cfservd access question
Date: Mon, 23 Jan 2006 16:57:18 -0700

While this doesn't perhaps get to the heart of your question, is there
any reason not to use the same expression (172.16.1.0/24 in your
example) in 'admit:' that you use in 'control:'?  

-Ed


On Mon, 2006-01-23 at 13:27 -0800, Bob Smith wrote:
> The following all takes place using cfengine 2.1.18 on Solaris 10. In this 
> environment the client's name is "elf.corp" and the client's DNS domain is 
> "corp.abc.com". DNS resolution works correctly in the environment.
> 
> Using the examples supplied with the distribution, I am attempting to create 
> an update.conf for my site. In the admit section of the sample cfservd.conf, 
> access is granted based on a glob DNS domain name match (i.e. 
> "*.iu.hioslo.no"); however, when I attempt to do the same type of thing for my 
> site I hit access restrictions.
> 
> My cfservd.conf looks like:
> 
> control:
> 
>   domain                        = ( corp.abc.com )
>   cfrunCommand                  = ( "/usr/local/sbin/cfagent" )
> 
>   any::
> 
>     IfElapsed                   = ( 1 )
>     ExpireAfter                 = ( 15 )
>     MaxConnections              = ( 50 )
>     MultipleConnections         = ( true )
>     LogAllConnections           = ( true )
>     AllowConnectionsFrom        = ( 172.16.1.0/24 )
>     TrustKeysFrom               = ( 172.16.1.0/24 )
>     AllowUsers                  = ( root )
> 
> admit:
>   /master_files/sysops/config_files   *.corp.abc.com
> 
> 
> My update.conf looks like:
> 
> control:
> 
>   actionsequence  = ( copy tidy )
>   domain          = ( corp.abc.com )
> 
>   policyhost      = ( monitor01.corp.abc.com )
>   master_cfinput  = ( /master_files/sysops/config_files/env_dep/CORP/var/cfengine/inputs )
> 
>   workdir         = ( /var/cfengine )
> 
> copy:
> 
>   $(master_cfinput)
>         dest=$(workdir)/inputs
>         timestamps=preserve
>         exclude=*.lst
>         exclude=*~
>         exclude=*,v
>         exclude=*-
>         exclude=#*
>         ignore=SCCS
>         ignore=RCS
>         recurse=inf
>         type=sum
>         server=$(policyhost)
>         trustkey=true
>         encrypt=true
> 
> 
> If I run cfservd in debug mode (-d3) I see the following:
> 
> Checking whether to map root privileges..
> 
> FuzzyItemIn(LIST,172.16.1.68)
> No root privileges granted
> WildMatch(elf.corp,*.corp.abc.com)
> WildMatch(*.corp.abc.com,elf.corp)
> WildMatch(172.16.1.68,*.corp.abc.com)
> WildMatch(*.corp.abc.com,172.16.1.68)
> 
> FuzzyItemIn(LIST,172.16.1.68)
> Try FuzzySetMatch(*.corp.abc.com,172.16.1.68)
> cfservd: Host elf.corp denied access to 
> /master_files/sysops/config_files/env_dep/CORP/var/cfengine/modules
> cfservd: Unspecified refusal by server
> 
> From this it appears to me that the server is not doing either of the 
> behaviors I would expect: (a) it is not comparing the "domain" value set in 
> the client's update.conf to the access list specified in the server's 
> cfservd.conf; (b) it is not resolving, via DNS, the client's IP address and 
> comparing that to the access list specified in the server's cfservd.conf.
> 
> Also, the documentation states, in section "4.3 Cfengine classes" 
> (http://www.cfengine.com/docs/cfengine-Reference.html#Cfengine-classes), that 
> "Cfengine uses both the unqualified and fully host names as classes. Some 
> sites and operating systems use fully qualified names for their hosts. i.e. 
> uname -n returns to full domain qualified hostname. This spoils the class 
> matching algorithms for cfengine, so cfengine automatically truncates names 
> which contain a dot `.' at the first `.' it encounters."
> 
> Given this, I would have expected that the hostname used by cfservd for 
> access list matching would have been "elf", not "elf.corp" as shown by the 
> debug output.
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine
-- 
Ed Brown <ebrown@lanl.gov>
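Added example, not code from the thread or from cfengine's own sources: a small Python model of the admit matching that the -d3 trace above makes visible, so that the refusal and Ed's suggestion can be tried side by side. The trace shows each admit pattern being tried against the name the server resolved for the client ("elf.corp") and against the address text ("172.16.1.68"); the model does the same, and treats a pattern that parses as an address or CIDR block as a network rule. That classification, the `pattern_matches()` and `admitted()` helpers, and the sample clients are constructed here and are assumptions of the model, not a description of cfservd's source.

```python
"""Illustrative model of cfservd-style 'admit:' matching (added example).

Each admit pattern is tried against the name reverse DNS returned for the
client and against the dotted-quad text of its address, as in the trace;
a pattern that parses as an address or CIDR block is matched against the
address only.  How the real cfservd tells the two kinds apart is an
assumption of this model.
"""
from fnmatch import fnmatchcase
import ipaddress
from typing import List


def pattern_matches(pattern: str, client_ip: str, client_name: str) -> bool:
    """Return True if a single admit pattern accepts this client."""
    # Network rule: "172.16.1.0/24" or a plain address such as "172.16.1.68".
    # strict=False tolerates host bits set in the prefix.
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        net = None
    if net is not None:
        return ipaddress.ip_address(client_ip) in net
    # Hostname glob ("*.corp.abc.com").  DNS names are case-insensitive, so
    # compare lowercased.  As the trace shows, the glob is also tried against
    # the address text, which only matters for patterns like "172.16.1.*".
    pat = pattern.lower()
    return fnmatchcase(client_name.lower(), pat) or fnmatchcase(client_ip, pat)


def admitted(client_ip: str, client_name: str, admit_patterns: List[str]) -> List[str]:
    """Return the admit patterns that accept the client; an empty list is a denial."""
    return [p for p in admit_patterns if pattern_matches(p, client_ip, client_name)]


# Constructed sample client, taken from the trace in the quoted message:
# the connecting address and the name the server resolved it to.
CLIENT_IP = "172.16.1.68"
CLIENT_NAME = "elf.corp"

if __name__ == "__main__":
    cases = [
        # The original admit line: "elf.corp" does not end in .corp.abc.com,
        # so the glob fails and the server reports "denied access".
        (CLIENT_IP, CLIENT_NAME, ["*.corp.abc.com"]),
        # Ed's suggestion: reuse the network expression from control:.
        (CLIENT_IP, CLIENT_NAME, ["172.16.1.0/24"]),
        # The glob would only pass if reverse DNS handed back a name under
        # corp.abc.com (hypothetical PTR record, constructed here).
        (CLIENT_IP, "elf.corp.abc.com", ["*.corp.abc.com"]),
        # A host outside the /24 is still refused by the network rule.
        ("172.16.2.5", "other.corp.abc.com", ["172.16.1.0/24"]),
    ]
    for ip, name, patterns in cases:
        hits = admitted(ip, name, patterns)
        verdict = "admitted via %s" % hits if hits else "denied"
        print("%-12s %-20s %-18s %s" % (ip, name, patterns[0], verdict))
```

Run as a script, the first case prints `denied`, matching the trace, and the second prints `admitted via ['172.16.1.0/24']`. A name-based admit line stands or falls on the PTR record the client's address resolves to, which belongs to whoever runs the reverse zone for that block; the network form depends only on the source address. Neither is authentication: in cfengine 2 that is the host key, and with `TrustKeysFrom = ( 172.16.1.0/24 )` on the server and `trustkey=true` on the client, any host in that /24 has its key accepted on first contact, so narrow those once the keys have been exchanged.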




