help-cfengine

Re: "stealing" config files?


From: Ed Brown
Subject: Re: "stealing" config files?
Date: Thu, 09 Feb 2006 16:33:18 -0700

On Thu, 2006-02-09 at 16:59 -0500, Mihai Ibanescu wrote:

> Based on my understanding of cfengine, cfagent.conf (and any files in
> master_cfinput) will be synchronized to all clients. 

This is typically the case, but not at all a requirement.  We have a
team approach (which is just another class): everyone gets some common
files, and the appropriate set of team files.  You could be as fine-
grained as you want, down to individual files to individual machines.

> Then, the local cfagent
> will determine which files it needs, based on the classes the machine belongs
> to.

The local cfagent can try to copy anything it wants from the server,
including /etc/shadow etc, but access control is entirely server-side,
as you note next...

> Looking at the documentation, on the server-side, admit clauses in cfservd.conf
> grant permission by host name, not by class; hence, there's no check that a
> cfagent requesting a particular file is entitled to receive it.

I don't follow you here.  Reverse DNS lookups and particularly the
encrypted key exchange verify that both client and server are who they
say they are.  In what sense do you mean that there's 'no check'?   Even
if someone takes control of a client, they can only retrieve from the
server what has been made available to that client anyway. 

-Ed
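
A simplified model of the server-side check discussed in this message, added here as an illustration and not part of the original post or cfservd's own code: the decision depends only on the host identity the server verified and the requested path, so a client's own class definitions never enter into it. The rule table, paths and host names are constructed.

```python
import fnmatch
import posixpath

# Constructed rules in the spirit of the thread: common files for every host,
# team files only for that team's hosts. Paths and host names are hypothetical.
ADMIT = [
    ("/var/cfengine/masterfiles/common", ["*.example.org"]),
    ("/var/cfengine/masterfiles/team-web", ["web*.example.org"]),
    ("/var/cfengine/masterfiles/team-db", ["db1.example.org", "db2.example.org"]),
]


def is_admitted(verified_host, requested_path, rules=ADMIT):
    """Return True if the server would serve requested_path to verified_host.

    verified_host is the identity the server established itself (key exchange
    plus DNS check). Nothing the client says about its own classes is an input.
    """
    if not requested_path.startswith("/"):
        return False
    # Normalise first so "common/../team-db/x" cannot pass as a "common" path.
    path = posixpath.normpath(requested_path)
    host = verified_host.lower()
    for prefix, host_patterns in rules:
        under_prefix = path == prefix or path.startswith(prefix + "/")
        if under_prefix and any(fnmatch.fnmatchcase(host, p) for p in host_patterns):
            return True
    return False  # default deny: anything not listed, e.g. /etc/shadow


def readable_by(verified_host, rules=ADMIT):
    """Blast radius of one compromised client: every tree it can pull."""
    host = verified_host.lower()
    return [prefix for prefix, pats in rules
            if any(fnmatch.fnmatchcase(host, p) for p in pats)]


if __name__ == "__main__":
    base = "/var/cfengine/masterfiles"
    for host, path in [
        ("web3.example.org", base + "/team-web/httpd.conf"),
        ("web3.example.org", base + "/team-db/my.cnf"),
        ("web3.example.org", "/etc/shadow"),
        ("web3.example.org", base + "/common/../team-db/my.cnf"),
    ]:
        print(host, path, "->", "admit" if is_admitted(host, path) else "deny")
    print("web3 can read:", readable_by("web3.example.org"))
```

`readable_by` is the useful audit question for an admit list: for each host, which trees could it pull if it were taken over.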




