help-cfengine

Re: "stealing" config files?


From: Mihai Ibanescu
Subject: Re: "stealing" config files?
Date: Thu, 9 Feb 2006 18:56:52 -0500
User-agent: Mutt/1.4.2.1i

On Thu, Feb 09, 2006 at 04:33:18PM -0700, Ed Brown wrote:
> On Thu, 2006-02-09 at 16:59 -0500, Mihai Ibanescu wrote:
> 
> > Based on my understanding of cfengine, cfagent.conf (and any files in
> > master_cfinput) will be synchronized to all clients. 
> 
> This is typically the case, but not at all a requirement.  We have a
> team approach (which is just another class): everyone gets some common
> files, and the appropriate set of team files.  You could be as fine-
> grained as you want, down to individual files to individual machines.

OK, but once I got the common files, I can get the other team's files just by
defining myself as belonging to the class of the other team, can't I?

I presume you have something like this in cfagent.conf:

include:
    team1::
        cf.team1
    team2::
        cf.team2

copy:
    team1::
        /some/path/cf.team1
            dest = /some/path/cf.team1
    team2::
        /some/path/cf.team2
            dest = /some/path/cf.team2

But this won't really prevent computer A belonging to the team1 class from
copying the cf.team2 file... all I have to do is invoke cfengine with
--define team2.

Well, unless in cfservd.conf you say

admit:
    /some/path/cf.team1 A.example.com
    /some/path/cf.team2 B.example.com

but unfortunately in cfservd.conf access is granted by hostname, not by class
- so you have to redefine the relationship file-to-host again, which is so
nicely modeled through classes in cfagent.

> I don't follow you here.  Reverse dns lookups and particularly the
> encrypted key exchange verify that both client and server are who they
> say they are.  In what sense do you mean that there's 'no check'?   Even
> if someone takes control of a client, they can only retrieve from the
> server what has been made available to that client anyway. 

Yes, DNS and keys will verify that machine A is indeed machine A. But
see the example above - unless you go to a very fine-grained access control in
cfservd.conf (to the point of listing each individual file and each machine it
should have access to), you don't actually protect the files.

Please note, this may be a rather unusual usage of cfengine. Also, not all
files are that security sensitive, and for the ones that truly are, you can go
the extra mile to update cfservd.conf. It just struck me as strange that
access control on the server side is not done at the class level too - and I
bet most sysadmins will think their files are safe. Based on my understanding,
cfengine trusts the client not to request files it doesn't need, which may not
be the case at all.

I hope this clarifies better what I meant.

Misa
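
Added example, not part of the original message and not cfengine's own code: one way to avoid maintaining the file-to-host mapping twice is to generate the per-file admit entries from the class table and to audit the live admit list for grants wider than class membership. The team table, host names and helper names are assumptions; the admit layout follows the form quoted in the message.

```python
# Constructed sample data: class -> member hosts, class -> restricted files.
TEAM_HOSTS = {"team1": ["A.example.com"], "team2": ["B.example.com"]}
TEAM_FILES = {"team1": ["/some/path/cf.team1"], "team2": ["/some/path/cf.team2"]}


def expected_admits(team_hosts, team_files):
    """Return {path: set(hosts)} implied by class membership."""
    admits = {}
    for team, paths in team_files.items():
        for path in paths:
            admits.setdefault(path, set()).update(team_hosts.get(team, []))
    return admits


def render_admit(admits):
    """Render an admit: section in the 'path host ...' form from the message."""
    lines = ["admit:"]
    for path in sorted(admits):
        lines.append("    %s %s" % (path, " ".join(sorted(admits[path]))))
    return "\n".join(lines)


def parse_admit(text):
    """Parse an admit: section into {path: set(hosts)}; hosts may follow
    the path on the same line or on later lines."""
    admits, path = {}, None
    for line in text.splitlines():
        for tok in line.split("#", 1)[0].split():   # drop '#' comments
            if tok.endswith(":"):                    # section or class label
                continue
            if tok.startswith("/"):
                path = tok
                admits.setdefault(path, set())
            elif path is not None:
                admits[path].add(tok)
    return admits


def audit(current, expected):
    """List (path, host) grants the server allows beyond class membership."""
    extra = []
    for path, hosts in current.items():
        for host in sorted(hosts - expected.get(path, set())):
            extra.append((path, host))
    return sorted(extra)
```

A directory-level grant such as `/some/path *.example.com` is reported by `audit` because no class table entry justifies it, which is the case where a host defining another team's class on the client side could still fetch that team's file.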