help-cfengine

permission on certain files/dirs keep getting overwritten


From: stucky
Subject: permission on certain files/dirs keep getting overwritten
Date: Thu, 16 Mar 2006 15:14:36 -0800

guys

First of all - congrats on a fabulous product !! I love it and embrace it !!
Of course, there are little things here and there I don't quite get yet and here is one of them:

I have a bunch of files: directives to make sure permissions are ok f.e.

/var/cfengine            mode=700
                         owner=root
                         group=root
                         action="">
                         inform=true


YES I have inform set to true 'cause those perms shouldn't change and I wanna know if they do.
Because of that inform flag I receive an email every hour that the permission of that dir was changed from 755 to 700.
I was amazed first how this can happen till I realized that it's cfagent itself that changes the perm back to 755
during the update.conf phase and immediately back to 700 during the cfagent phase. Question is why ?

1. Permissions are fine:

[root@cfengine stucky]# ls -l /var/
total 160
drwxr-xr-x   2 root    root     4096 Jul  8  2005 account
drwxr-xr-x   6 root    root     4096 Dec  7 18:58 cache
drwx------   9 root    root     4096 Mar 15 23:39 cfengine

2. I run JUST the update phase of cfagent and the perms get set to 755:

[root@cfengine stucky]# /var/cfengine/bin/cfagent -If /var/cfengine/inputs/update.conf
[root@cfengine stucky]# ls -l /var/
total 160
drwxr-xr-x   2 root    root     4096 Jul  8  2005 account
drwxr-xr-x   6 root    root     4096 Dec  7 18:58 cache
drwxr-xr-x   9 root    root     4096 Mar 15 23:39 cfengine

3. Of course cfagent now has to fix that again:

[root@cfengine stucky]# /var/cfengine/bin/cfagent -I --no-lock --no-splay
cfengine:cfengine: 5 processes matched sshd (should be <=4)
cfengine:cfengine: Object /var/cfengine had permission 755, changed it to 700
cfengine:cfengine: Update of image /etc/profile from master /usr/local/cfengine/masterfiles/configs/generic/profile on x.x.x.x
cfengine:cfengine: Object /etc/profile had permission 600, changed it to 644

cfengine:cfengine: Update of image /etc/hosts from master /usr/local/cfengine/masterfiles/configs/generic/hosts on x.x.x.x
cfengine:cfengine: Object /etc/hosts had permission 600, changed it to 644

As you can see this also happens with a bunch of other files like f.e /etc/hosts. I made sure this file gets copied from
the master with the right permissions:

$(configpath)/generic/hosts         dest=/etc/hosts
                                    owner=root
                                    group=root
                                    mode=644
                                    type=checksum
                                    backup=false
                                    server=$(masterhost)

I have no idea where the 600 permission comes from for /etc/hosts or 755 for /var/cfengine or any of the others. Funny enough,
some perms just stay the way they were set and I can't figure out how they differ from the others.

I don't see anything in update.conf that sets permissions on /var/cfengine or anything.

Here is my update.conf:

control:
   smtpserver           = ( smtp1.domain.net )
   sysadm               = ( admin@domain.net )
   actionsequence       = ( copy tidy )
   ChecksumDatabase     = ( /var/cfengine/cfdb )
   ChecksumUpdates      = ( true )
   domain               = ( idf.net )
   workdir              = ( /var/cfengine )
   policyhost           = ( x.x.x.x )
   master_cfinput       = ( /usr/local/cfengine/masterfiles/configs/cfengine )
   cf_install_dir_el3   = ( /usr/local/cfengine/masterfiles/binaries/el3 )
   cf_install_dir_el4   = ( /usr/local/cfengine/masterfiles/binaries/el4 )


copy:
   $(master_cfinput)/update.conf        dest=$(workdir)/inputs/update.conf
                                        mode=644
                                        type=binary
                                        server=$(policyhost)

   $(master_cfinput)/cfagent.conf       dest=$(workdir)/inputs/cfagent.conf
                                        mode=644
                                        type=binary
                                        server=$(policyhost)


  redhat_es_3::
   $(cf_install_dir_el3)/cfagent        dest=$(workdir)/bin/cfagent
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el3)/cfservd        dest=$(workdir)/bin/cfservd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el3)/cfexecd        dest=$(workdir)/bin/cfexecd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el3)/cfenvd         dest=$(workdir)/bin/cfenvd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

  redhat_es_4::
   $(cf_install_dir_el4)/cfagent        dest=$(workdir)/bin/cfagent
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el4)/cfservd        dest=$(workdir)/bin/cfservd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el4)/cfexecd        dest=$(workdir)/bin/cfexecd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el4)/cfenvd         dest=$(workdir)/bin/cfenvd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

tidy:

   $(workdir)/outputs                   pattern=*
                                        age=7

Yet it appears that this update.conf changes a bunch of permissions that cfagent then has to fix again.
I could just turn off the inform flag but this is really bugging me. Is it one of those things where I totally didn't grasp
the concept of cfengine and I'm using it the wrong way ? I wouldn't think so since it has been working very well for me
otherwise and I really appreciate it as a tool. Can anyone give me a hint ?
Thx

Alex
--
stucky
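
The manual before/after check in steps 1 to 3 of the post can be scripted so that each cfagent phase reports exactly which watched paths it touched. This is an added example, not part of the original post or of cfengine; the function names `state_of` and `mode_changes_during` are hypothetical, and it assumes GNU `stat` as found on the Red Hat hosts the post mentions.

```shell
#!/bin/sh
# Added example: report which watched paths change mode or ownership while
# one command (for instance a single cfagent phase) runs.

# state_of PATH -> "MODE OWNER:GROUP", or "absent" if PATH does not exist
state_of() {
    if [ -e "$1" ]; then
        stat -c '%a %U:%G' -- "$1"      # GNU stat format (assumption)
    else
        echo absent
    fi
}

# mode_changes_during PATH... -- CMD [ARGS...]
# Snapshots every PATH, runs CMD, then prints one line per PATH whose
# state differs afterwards: "PATH: OLD -> NEW". CMD's own output goes to
# stderr, so stdout carries only the change report.
mode_changes_during() {
    tmp=$(mktemp) || return 1
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        printf '%s\t%s\n' "$(state_of "$1")" "$1" >>"$tmp"
        shift
    done
    [ $# -gt 0 ] && shift               # drop the "--" separator
    "$@" >&2 || true                    # a failing CMD must not hide the report
    while IFS="$(printf '\t')" read -r old p; do
        new=$(state_of "$p")
        [ "$new" = "$old" ] || printf '%s: %s -> %s\n' "$p" "$old" "$new"
    done <"$tmp"
    rm -f "$tmp"
}

# Usage with the two commands from the post, one phase at a time:
#   mode_changes_during /var/cfengine /etc/hosts /etc/profile -- \
#       /var/cfengine/bin/cfagent -If /var/cfengine/inputs/update.conf
#   mode_changes_during /var/cfengine /etc/hosts /etc/profile -- \
#       /var/cfengine/bin/cfagent -I --no-lock --no-splay
```

Running it from cron with a longer path list gives a per-phase record of permission changes that can be compared against the hourly inform mails.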