dir perm on /var/cfengine keeps getting reset to 755


From: stucky
Subject: dir perm on /var/cfengine keeps getting reset to 755
Date: Fri, 17 Mar 2006 10:52:09 -0800

I had sent this before but maybe I was a little fast cause my list enrollment confirmation hadn't come in yet.
Now I'm thinking the stuff got lost so I'm sending it again.
Sorry if it shows up twice.

guys

First of all - congrats on a fabulous product !! I love it and embrace it !!
Of course, there are little things here and there I don't quite get yet and here is one of them:

I have a bunch of files: directives to make sure permissions are ok f.e.

/var/cfengine            mode=700
                         owner=root
                         group=root
                         action="">
                         inform=true


YES I have inform set to true cause those perms shouldn't change and I wanna know if they do.
Because of that inform flag I receive an email every hour that the permission of that dir was changed from 755 to 700.
I was amazed first how this can happen till I realized that it's cfagent itself that changes the perm back to 755
during the update.conf phase and immediately back to 700 during the cfagent phase. Question is why ?

1. Permissions are fine:

address@hidden stucky]# ls -l /var/
total 160
drwxr-xr-x   2 root    root     4096 Jul  8  2005 account
drwxr-xr-x   6 root    root     4096 Dec  7 18:58 cache
drwx------   9 root    root     4096 Mar 15 23:39 cfengine

2. I run JUST the update phase of cfagent and the perm gets set to 755:

address@hidden stucky]# /var/cfengine/bin/cfagent -If /var/cfengine/inputs/update.conf
address@hidden stucky]# ls -l /var/
total 160
drwxr-xr-x   2 root    root     4096 Jul  8  2005 account
drwxr-xr-x   6 root    root     4096 Dec  7 18:58 cache
drwxr-xr-x   9 root    root     4096 Mar 15 23:39 cfengine

3. Of course cfagent now has to fix that again:

address@hidden stucky]# /var/cfengine/bin/cfagent -I --no-lock --no-splay
cfengine:cfengine: 5 processes matched sshd (should be <=4)
cfengine:cfengine: Object /var/cfengine had permission 755, changed it to 700
cfengine:cfengine: Update of image /etc/profile from master /usr/local/cfengine/masterfiles/configs/generic/profile on x.x.x.x
cfengine:cfengine: Object /etc/profile had permission 600, changed it to 644

cfengine:cfengine: Update of image /etc/hosts from master /usr/local/cfengine/masterfiles/configs/generic/hosts on x.x.x.x
cfengine:cfengine: Object /etc/hosts had permission 600, changed it to 644

As you can see this also happens with a bunch of other files like f.e /etc/hosts. I made sure this file gets copied from
the master with the right permissions:

$(configpath)/generic/hosts         dest=/etc/hosts
                                    owner=root
                                    group=root
                                    mode=644
                                    type=checksum
                                    backup=false
                                    server=$(masterhost)

I have no idea where the 600 permission comes from for /etc/hosts or 755 for /var/cfengine or any of the others. Funny enough,
some perms just stay the way they were set and I can't figure out how they differ from the others.

I don't see anything in update.conf that sets permissions on /var/cfengine or anything.

Here is my update.conf:

control:
   smtpserver           = ( smtp1.domain.net )
   sysadm               = ( address@hidden )
   actionsequence       = ( copy tidy )
   ChecksumDatabase     = ( /var/cfengine/cfdb )
   ChecksumUpdates      = ( true )
   domain               = ( domain.net )
   workdir              = ( /var/cfengine )
   policyhost           = ( x.x.x.x )
   master_cfinput       = ( /usr/local/cfengine/masterfiles/configs/cfengine )
   cf_install_dir_el3   = ( /usr/local/cfengine/masterfiles/binaries/el3 )
   cf_install_dir_el4   = ( /usr/local/cfengine/masterfiles/binaries/el4 )


copy:
   $(master_cfinput)/update.conf        dest=$(workdir)/inputs/update.conf
                                        mode=644
                                        type=binary
                                        server=$(policyhost)

   $(master_cfinput)/cfagent.conf       dest=$(workdir)/inputs/cfagent.conf
                                        mode=644
                                        type=binary
                                        server=$(policyhost)


  redhat_es_3::
   $(cf_install_dir_el3)/cfagent        dest=$(workdir)/bin/cfagent
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el3)/cfservd        dest=$(workdir)/bin/cfservd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el3)/cfexecd        dest=$(workdir)/bin/cfexecd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el3)/cfenvd         dest=$(workdir)/bin/cfenvd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

  redhat_es_4::
   $(cf_install_dir_el4)/cfagent        dest=$(workdir)/bin/cfagent
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el4)/cfservd        dest=$(workdir)/bin/cfservd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el4)/cfexecd        dest=$(workdir)/bin/cfexecd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

   $(cf_install_dir_el4)/cfenvd         dest=$(workdir)/bin/cfenvd
                                        mode=755
                                        type=checksum
                                        server=$(policyhost)

tidy:

   $(workdir)/outputs        pattern=*
                             age=7

I tried running  /var/cfengine/bin/cfagent -d2  but poking through the massive output of that I couldn't find anything that sets
the directory permission on /var/cfengine. I can see plenty of permissions on the binaries that need to be copied to the clients.
Also nothing about /etc/hosts in there.

Yet it appears that this update.conf changes a bunch of permissions that cfagent then has to fix again.
I could just turn off the inform flag but this is really bugging me. Is it one of those things where I totally didn't grasp
the concept of cfengine and I'm using it the wrong way ? I wouldn't think so since it has been working very well for me
otherwise and I really appreciate it as a tool. Can anyone give me a hint ?
Thx


--
stucky
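
Added example, not part of the original post and not cfengine code: a Python script that parses cfagent inform lines of the form quoted above across several runs and lists objects that are corrected on every run, marking whether the mode found on disk was looser or tighter than the mode the policy sets. The sample run is constructed from the output shown in the post; the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: one run's inform output, in the format quoted in the post.
SAMPLE_RUN = """\
cfengine:cfengine: 5 processes matched sshd (should be <=4)
cfengine:cfengine: Object /var/cfengine had permission 755, changed it to 700
cfengine:cfengine: Update of image /etc/profile from master /usr/local/cfengine/masterfiles/configs/generic/profile on x.x.x.x
cfengine:cfengine: Object /etc/profile had permission 600, changed it to 644
cfengine:cfengine: Object /etc/hosts had permission 600, changed it to 644
"""

PERM_RE = re.compile(
    r"Object (\S+) had permission ([0-7]{3,4}), changed it to ([0-7]{3,4})")

def parse_changes(text):
    """Return (path, mode_found, mode_set) for each permission correction."""
    return [(m.group(1), int(m.group(2), 8), int(m.group(3), 8))
            for m in PERM_RE.finditer(text)]

def classify(found, wanted):
    """Compare the mode found on disk with the mode the policy sets."""
    extra = found & ~wanted      # bits granted on disk but not by policy
    missing = wanted & ~found    # bits the policy grants but disk lacked
    if extra and missing:
        return "mixed"
    if extra:
        return "looser"
    return "tighter" if missing else "same"

def flapping(runs, min_runs=2):
    """List corrections that recur in at least min_runs separate runs."""
    counts = Counter()
    for text in runs:
        counts.update(set(parse_changes(text)))  # count once per run
    return [(path, format(found, "03o"), format(wanted, "03o"),
             classify(found, wanted), n)
            for (path, found, wanted), n in sorted(counts.items())
            if n >= min_runs]

if __name__ == "__main__":
    # Three hourly runs with identical output, as described in the post.
    for row in flapping([SAMPLE_RUN] * 3):
        print("%s: found %s, reset to %s (%s), seen in %d runs" % row)
```

A "looser" row such as /var/cfengine (755 found, 700 set) means the object was readable by group and others between the two phases, which is the case worth tracing first.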