Trevor Vaughan
2007-Jul-27 03:43 UTC
Patch to tighten down the permissions and ownership in configuration.rb
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Attached is a patch which attempts to enforce ''proper'' permissions of all files controlled directly by the puppet processes. All owners and groups are explicitly set as are all permissions. The idea is that the Puppet process configuration files should be relatively tamper resistant and at least throw a warning that the permissions have been changed and make them proper. I haven''t tested this new version yet, but hopefully I will when I rebuild my VMs :-/. Trevor -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGqWnzmiOKeJOeocsRCv90AJ0aFOwpsNX2cWW89YlzUuJtQEjWkACgjWdx HKR2RYlgQgikd7PP153+jKw=KWmU -----END PGP SIGNATURE----- _______________________________________________ Puppet-users mailing list Puppet-users@madstop.com https://mail.madstop.com/mailman/listinfo/puppet-users
Luke Kanies
2007-Jul-30 16:30 UTC
Re: Patch to tighten down the permissions and ownership in configuration.rb
On Jul 26, 2007, at 10:43 PM, Trevor Vaughan wrote:> Attached is a patch which attempts to enforce ''proper'' permissions of > all files controlled directly by the puppet processes. > > All owners and groups are explicitly set as are all permissions. > > The idea is that the Puppet process configuration files should be > relatively tamper resistant and at least throw a warning that the > permissions have been changed and make them proper.As with your other patch, I''d appreciate it if you''d open a ticket with this patch. Unfortunately, I''m not convinced that all of these changes will work. In particular, puppetmasterd does not run as root but uses the same host cert as puppetd, which means that the master will not be able to start if the ssldir is 750 and owned by root. The patch definitely needs to be tested on the master, since that''s the machine with the most complicated ownership requirements. -- If a dog jumps onto your lap it is because he is fond of you; but if a cat does the same thing it is because your lap is warmer. -- Alfred North Whitehead --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
Trevor Vaughan
2007-Jul-30 17:30 UTC
Re: Patch to tighten down the permissions and ownership in configuration.rb
I''ve just about got my VM''s reconfigured (stupid lack of memory :-), so I''ll get it tested and in as soon as I can. Thanks, Trevor On 7/30/07, Luke Kanies <luke@madstop.com> wrote:> On Jul 26, 2007, at 10:43 PM, Trevor Vaughan wrote: > > > Attached is a patch which attempts to enforce ''proper'' permissions of > > all files controlled directly by the puppet processes. > > > > All owners and groups are explicitly set as are all permissions. > > > > The idea is that the Puppet process configuration files should be > > relatively tamper resistant and at least throw a warning that the > > permissions have been changed and make them proper. > > As with your other patch, I''d appreciate it if you''d open a ticket > with this patch. > > Unfortunately, I''m not convinced that all of these changes will > work. In particular, puppetmasterd does not run as root but uses the > same host cert as puppetd, which means that the master will not be > able to start if the ssldir is 750 and owned by root. > > The patch definitely needs to be tested on the master, since that''s > the machine with the most complicated ownership requirements. > > -- > If a dog jumps onto your lap it is because he is fond of you; but if a > cat does the same thing it is because your lap is warmer. > -- Alfred North Whitehead > --------------------------------------------------------------------- > Luke Kanies | http://reductivelabs.com | http://madstop.com > > > _______________________________________________ > Puppet-users mailing list > Puppet-users@madstop.com > https://mail.madstop.com/mailman/listinfo/puppet-users >