Jamie Wilkinson
2006-Aug-07 00:34 UTC
[Puppet-users] question about wording of puppet's use of classes.txt
Hey,

I'm curious about the phrasing of a bit of the structures documentation, and what it means for puppet's behaviour.

http://reductivelabs.com/projects/puppet/documentation/structures.html

says:

    All classes set on a Puppet client are stored in an external file (usually /etc/puppet/classes.txt, but can be modified with the classfile argument or setting). This means other tools can easily read in the classes that Puppet sets and use them for their own logic.

Puppet doesn't look to this file to work out the classes, does it? It gets told by the puppetmaster, right? So, this file gets written by puppet each time it's run?

I see a potential security hole if the clients can tell puppet what to do. I assume you've done the right thing, but just wanted to check ;-)

(Also the FHS zealot inside me says the filename should be /var/lib/puppet/classes.txt , as it's not a human writable config file, it's machine generated.)

-- 
Jamie Wilkinson
Senior Systems Administrator and Infrastructure Architect
Anchor Systems
Hosting, Colocation, and Managed Servers
http://anchor.com.au
Luke Kanies
2006-Aug-07 08:38 UTC
[Puppet-users] question about wording of puppet's use of
Jamie Wilkinson wrote:
> Hey,
>
> I'm curious about the phrasing of a bit of the structures documentation, and
> what it means for puppet's behaviour.
>
> http://reductivelabs.com/projects/puppet/documentation/structures.html
>
> says:
>
>     All classes set on a Puppet client are stored in an external file
>     (usually /etc/puppet/classes.txt, but can be modified with the
>     classfile argument or setting). This means other tools can easily
>     read in the classes that Puppet sets and use them for their own
>     logic.
>
> Puppet doesn't look to this file to work out the classes, does it? It gets
> told by the puppetmaster, right? So, this file gets written by puppet each
> time it's run?

Correct, it's written each run. The "modification" mentioned there means you can modify the path, not the file itself.

> I see a potential security hole if the clients can tell puppet what to do.
> I assume you've done the right thing, but just wanted to check ;-)

Read-only, definitely.

> (Also the FHS zealot inside me says the filename should be
> /var/lib/puppet/classes.txt , as it's not a human writable config file, it's
> machine generated.)

Yeah yeah, Matt and David are hard at work fixing that, from what I understand.

-- 
Man is the only animal that can remain on friendly terms with the victims he intends to eat until he eats them. -- Samuel Butler (1835-1902)
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
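The documentation quoted in this thread says other tools can read the classes file and use it for their own logic, and the exchange establishes that Puppet only writes it. The script below is an added example of such a consumer, not code from the thread or from the Puppet project: it reads the classes file, but before acting on it checks that the file is a regular file, owned by the expected user (root by default) and not world-writable, so that a local user cannot slip a class name into the list that downstream logic trusts. The one-class-per-line layout, the helper names (check_classes_file, puppet_classes, has_class) and the sample class names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Puppet project or this thread): a tool that
# consumes the classes file Puppet writes each run. The file is treated as
# read-only input and is only trusted when it looks machine-generated:
# a regular file, owned by the expected user, not writable by "other".

# check_classes_file FILE [OWNER]
# Returns 0 when FILE is a regular file owned by OWNER (default: root)
# and not world-writable; 1/2/3 identify which check failed.
check_classes_file() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || return 1
    # The owner column of ls(1) is portable across GNU and BSD userlands.
    actual=$(ls -ld "$f" | awk '{print $3}')
    [ "$actual" = "$owner" ] || return 2
    # A world-writable file would let any local user add class names
    # that this tool, or anything else reading the file, would act on.
    [ -z "$(find "$f" -prune -perm -0002 -print)" ] || return 3
    return 0
}

# puppet_classes FILE: print one class name per line, trimming whitespace
# and dropping blank lines (one class per line is an assumed layout).
puppet_classes() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# has_class FILE CLASS: exit 0 if CLASS is listed (whole-line match) in FILE.
has_class() {
    puppet_classes "$1" | grep -qx -- "$2"
}

# Constructed sample input (not a real classes.txt): what a node assigned
# the classes "webserver" and "ntp::client" might carry after a run.
sample=$(mktemp) || exit 1
printf 'webserver\nntp::client\n\n' > "$sample"
chmod 0644 "$sample"

# Use the current user as the expected owner so the demo runs unprivileged;
# in production the expected owner is the account Puppet runs as (root).
check_classes_file "$sample" "$(id -un)"; rc=$?
if [ "$rc" -eq 0 ] && has_class "$sample" webserver; then
    echo "node is a webserver: run the web-tier logic here"
else
    echo "not acting on $sample (check rc=$rc)" >&2
fi
rm -f "$sample"
```

A tool that keys privileged actions off this file should fail closed, as above, rather than silently proceeding when the ownership or mode check fails; the check is cheap and turns an unexpectedly writable classes file into a visible error instead of a quiet trust boundary.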