Puppet users - Jun 2012 - What permissions should these folders have?

Hi,

Is there is an official Puppet stance on what the permissions of these 
files/directories should be on the Puppet Master? I''m looking for the 
minimum necessary permissions (ie: the most secure):


   1. /etc/puppet/manifests
   2. /usr/share/puppet
   3. /usr/lib/ruby/gems/1.8/specifications/*.gemspec
   4. /usr/lib/ruby/gems/1.8/gems/passenger-X.Y.Z


In order to get my puppet master (v2.7.14) to run under apache (v2.2.15) 
using passenger (v3.0.12) on Cent OS (v6.2), I had to do the following:

chown puppet /etc/puppet/manifests
chmod -R 755 /usr/share/puppet
chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec
chown -R puppet /usr/lib/ruby/gems/1.8/gems/passenger-3.0.12

Do any of the above changes yield a security risk I should be aware of?

Thanks in advance :)

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/fIJRlRtBqloJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Jun 8, 7:43 pm, Michael Altfield
<michael.altfield.data...@gmail.com> wrote:
> Hi,
>
> Is there is an official Puppet stance on what the permissions of these
> files/directories should be on the Puppet Master?

I''ve never seen one, but maybe the Enterprise group has unpublished
recommendations.  It probably depends to some extent on exactly what
software stack you are running.  PE maybe different than the open-
source edition, passenger may have more needs than webrick, etc..

> I''m looking for the
> minimum necessary permissions (ie: the most secure):
>
>    1. /etc/puppet/manifests

The puppet master process needs to read and traverse those
directories.  Nobody needs to write there during normal operations,
but obviously write permission is required to update your manifests.
Supposing, then, that the Puppet master runs as user ''puppet'',
I''d say
the most secure configuration feasible is for the whole tree to be
owned by user ''puppet'', group 0, with permissions 400 for
files and
500 for directories.  The same for all directories in your module
path.

>    2. /usr/share/puppet
>    3. /usr/lib/ruby/gems/1.8/specifications/*.gemspec
>    4. /usr/lib/ruby/gems/1.8/gems/passenger-X.Y.Z

I''m not sure about the gem directories.  I don''t use gems, and
I don''t
even particularly like them.  I prefer to stick to just one packaging
system per machine.

> In order to get my puppet master (v2.7.14) to run under apache (v2.2.15)
> using passenger (v3.0.12) on Cent OS (v6.2), I had to do the following:
>
> chown puppet /etc/puppet/manifests
> chmod -R 755 /usr/share/puppet
> chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec
> chown -R puppet /usr/lib/ruby/gems/1.8/gems/passenger-3.0.12
>
> Do any of the above changes yield a security risk I should be aware of?

Your puppetmaster is unlikely to require any of those directories to
allow any "world" access permissions.  If you know which users need
access (and you should), then at worst you should be able to grant the
access they need via "group" permissions, even if you have to create a
supplementary group for that purpose (i.e. 750).  Granting *any*
unneeded access increases your security risk to some degree.

Also, you should not grant execute permission to non-executable
regular files, which is most, perhaps all of the contents of the
directories you listed.  Therefore, I would follow up the above with,
for example,

find /usr/share/puppet -not -type d -exec chmod ugo-x {} \;

Similar for the passenger directory, though there may be one or two
files in there that need to be executable.


John



-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thanks John,

Do you have any recommendations on /var/lib/puppet?


Cheers,
Michael

On Monday, June 11, 2012 9:20:05 AM UTC-4, jcbollinger
wrote:
>
>
>
> On Jun 8, 7:43 pm, Michael Altfield 
> <michael.altfield.data...@gmail.com> wrote: 
> > Hi, 
> > 
> > Is there is an official Puppet stance on what the permissions of these
> > files/directories should be on the Puppet Master? 
>
>
> I''ve never seen one, but maybe the Enterprise group has
unpublished
> recommendations.  It probably depends to some extent on exactly what 
> software stack you are running.  PE maybe different than the open- 
> source edition, passenger may have more needs than webrick, etc.. 
>
>
> > I''m looking for the 
> > minimum necessary permissions (ie: the most secure): 
> > 
> >    1. /etc/puppet/manifests 
>
>
> The puppet master process needs to read and traverse those 
> directories.  Nobody needs to write there during normal operations, 
> but obviously write permission is required to update your manifests. 
> Supposing, then, that the Puppet master runs as user
''puppet'', I''d say
> the most secure configuration feasible is for the whole tree to be 
> owned by user ''puppet'', group 0, with permissions 400 for
files and
> 500 for directories.  The same for all directories in your module 
> path. 
>
>
> >    2. /usr/share/puppet 
> >    3. /usr/lib/ruby/gems/1.8/specifications/*.gemspec 
> >    4. /usr/lib/ruby/gems/1.8/gems/passenger-X.Y.Z 
>
>
> I''m not sure about the gem directories.  I don''t use
gems, and I don''t
> even particularly like them.  I prefer to stick to just one packaging 
> system per machine. 
>
>
> > In order to get my puppet master (v2.7.14) to run under apache
(v2.2.15)
> > using passenger (v3.0.12) on Cent OS (v6.2), I had to do the
following:
> > 
> > chown puppet /etc/puppet/manifests 
> > chmod -R 755 /usr/share/puppet 
> > chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec 
> > chown -R puppet /usr/lib/ruby/gems/1.8/gems/passenger-3.0.12 
> > 
> > Do any of the above changes yield a security risk I should be aware
of?
>
>
> Your puppetmaster is unlikely to require any of those directories to 
> allow any "world" access permissions.  If you know which users
need
> access (and you should), then at worst you should be able to grant the 
> access they need via "group" permissions, even if you have to
create a
> supplementary group for that purpose (i.e. 750).  Granting *any* 
> unneeded access increases your security risk to some degree. 
>
> Also, you should not grant execute permission to non-executable 
> regular files, which is most, perhaps all of the contents of the 
> directories you listed.  Therefore, I would follow up the above with, 
> for example, 
>
> find /usr/share/puppet -not -type d -exec chmod ugo-x {} \; 
>
> Similar for the passenger directory, though there may be one or two 
> files in there that need to be executable. 
>
>
> John 
>
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/HIk8RDnFwMQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Tuesday, June 26, 2012 9:22:25 PM UTC-5, Michael Altfield
wrote:
>
>
> Do you have any recommendations on /var/lib/puppet?
>
>
The functional requirements for this directory on the master are similar to 
the requirements for /etc/puppet/manifests, but the master may need to 
write here.  On clients, the agent needs to write there, but it normally 
runs with root privilege.  Probably puppet:root, 700 / 600 is the best you 
can do with ownership and standard file permissions for this directory on 
the master.  


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/qwgnlL70QZEJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.