-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 08 November 2007, Iwan Vosloo wrote:
> Hi there,
>
> What do you people do when distributing files that only root should have
> read access to?
>
> What we've done is to put them in /etc/puppet/files (which is configured
> to be a location served by puppet's file server). Then we let puppet own
> everything underneath /etc/puppet/files, and make those sensitive files
> readable only by the puppet user.
>
> In Ubuntu (which we use), puppetmaster runs as the puppet user, so it
> can then access the files and serve them up to clients. Those run as
> root and can install the files at their destinations with the proper
> ownership and access.
>
> But this means that, on the puppet master machine, the puppet user holds
> the keys (literally) to many important things...
>
> Any ideas/suggestions?
I have a separate /etc/puppet/secrets directory where all sensitive stuff is
located. This directory is not under public version control and only read by
file() calls. Of course this still has to be readable by the puppet user, but
this cannot be circumvented. Also, being puppet on the master means being
root on all boxes, so I don't really see access to the keys as an additional
problem.
Regards, David
- --
The primary freedom of open source is not the freedom from cost, but the free-
dom to shape software to do what you want. This freedom is /never/ exercised
without cost, but is available /at all/ only by accepting the very different
costs associated with open source, costs not in money, but in time and effort.
- -- http://www.schierer.org/~luke/log/20070710-1129/on-forks-and-forking
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHMyGn/Pp1N6Uzh0URAtMuAJ4x/WAC0zfV3AeeZ4GIbpugg/JPqACffG2i
r6m+5qsbrvEqLc6zC0Kge4w=TdC8
-----END PGP SIGNATURE-----
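The arrangement David describes (a master-only /etc/puppet/secrets directory, read by file() calls, with the agent installing the result as root with tight permissions) looks like the following in manifest form. This is an added example, not code from either poster or from the Puppet project; the defined type name, the secrets file names and the destination paths are assumptions.

```puppet
# Added example (not from the thread). A small defined type that installs a
# root-only file whose contents live in /etc/puppet/secrets on the master.
# file() is evaluated on the master during catalog compilation, so the secret
# is read there by the puppet user and delivered inside the catalog; the
# puppet:// fileserver is not involved, so no fileserver.conf entry is needed.
define secret_file (
  $source_name,            # file name under /etc/puppet/secrets (assumed layout)
  $dest_group = 'root',
) {
  file { $title:
    ensure    => file,
    owner     => 'root',
    group     => $dest_group,
    mode      => '0600',
    content   => file("/etc/puppet/secrets/${source_name}"),
    # Keep the secret out of agent reports and the filebucket on the agent.
    show_diff => false,
    backup    => false,
  }
}

# Only meaningful when the master is also managed as an agent: lock the
# secrets directory itself down to the puppet user, which is the one
# principal that must be able to read it.
node 'puppetmaster.example.com' {
  file { '/etc/puppet/secrets':
    ensure => directory,
    owner  => 'puppet',
    group  => 'puppet',
    mode   => '0700',
  }
}

# Hypothetical consumer: a database host receiving its TLS private key.
node 'db01.example.com' {
  secret_file { '/etc/ssl/private/db01.key':
    source_name => 'db01.key',
  }
}
```

Two consequences of this design are worth keeping in mind when reviewing it. First, because the secret travels in the catalog, it is protected in transit by the agent's client-certificate TLS session and ends up in the agent's cached catalog on disk, so the agent host's own permissions on its state directory matter as much as the master's. Second, as David notes, the puppet user on the master can already ship arbitrary root-executed configuration to every agent, so restricting /etc/puppet/secrets to that user is consistent with the trust the master already holds rather than a new exposure.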