Derek Yarnell
2010-Dec-23 01:18 UTC
[Puppet Users] security implications of a puppet run with sensitive data in the resources
Hi,

So I was asked a bit about implications of distributing something sensitive through puppet. After a client talks to the puppet server (giving its local facts) and retrieves its catalog is the client allowed to fetch resources that may not be defined in its catalog?

For example if someone is crafty and has compromised a client can they retrieve a file from the file server that was not in their catalog? Or can this only be handled by the file server IP acls (if you really call that secure)?

It seems like auth.conf (http://docs.puppetlabs.com/guides/security.html and the default auth.conf file) would be what I am looking for however the only way I can think of tailoring this would be to only allow a node that is in a specific class to have access to a certain set of resources.

Thanks,
derek

--
---
Derek T. Yarnell
University of Maryland
Institute for Advanced Computer Studies

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Patrick
2010-Dec-23 01:38 UTC
Re: [Puppet Users] security implications of a puppet run with sensitive data in the resources
On Dec 22, 2010, at 5:18 PM, Derek Yarnell wrote:

> So I was asked a bit about implications of distributing something
> sensitive through puppet. After a client talks to the puppet server
> (giving its local facts) and retrieves its catalog is the client allowed
> to fetch resources that may not be defined in its catalog?
>
> For example if someone is crafty and has compromised a client can they
> retrieve a file from the file server that was not in their catalog? Or
> can this only be handled by the file server IP acls
> (if you really call that secure)?

Just to confirm that. Any client with a valid certificate can get any file in any "files" directory unless you make changes. Templates are different because the templates are put into the catalog, so a client can only use templates you use in the catalog.

Derek Yarnell
2010-Dec-23 03:35 UTC
Re: [Puppet Users] security implications of a puppet run with sensitive data in the resources
On 12/22/10 8:38 PM, Patrick wrote:

>
> On Dec 22, 2010, at 5:18 PM, Derek Yarnell wrote:
>
>> So I was asked a bit about implications of distributing something
>> sensitive through puppet. After a client talks to the puppet server
>> (giving its local facts) and retrieves its catalog is the client allowed
>> to fetch resources that may not be defined in its catalog?
>>
>> For example if someone is crafty and has compromised a client can they
>> retrieve a file from the file server that was not in their catalog? Or
>> can this only be handled by the file server IP acls
>> (if you really call that secure)?
>
>
> Just to confirm that. Any client with a valid certificate can get any file in any "files" directory unless you make changes. Templates are different because the templates are put into the catalog, so a client can only use templates you use in the catalog.
>

Ok so is the only way to secure the files via IP/hostname or am I missing something in the auth.conf?

Thanks,
derek

--
---
Derek T. Yarnell
University of Maryland
Institute for Advanced Computer Studies

Patrick
2010-Dec-23 03:45 UTC
Re: [Puppet Users] security implications of a puppet run with sensitive data in the resources
On Dec 22, 2010, at 7:35 PM, Derek Yarnell wrote:

> On 12/22/10 8:38 PM, Patrick wrote:
>>
>> On Dec 22, 2010, at 5:18 PM, Derek Yarnell wrote:
>>
>>> So I was asked a bit about implications of distributing something
>>> sensitive through puppet. After a client talks to the puppet server
>>> (giving its local facts) and retrieves its catalog is the client allowed
>>> to fetch resources that may not be defined in its catalog?
>>>
>>> For example if someone is crafty and has compromised a client can they
>>> retrieve a file from the file server that was not in their catalog? Or
>>> can this only be handled by the file server IP acls
>>> (if you really call that secure)?
>>
>>
>> Just to confirm that. Any client with a valid certificate can get any file in any "files" directory unless you make changes. Templates are different because the templates are put into the catalog, so a client can only use templates you use in the catalog.
>>
>
> Ok so is the only way to secure the files via IP/hostname or am I
> missing something in the auth.conf?

I think you can use wildcards in your hostnames which might help. I know of two other indirect ways to secure files.

1) Use "source" and the file() function to embed the files in the catalog instead of putting them in a "files" folder. Templates do the same thing.

2) Tinker with /etc/puppet/fileserver.conf to add private mounts like this:

Add this to fileserver.conf:

    [private]
    path /etc/puppet/private/%d/%h
    allow *

Now, when a client with a certificate name of server.example.com asks for puppet:///private/ it will get /etc/puppet/private/example.com/server/

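The per-host mount from the last message, modelled as an added example that is not part of the thread and is not Puppet's own code: it shows why `allow *` on a `%d/%h` path still scopes each certificate name to its own directory, and why a request must be kept from climbing out of it. The function names, the certname pattern and the second host name are assumptions made for illustration.

```python
import posixpath
import re

# Assumed certname shape: DNS-style labels only, so no "/" or ".." can appear.
CERTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")


def expand_mount_path(template, certname):
    """Expand %h (short host), %d (domain) and %H (full certname)."""
    if not CERTNAME_RE.fullmatch(certname):
        raise ValueError("unexpected certname: %r" % certname)
    host, _, domain = certname.partition(".")
    values = {"%h": host, "%d": domain, "%H": certname}
    # Single pass, so a substituted value is never expanded a second time.
    expanded = re.sub(r"%[hdH]", lambda m: values[m.group(0)], template)
    return posixpath.normpath(expanded)


def resolve_request(template, certname, relpath):
    """Map a path requested under the mount to a server path, or refuse."""
    base = expand_mount_path(template, certname)
    candidate = posixpath.normpath(posixpath.join(base, relpath))
    # Anything that normalises to a location outside the host's own
    # directory (a sibling host, an absolute path) is rejected.
    if candidate != base and not candidate.startswith(base + "/"):
        raise PermissionError("%s escapes %s" % (relpath, base))
    return candidate


if __name__ == "__main__":
    template = "/etc/puppet/private/%d/%h"  # path line from the mount above
    for name in ("server.example.com", "db.example.com"):  # constructed names
        print(name, "->", resolve_request(template, name, "ssh/host_key"))
```

The isolation rests on the certificate name being the one the CA signed, so the certificate signing policy is part of the access control for this mount.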