Just a quick question about the Puppet ACL system. If "hostA" gets a catalog that says "download puppet:///passwd", I assume that hostA can always receive puppet:///passwd. However, what about hostB? Can hostB make an arbitrary call to the puppet master requesting "puppet:///passwd" even if it's not a defined resource for that host?

—Matt

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On May 11, 2011, at 9:59 AM, Matt Wise wrote:
> Can hostB make an arbitrary call to the puppet master requesting "puppet:///passwd" even if it's not a defined resource for that host?

Simply: Yes

Ways to stop this:
1) Include the file in "source" instead which embeds the file in the catalog.
2) Use ACLs per module to stop that
3) Use a custom mount-point, and either define its permissions, or else use some path munging so only the correct clients can get the file.

Over all, "1" is almost always the easiest.

On 05/12/2011 09:44 AM, Patrick wrote:
>
> On May 11, 2011, at 9:59 AM, Matt Wise wrote:
>
>> Can hostB make an arbitrary call to the puppet master requesting
>> "puppet:///passwd" even if it's not a defined resource for that host?
>
> Simply: Yes
>
> Ways to stop this:
> 1) Include the file in "source" instead which embeds the file in the
> catalog.

What you meant to write was "content instead of source".

> 2) Use ACLs per module to stop that
> 3) Use a custom mount-point, and either define its permissions, or else
> use some path munging so only the correct clients can get the file.
>
>
> Over all, "1" is almost always the easiest.

Yes, but it can bloat the catalog depending on the workload. I've found (2) to be very effective. Puppet generates my auth.conf including ACLs.

Cheers,
Felix

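To make the options in this thread concrete, here is an added example manifest (not from any poster, and not Puppet's own shipped configuration) that puts options 1 and 3 side by side and, as Felix describes, has the master manage its own fileserver ACL file. It assumes a master at /etc/puppet with a private files tree under /etc/puppet/private/<fqdn>/, that clients are named under example.com, and that the fileserver.conf path directive accepts the %H (client FQDN) substitution; all of these paths and names are assumptions for the example. The point worth seeing is that the per-host path substitution and the allow list are keyed off the certificate name the client authenticated with, not off anything the client chooses to send, which is why they hold up where an obscure path name alone does not.

```puppet
# Added example, not code from the thread. All paths and the example.com
# domain are assumptions.

# Options 2/3 from the thread: the master manages fileserver.conf itself.
# The "files" mount stays open to every client in the domain (anything a
# host can reach here it can reach whether or not its catalog references
# it, which is exactly Matt's concern). The "private" mount is path-munged
# with %H, so a request for puppet:///private/foo resolves under the
# requesting client's own directory and never under another host's.
file { '/etc/puppet/fileserver.conf':
  owner   => 'root',
  group   => 'root',
  mode    => '0640',
  content => "# managed by puppet (example)
[files]
  path  /etc/puppet/files
  allow *.example.com

[private]
  path  /etc/puppet/private/%H
  allow *.example.com
",
}

# Option 1 from the thread (with Felix's correction: content, not source):
# the file's bytes are read on the master at compile time and embedded in
# the catalog, so the fileserver is never consulted and only hosts whose
# catalog contains this resource ever receive the content.
file { '/etc/myapp/passwd':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0640',
  content => file('/etc/puppet/private/shared/myapp-passwd'),
}

# Option 3 from the thread: fetch through the per-host mount. On
# hostA.example.com this resolves to
# /etc/puppet/private/hostA.example.com/ssh_host_rsa_key on the master;
# hostB requesting the same URL gets its own directory (or nothing).
file { '/etc/ssh/ssh_host_rsa_key':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  mode   => '0600',
  source => 'puppet:///private/ssh_host_rsa_key',
}
```

The trade-off Felix mentions is visible here: the content approach costs catalog size for every embedded file, while the mount approach keeps catalogs small but moves the access decision into fileserver.conf (and auth.conf), which then has to be reviewed with the same care as the manifests.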
4) reference the file via the facter 'uniqueid'

That's an interesting one for a few points.. how is the uniqueid generated?

On May 12, 2011, at 6:15 PM, Larry Ludwig wrote:
> 4) reference the file via the facter 'uniqueid'

It's from the hostid command. How exactly it is generated I really don't know; their info page is a bit vague.

------
For example, here's what it prints on one system I use:

$ hostid
1bac013d

On that system, the 32-bit quantity happens to be closely related to the system's Internet address, but that isn't always the case.

An exit status of zero indicates success, and a nonzero value indicates failure.
-----

You could always generate your own md5 number from your own specifications for a custom facter variable. It won't be easy for you to reference the files though.

Security via obscurity isn't the best way, but it's better than what's in place now. Puppet assumes all hosts are 'friendly'.