I''m looking at Puppet as a configuration manager solution, and I was wondering.... Why is there a puppet user and group? I realize the obvious answer is that Puppet won''t run w/o it, but I don''t understand why it just wasn''t set up with root access. thanks in advance, george -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/WtXL0ugYO0YJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jerald Sheets
2012-Nov-26 22:41 UTC
Re: [Puppet Users] New to Puppet -- why the puppet user
Because standard systems administration practice is to rarely if ever run anything at all as root. This practice, generally speaking, will not pass ITIL, SOX, HIPAA, or PCI compliance auditing, and if something like Puppet (which has complete run of your system) ran as root, you could easily demolish not only one but thousands of machines with a single keystroke... well, Root is just a bad idea, then.... http://askubuntu.com/questions/16178/why-is-it-bad-to-run-as-root http://cboard.cprogramming.com/tech-board/123049-why-running-programs-root-so-bad.html http://unix.stackexchange.com/questions/52268/why-is-it-a-bad-idea-to-run-as-root A good best practices document on system security and elevated permissions: http://www.sans.org/reading_room/whitepapers/bestprac/system-administrator-security-practices_657 An access control article: http://www.softpanorama.org/Access_control/Accounts/root_account.shtml Another article on best practices (#1 addresses the root user) http://brajeshwar.com/2008/5-best-practices-for-linux-users/ I could go on. I just know that if the Root user could login remotely (or directly) to anything but the console on any of my corporate hosts, I''d fail audit on just about any government-compliance required site. --jms On Nov 26, 2012, at 5:17 PM, george <glwray1960@gmail.com> wrote:> I''m looking at Puppet as a configuration manager solution, and I was wondering.... > Why is there a puppet user and group? > I realize the obvious answer is that Puppet won''t run w/o it, but I don''t understand > why it just wasn''t set up with root access. > > thanks in advance, > george > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/WtXL0ugYO0YJ. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Steven VanDevender
2012-Nov-26 23:41 UTC
Re: [Puppet Users] New to Puppet -- why the puppet user
Jerald Sheets writes: > Because standard systems administration practice is to rarely if ever > run anything at all as root. This practice, generally speaking, will > not pass ITIL, SOX, HIPAA, or PCI compliance auditing, and if > something like Puppet (which has complete run of your system) ran as > root, you could easily demolish not only one but thousands of > machines with a single keystroke... well, Root is just a bad idea, > then.... One gathers you''re not really a practicing sysadmin. What you cite are a bunch of good reasons one should avoid running daemons and applications as root. But you can''t create and manage the mechanisms that are used to avoid running things as root without root access. A sysadmin avoids doing things as root that aren''t necessary, but is otherwise obligated to use root access (carefully) on a constant basis. Puppet runs as root because it should be used to do a lot of the things that have to to be done as root. Proper standards for security should say that root access should be carefully regulated and monitored, not that it must never be allowed for remote access. If used well Puppet should actually improve your security because it can enforce site-wide standards automatically and provide better auditing of changes than haphazard manual practices. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Aaron Grewell
2012-Nov-26 23:45 UTC
Re: [Puppet Users] New to Puppet -- why the puppet user
To answer OP''s question, the Puppet Master runs as user/group puppet. The agent runs as root. On Mon, Nov 26, 2012 at 3:41 PM, Steven VanDevender <stevev@uoregon.edu>wrote:> Jerald Sheets writes: > > Because standard systems administration practice is to rarely if ever > > run anything at all as root. This practice, generally speaking, will > > not pass ITIL, SOX, HIPAA, or PCI compliance auditing, and if > > something like Puppet (which has complete run of your system) ran as > > root, you could easily demolish not only one but thousands of > > machines with a single keystroke... well, Root is just a bad idea, > > then.... > > One gathers you''re not really a practicing sysadmin. What you cite are > a bunch of good reasons one should avoid running daemons and > applications as root. But you can''t create and manage the mechanisms > that are used to avoid running things as root without root access. A > sysadmin avoids doing things as root that aren''t necessary, but is > otherwise obligated to use root access (carefully) on a constant basis. > > Puppet runs as root because it should be used to do a lot of the things > that have to to be done as root. > > Proper standards for security should say that root access should be > carefully regulated and monitored, not that it must never be allowed for > remote access. If used well Puppet should actually improve your > security because it can enforce site-wide standards automatically and > provide better auditing of changes than haphazard manual practices. > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Steven VanDevender
2012-Nov-26 23:54 UTC
Re: [Puppet Users] New to Puppet -- why the puppet user
Aaron Grewell writes: > To answer OP''s question, the Puppet Master runs as user/group puppet. The > agent runs as root. Which is, of course, entirely desirable. puppetmaster needs access only to a limited set of files, which it needs only to serve to agents, and hence is best run in a dedicated user/group. The agents, however, need root access to do their jobs. Unfortunately I failed to notice that was a top-posted reply. Sorry. > On Mon, Nov 26, 2012 at 3:41 PM, Steven VanDevender <stevev@uoregon.edu>wrote: > > > Jerald Sheets writes: > > > Because standard systems administration practice is to rarely if ever > > > run anything at all as root. This practice, generally speaking, will > > > not pass ITIL, SOX, HIPAA, or PCI compliance auditing, and if > > > something like Puppet (which has complete run of your system) ran as > > > root, you could easily demolish not only one but thousands of > > > machines with a single keystroke... well, Root is just a bad idea, > > > then.... > > > > One gathers you''re not really a practicing sysadmin. What you cite are > > a bunch of good reasons one should avoid running daemons and > > applications as root. But you can''t create and manage the mechanisms > > that are used to avoid running things as root without root access. A > > sysadmin avoids doing things as root that aren''t necessary, but is > > otherwise obligated to use root access (carefully) on a constant basis. > > > > Puppet runs as root because it should be used to do a lot of the things > > that have to to be done as root. > > > > Proper standards for security should say that root access should be > > carefully regulated and monitored, not that it must never be allowed for > > remote access. If used well Puppet should actually improve your > > security because it can enforce site-wide standards automatically and > > provide better auditing of changes than haphazard manual practices. > > > > -- > > You received this message because you are subscribed to the Google Groups > > "Puppet Users" group. > > To post to this group, send email to puppet-users@googlegroups.com. > > To unsubscribe from this group, send email to > > puppet-users+unsubscribe@googlegroups.com. > > For more options, visit this group at > > http://groups.google.com/group/puppet-users?hl=en. > > > > > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
In regard to: Re: [Puppet Users] New to Puppet -- why the puppet user,...:> Because standard systems administration practice is to rarely if ever > run anything at all as root.When it doesn''t require root, that''s absolutely true. This relates to the principle of least privilege. However, the puppet agent that runs on each puppet client requires the ability to make modifications to nearly everything about the client system, all in an effort to enforce the state that the puppet server has indicated that the client should be in. I suppose you could do that using something like "sudo" or Solaris RBAC, but you would end up granting so much access to the puppet agent that you would essentially be running it as root anyway. There''s very little point going through that exercise for an agent that requires unfettered access to the client system. To answer the original question: there''s a puppet user and group for the very few things that do *not* require root: specifically, the puppet master and components like Dashboard. They are, essentially, web applications, and don''t require any special privileges, so the PuppetLabs folks wisely made them run as a non-privileged user (& group). Note that if your puppet master is a client of itself (or some other puppet master) then the puppet agent running there still needs to be run as root. The agent enforces the state, which requires administrative access. The master calculates the state, which doesn''t. Tim -- Tim Mooney Tim.Mooney@ndsu.edu Enterprise Computing & Infrastructure 701-231-1076 (Voice) Room 242-J6, IACC Building 701-231-8541 (Fax) North Dakota State University, Fargo, ND 58105-5164 -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Thomas Bendler
2012-Nov-27 15:05 UTC
Re: [Puppet Users] New to Puppet -- why the puppet user
2012/11/27 Steven VanDevender <stevev@uoregon.edu>> [...] > One gathers you''re not really a practicing sysadmin. What you cite are > a bunch of good reasons one should avoid running daemons and > applications as root. But you can''t create and manage the mechanisms > that are used to avoid running things as root without root access.[...] The question is more what actions are done by the daemon. Compiling the catalog, transfer files from a file server, sending reports to a central instance and a lot of stuff more are not necessarily things where the daemon need root privileges, installing packages or replacing configuration files is a different thing. But under normal circumstances it is better to only be root if it is really necessary. So starting as a user and gain more privileges only where needed. Regards, Thomas -- Linux ... enjoy the ride! -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
All answers helped a lot. Thanks, George On Tuesday, November 27, 2012 8:06:00 AM UTC-7, thbe wrote:> > 2012/11/27 Steven VanDevender <ste...@uoregon.edu <javascript:>> > >> [...] >> One gathers you''re not really a practicing sysadmin. What you cite are >> a bunch of good reasons one should avoid running daemons and >> applications as root. But you can''t create and manage the mechanisms >> that are used to avoid running things as root without root access. > > [...] > > > The question is more what actions are done by the daemon. Compiling the > catalog, transfer files from a file server, sending reports to a central > instance and a lot of stuff more are not necessarily things where the > daemon need root privileges, installing packages or replacing configuration > files is a different thing. But under normal circumstances it is better to > only be root if it is really necessary. So starting as a user and gain more > privileges only where needed. > > Regards, Thomas > -- > Linux ... enjoy the ride! > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/u-OV4h4YktYJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.