I also experienced the same problem.

The correct workaround seems to be this:

The symlink /var/lib/cfengine3/inputs has to be a real directory.

E.g.,

   cd /var/lib/cfengine3
   mv inputs inputs.old
   mkdir inputs
   cp /usr/share/doc/cfengine3/examples/* /var/lib/cfengine3/inputs

   * be careful to set the directory permission of "inputs".
   Usually, root-owned and not world writable should be OK.

env LANG=C ls -l /var/lib/cfengine3

total 180
lrwxrwxrwx 1 root root      9 Apr 13 06:45 bin -> /usr/sbin
-rw------- 1 root root  16384 May 17 15:51 cf_classes.db
drwxr-xr-x 2 root root   4096 May 16 12:20 inputs
lrwxrwxrwx 1 root root     14 Apr 13 06:45 inputs.old -> /etc/cfengine3
drwxr-xr-x 2 root root   4096 May 16 12:15 lastseen
drwxr-xr-x 2 root root   4096 May 16 12:18 masterfiles
drwx------ 2 root root   4096 May 16 12:15 modules
drwxr-xr-x 2 root root   4096 May 17 15:51 outputs
-rw------- 1 root root   8192 May 17 15:50 performance.db
drwx------ 2 root root   4096 May 16 12:15 ppkeys
-rw------- 1 root root 116528 May 17 15:51 promise_summary.log
-rw-r--r-- 1 root root   1024 May 16 12:15 randseed
drwxr-xr-x 2 root root   4096 May 16 12:15 reports
drwxr-xr-x 2 root root   4096 May 17 15:52 state


This wastes /etc/cfengine3. The files under it are not used at all.

The cause:

Obviously, the link /var/lib/cfengine3/inputs was created as a
handy manner to refer to /etc/cfengine3/.

But cfengine3 seems to have a rather peculiar security concern of
using a symlink to refer to the directory where configuration files are stored.
Such a caution is not unexpected for a security-conscious program.
(Still I am a little surprised here since sendmail v8 used to allow the
reference to user-defined programs that are invoked during sendmail run
through a symlink under a protected directory. cfengine3 seems to take a more
serious attitude re symlinks. That is, this symlink is BELOW a root-owned
world-non-writable directory, and is safe IMHO. But cfengine probably was
never intended to refer to configuration files through a symlink anyway.)

From /usr/share/doc/cfengine3/README.cfengine3
--- quote begins ---
*) cfengine3 is FHS, that means that, unlike the original, we log in /var/log,
the binaries are located in /usr/sbin and the inputs files are in
/etc/cfengine3; for upstream compatibility we have two symlinks:

/etc/cfengine3 -> /var/lib/cfengine3/inputs
/usr/sbin      -> /var/lib/cfengine3/bin

--- end quote

So the choice of FHS file layout is something to blame until
cfengine3 source file is fixed to allow for *THIS* particular
setup (and NOT others for obvious security reasons).

Oh wait. I just tried to install cfengine3 yesterday, and have not
tested the invocation of various commands through cron entries.
I wonder if /var/lib/cfengine3/bin is suffering from the same problem ???

At least the crontab entries installed by cfengine3 seem to be invoked
every 5 minutes without major ill-effects: but I have yet to configure
cfengine3 to copy various files from the master repository, etc. and so the
relevant commands may not have been invoked really.

Hope this helps.

CI
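
A check for the state the workaround above aims at (inputs is a real directory, owned by root, not world writable), as an added example that is not part of the original message or the cfengine3 package. The function name `check_inputs_dir` and its return codes are assumptions made for this illustration; it relies on GNU `stat` as shipped in Debian coreutils.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from cfengine3 or the message).
# check_inputs_dir DIR [OWNER_UID]
#   0 = real directory, owned by OWNER_UID (default 0 = root),
#       not world writable
#   1 = DIR is a symlink        2 = DIR missing or not a directory
#   3 = wrong owner             4 = world writable
check_inputs_dir() {
    dir=$1
    want_uid=${2:-0}

    # Test for a symlink first: [ -d ] follows links and would hide it.
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink -> $(readlink "$dir")" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or not a directory" >&2
        return 2
    fi

    # GNU stat: %u = numeric owner uid, %a = permission bits in octal.
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $want_uid" >&2
        return 3
    fi

    # The leading 0 makes the shell read the mode as octal.
    # 002 is the other-write bit; use 022 to also reject group-write.
    if [ $(( 0$mode & 002 )) -ne 0 ]; then
        echo "FAIL: $dir is world writable (mode $mode)" >&2
        return 4
    fi

    echo "OK: $dir is a real directory, uid $uid, mode $mode"
    return 0
}

# Typical use on the system described in the message:
#   check_inputs_dir /var/lib/cfengine3/inputs
```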


