Forum: Cfengine Help Subject: Running cf-serverd as non-root Author: berntjernberg Link to topic: https://cfengine.com/forum/read.php?3,21136,21136#msg-21136
Hi, I don't want the cf-serverd to run as root. It's a file-sharing service and the port is non-privileged so it should be ok run it as a normal user. My policy server is a RHEL 5.4 at the moment but I will have others running Solaris 10 in a near future so I don't want to use SELinux to secure cf-serverd running as root. To manage a SELinux policy is far more work than running the cf-serverd as a non-root and I want a cross platform solution. All nodes managed by Cfengine will have ip-access to the policy-server and I want my solution to be as secure as possible. Masterfiles are moved to /opt and the user running cf-serverd will not be able to update anything. I have tested with several scenarios, one is to copy /var/cfengine to ~/.cfagent another to create links in ~/.cfagent to sub-directories in /var/cfengine. cf-agent and cf-serverd will always try to chown the workdir and permissions like 0750 is not ok so links do not work very well. I can get it to work if I don't run cf-execd on the policy server and start cf-serverd manually after manipulating user and group ownership as well as permissions but it's an impractical solution. cf-execd will run as root so everything else will work as expected. This has nothing to do with cfengine, I always use the least privilege approach to minimize the impact of a security breach. What's your opinion on this matter? _______________________________________________ Help-cfengine mailing list Help-cfengine@cfengine.org https://cfengine.org/mailman/listinfo/help-cfengine
