Forum: CFEngine Help
Subject: Re: Ownership issue with output files
Author: n...@cmdln.org
Link to topic: https://cfengine.com/forum/read.php?3,24996,25001#msg-25001

Hello,

Looking at your manage_users bundle, you are not classing your create_ssh_dir on anything, so that bundle gets executed all the time. If we dig down into create_ssh_dir, you are setting the create_dir class if the user exists, so that will get set as long as the user exists. Your commands promises will therefore delete the authorized_keys file and the id_rsa file at each execution interval, which by default would be 5 minutes.

I am not sure on the file permission differences, but it seems like a umask issue, and since you are re-creating the files at each pass perhaps it's never getting the chance to correct the permissions. I am not sure on that part.

I do have a couple of other comments though ...

You probably want to limit some of your actions based on classes. Do you really want to re-create the authorized_keys file and id_rsa file each time?

It's kind of interesting that you're using reports functionality to populate your authorized keys file; I don't think that's what it was intended for. You might have better luck using edit_lines in your files promise with edit_defaults set to empty, since you appear to want to completely enforce the content.

I also notice that you are distributing the private key. You may have a good reason to do this, but generally speaking you don't want private keys to be in very many places. Usually people like to have them in just 2 places: the system it's installed on, and a backup in a safe. It's just something to consider, also depending on how you are distributing your policy. If you are copying all of your master-files to each host, then each host has a copy of the private key in the policy in addition to any place where you are installing the key.
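
The suggestion above (guard the work with a class and enforce the file content from a files promise instead of commands and reports), sketched as an added example that is not part of the original post or the poster's policy. The bundle name, body names, account name and key string are hypothetical; in CFEngine 3 the files attributes involved are edit_line and edit_defaults. Only a public key is managed here.

```cf3
# Added example: names and values below are constructed, not from the thread.
body common control
{
      bundlesequence => { "ssh_authorized_keys" };
}

bundle agent ssh_authorized_keys
{
  vars:
      "user" string => "deploy";          # assumed account name
      "home" string => "/home/$(user)";   # assumed home directory layout
      # Constructed placeholder; public keys only, never the private key.
      "keys" slist  => { "ssh-ed25519 AAAA_CONSTRUCTED_PUBLIC_KEY admin@example" };

  classes:
      # Guard: the files promises below apply only when the account exists.
      "have_user" expression => userexists("$(user)");

  files:
    have_user::
      # Trailing "/." tells CFEngine to create a directory.
      "$(home)/.ssh/."
        create => "true",
        perms  => owner_mode("$(user)", "700");

      # Explicit perms instead of relying on the agent's umask.
      "$(home)/.ssh/authorized_keys"
        create        => "true",
        perms         => owner_mode("$(user)", "600"),
        edit_defaults => start_empty,
        edit_line     => exact_lines("@(ssh_authorized_keys.keys)");
}

body perms owner_mode(owner, mode)
{
      owners => { "$(owner)" };
      mode   => "$(mode)";
}

body edit_defaults start_empty
{
      # Content is fully enforced: start from an empty buffer, then insert.
      empty_file_before_editing => "true";
      edit_backup               => "false";
}

bundle edit_line exact_lines(lines)
{
  insert_lines:
      "$(lines)";
}
```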