I really think this is a bug. Here's the output from "cfservd -d2" for two different files in the source tree. The first (check_dns) is a regular file and the second (check_udp2) is a symlink to a regular file in the same directory. On the source machine /u is a symlink to /devu.
Received: [SYNCH 1135957075 STAT /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns] on socket 7
AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns)
AccessControl(/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,hognose.arcsystems.com)
encrypt request=1
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/var/cfengine/ppkeys/localhost.pub)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/u1/cfengine)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/cfengine)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc/init.d)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/opt)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/usr/local)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc)?
Examining rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)?
Found a matching rule in access list (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)

Received: [SYNCH 1135957075 STAT /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2] on socket 7
AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2)
AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,hognose.arcsystems.com)
encrypt request=1
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/var/cfengine/ppkeys/localhost.pub)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/u1/cfengine)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/cfengine)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc/init.d)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/opt)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/usr/local)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc)?
Examining rule in access list (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/devu/deploy)?
cfservd: Host hognose.arcsystems.com denied access to /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2

The symlink is treated differently by the access control logic.

On Thu, 2005-12-29 at 16:16 -0600, Mark Burgess wrote:
>
> As I understand it, you can copy file objects of any kind from a real
> directory, without symlinks in the path, if there is a granted path that
> does not rely on the use of symlinks. Cfservd expands out the symlinks
> to check where the file actually points to.
>
> M
>
> On Thu, 2005-12-29 at 16:09 -0600, Bill Gunter wrote:
> > Hmmm. I understand that you have to use the actual directory and not a
> > symlink in the "admit" directive of cfservd.conf, but that's not the
> > problem here. To work around the problem I changed the copy directive,
> > not the admit directive. Are you saying that you can't copy symlinks
> > from a symlinked directory?
> >
> > On Thu, 2005-12-29 at 16:03 -0600, Mark Burgess wrote:
> > >
> > > That is a documented security feature, not a bug.
> > > M
> > >
> > > On Thu, 2005-12-29 at 14:06 -0600, Bill Gunter wrote:
> > > > Okay, found the problem with the symlinks. Apparently the access control
> > > > is getting confused. I've allowed access with
> > > >
> > > > admit:
> > > > cfengine_server::
> > > > /directory *.domain.com
> > > >
> > > > But the copy directive says
> > > >
> > > > class::
> > > > /symlink_to_directory
> > > >
> > > > This works with regular files contained in /directory but not with
> > > > symlinks to files in the same directory. I changed the copy directive to
> > > > use the actual directory and not the symlink to it and it works fine.
> > > > This seems like a bug to me.
> > > >
> > > > On Thu, 2005-12-29 at 13:03 -0600, Mark Burgess wrote:
> > > > >
> > > > > Look at the output of cfservd -d2 to see why this is happening. If you
> > > > > are traversing links, that is not honoured by access control. This has
> > > > > always been true
> > > > > M
> > > > >
> > > > > On Thu, 2005-12-29 at 12:46 -0600, Bill Gunter wrote:
> > > > > > v2.1.18 of cfservd (still v2.1.15 of cfagent) gives slightly different
> > > > > > errors, but the same results. It says "Unspecified refusal by server"
> > > > > > instead of "Host authorization/authentication failed or access denied"
> > > > > >
> > > > > > On Thu, 2005-12-29 at 12:21 -0600, Mark Burgess wrote:
> > > > > > >
> > > > > > > What does 2.1.18 do?
> > > > > > >
> > > > > > > On Thu, 2005-12-29 at 11:43 -0600, Bill Gunter wrote:
> > > > > > > > I've configured a copy directive and the symlinks that exist in the
> > > > > > > > directory being copied are not being copied, but all the regular files
> > > > > > > > in the directory are being copied.
> > > > > > > >
> > > > > > > > cfservd is throwing this error for each symlink:
> > > > > > > >
> > > > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 823470 daemon.error] Host
> > > > > > > > REMOTE denied access to /directory/symlink
> > > > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 702911 daemon.notice] Host
> > > > > > > > authorization/authentication failed or access denied
> > > > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 702911 daemon.notice] From
> > > > > > > > (host=REMOTE,user=root,ip=::ffff:111.111.111.111)
> > > > > > > > Dec 29 11:34:58 HOST cfservd[12692]: [ID 823470 daemon.error] ID from
> > > > > > > > connecting host: (SYNCH 1135877698 STAT /directory/symlink)
> > > > > > > >
> > > > > > > > Here's the directive.
> > > > > > > >
> > > > > > > > class::
> > > > > > > > /directory
> > > > > > > > server=$(server)
> > > > > > > > dest=/remote_directory
> > > > > > > > owner=root
> > > > > > > > backup=false
> > > > > > > > recurse=inf
> > > > > > > > timestamps=keep
> > > > > > > >
> > > > > > > > I'm using v.2.1.15.

--
Bill Gunter
Assistant Director of Information Systems
ARC Systems
P: 512.358.5377
F: 512.892.5552
<www.arcsystems.com>

_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://lists.gnu.org/mailman/listinfo/help-cfengine
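Added example, not part of the thread and not cfengine's source: a small Python model of the two access-control behaviours visible in the cfservd -d2 output above. It builds a constructed directory tree that mirrors the thread (a devu/deploy tree with a u -> devu link, a regular file check_dns, a symlink check_udp2 -> check_dns, plus a symlink that points outside the granted tree), then checks each request against an admit list of real, symlink-free directories two ways: a model of what the log lines show (a regular file is canonicalised through the symlinked directory, a file that is itself a symlink is checked under the name the client sent) and full canonicalisation of every path component. The tree layout, the helper names canon_observed and canon_full, and the "escape" link are assumptions made for the illustration.

```python
"""Model of symlink handling in path-based access control (constructed example)."""
import os
import tempfile


def build_tree(root):
    """Constructed layout mirroring the thread's debug output:
         <root>/devu/deploy/libexec/check_dns          regular file
         <root>/devu/deploy/libexec/check_udp2 -> check_dns
         <root>/devu/deploy/libexec/escape -> ../../../outside/secret  (assumed)
         <root>/u -> devu                               (the /u -> /devu link)
         <root>/outside/secret                          a file outside the granted tree
    """
    libexec = os.path.join(root, "devu", "deploy", "libexec")
    os.makedirs(libexec)
    os.makedirs(os.path.join(root, "outside"))
    with open(os.path.join(libexec, "check_dns"), "w") as fh:
        fh.write("#!/bin/sh\necho check_dns\n")
    with open(os.path.join(root, "outside", "secret"), "w") as fh:
        fh.write("not for export\n")
    os.symlink("check_dns", os.path.join(libexec, "check_udp2"))
    os.symlink(os.path.join("..", "..", "..", "outside", "secret"),
               os.path.join(libexec, "escape"))
    os.symlink("devu", os.path.join(root, "u"))


def is_under(path, directory):
    """True when path is directory itself or lies beneath it."""
    directory = directory.rstrip("/")
    return path == directory or path.startswith(directory + "/")


def canon_observed(path):
    """Model of what the log shows (not cfservd's code): a regular file is
    expanded through every symlinked directory component, but a file that is
    itself a symlink is checked under the name the client sent."""
    if os.path.islink(path):
        return path
    return os.path.realpath(path)


def canon_full(path):
    """Canonicalise every component, the final one included, so the check
    always sees where the object really lives."""
    return os.path.realpath(path)


def admitted(requested, admit, canon):
    """Return (granted, canonical_path) for one request against an admit list
    written with real directories, as the thread says admit rules must be."""
    path = canon(requested)
    return any(is_under(path, rule) for rule in admit), path


def run_demo():
    """Check three requests through the symlinked /u path both ways.
    Returns {name: (granted_under_observed_model, granted_under_full_realpath)}."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        # admit rule names the real directory, never the /u symlink
        admit = [os.path.join(os.path.realpath(root), "devu", "deploy")]
        results = {}
        for name in ("check_dns", "check_udp2", "escape"):
            requested = os.path.join(root, "u", "deploy", "libexec", name)
            results[name] = (
                admitted(requested, admit, canon_observed)[0],
                admitted(requested, admit, canon_full)[0],
            )
        return results


if __name__ == "__main__":
    for name, (observed, full) in run_demo().items():
        print(f"{name:11s} observed-model: {'grant' if observed else 'deny':5s}"
              f"  full-realpath: {'grant' if full else 'deny'}")
```

Under the observed model the regular file passes and the symlink in the same directory is refused, exactly the split in the log above; under full canonicalisation both pass because they resolve to the same admitted directory, while the link that points outside the granted tree is refused either way, which is the property an admit list written with real directories is meant to guarantee.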