Ah - ok, I see. Well, the expansion is performed by the POSIX realpath function, which is supposed to deliver the correct path without symbolic links. What I see now is that, if the final node (not the path) is a link, then the realpath is not computed. So you are right, this is not consistent and I'm not sure why I did that. I'll think about it some more to decide whether I was smarter or dumber than I am now.

M

On Sun, 2006-01-01 at 12:52 -0600, Bill Gunter wrote:
> I understand all that. I guess I'm not making myself clear. I'll try again.
> In the example the regular file (check_dns) path is expanded to have /devu
> as the root. This is correct behavior. However, the symlink file (check_udp2)
> path is expanded differently to have /u as the root. /u is a symlink to
> /devu. Why does the path expand to a symlink?
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>
>
> -----Original Message-----
> From: Mark Burgess
> To: Bill Gunter
> CC: help-cfengine@gnu.org
> Sent: Sun Jan 01 12:47:59 2006
> Subject: Re: problems copying symlinks
>
>
> Right, cfengine does not honour symbolic links, because a completely
> unauthorized person might have added that symbolic link, and then
> suddenly the server would be serving up files that were meant to be
> private. Those are the rules of cfengine's security model. "It's for
> your own protection!" :) It's not a bug.
>
> On Sun, 2006-01-01 at 12:43 -0600, Bill Gunter wrote:
> > Precisely. The symlink is treated differently from the regular file when
> > the full path is determined. The regular file has /devu as the root while
> > the symlink has /u. I can work around by putting both /devu and /u in the
> > Allow directive, but why is this necessary? /u is a symlink to /devu.
> > --------------------------
> > Sent from my BlackBerry Wireless Handheld
> >
> >
> > -----Original Message-----
> > From: Mark Burgess
> > To: Bill Gunter
> > CC: help-cfengine@gnu.org
> > Sent: Sun Jan 01 12:37:25 2006
> > Subject: Re: problems copying symlinks
> >
> > There is a flaw in your example
> >
> > On Fri, 2005-12-30 at 09:46 -0600, Bill Gunter wrote:
> > > I really think this is a bug. Here's the output from "cfservd -d2" for
> > > two different files in the source tree. The first (check_dns) is a
> > > regular file and the second (check_udp2) is a symlink to a regular file
> > > in the same directory. On the source machine /u is a symlink to /devu.
> > >
> > > Received: [SYNCH 1135957075 STAT
> > > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns] on socket 7
> > > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns)
> > > AccessControl(/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,hognose.arcsystems.com)
> > > encrypt request=1
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/var/cfengine/ppkeys/localhost.pub)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/u1/cfengine)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/cfengine)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc/init.d)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/opt)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/usr/local)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/etc)?
> > > Examining rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)?
> > > Found a matching rule in access list
> > > (/devu/deploy/sunos_sun4u/usr/local/nagios/libexec/check_dns,/devu/deploy)
> >
> > This matches your final entry
> >
> > >
> > > Received: [SYNCH 1135957075 STAT
> > > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2] on socket 7
> > > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2)
> > > AccessControl(/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,hognose.arcsystems.com)
> > > encrypt request=1
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/var/cfengine/ppkeys/localhost.pub)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/u1/cfengine)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/cfengine)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc/init.d)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/opt)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/usr/local)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/etc)?
> > > Examining rule in access list
> > > (/u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2,/devu/deploy)?
> > > cfservd: Host hognose.arcsystems.com denied access to
> > > /u/deploy/sunos_sun4u/usr/local/nagios/libexec/check_udp2
> >
> > This doesn't match your final entry /u != /devu
> >
> >
> > M
> >
>

_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://lists.gnu.org/mailman/listinfo/help-cfengine
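
The mismatch discussed in this thread, as an added example that is not cfengine's code and not part of the original message: the raw `/u/...` request fails a `/devu/deploy` rule, while resolving only the directory part with `realpath()` and keeping the symlink leaf as named gives a path that matches. The function names `canon_keep_leaf`, `admitted` and `demo`, and the temporary tree under `/tmp`, are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve the directory part with realpath() but keep the final node as
   named, so a symlink leaf is judged by where it lives, not by its target. */
int canon_keep_leaf(const char *req, char *out, size_t n)
{
    char d[PATH_MAX], b[PATH_MAX], real[PATH_MAX];
    if (strlen(req) >= PATH_MAX) return -1;
    strcpy(d, req);                 /* dirname()/basename() may modify input */
    strcpy(b, req);
    const char *leaf = basename(b);
    if (leaf[0] == '/' || !strcmp(leaf, ".") || !strcmp(leaf, "..")) return -1;
    if (!realpath(dirname(d), real)) return -1;
    int w = snprintf(out, n, "%s/%s", real, leaf);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Prefix match that only succeeds on a path-component boundary. */
int admitted(const char *path, const char *rule)
{
    size_t len = strlen(rule);
    return !strncmp(path, rule, len) && (path[len] == '/' || path[len] == '\0');
}

/* Constructed tree mirroring the thread: u -> devu, check_udp2 -> check_dns.
   Returns bit 0 = raw request admitted, bit 1 = canonical form admitted.
   The small tree is left behind under /tmp. */
int demo(void)
{
    char tmp[] = "/tmp/cfdemoXXXXXX", base[PATH_MAX], canon[PATH_MAX];
    char rule[PATH_MAX + 32], p[PATH_MAX + 64], req[PATH_MAX + 64];
    if (!mkdtemp(tmp) || !realpath(tmp, base)) return -1;
    snprintf(p, sizeof p, "%s/devu", base);
    snprintf(rule, sizeof rule, "%s/devu/deploy", base);
    if (mkdir(p, 0700) || mkdir(rule, 0700)) return -1;
    snprintf(p, sizeof p, "%s/u", base);
    if (symlink("devu", p)) return -1;
    snprintf(p, sizeof p, "%s/check_udp2", rule);
    if (symlink("check_dns", p)) return -1; /* leaf link; target need not exist */
    snprintf(req, sizeof req, "%s/u/deploy/check_udp2", base);
    if (canon_keep_leaf(req, canon, sizeof canon)) return -1;
    return admitted(req, rule) | (admitted(canon, rule) << 1);
}

int main(void) { printf("%d\n", demo()); return 0; }
```

Because the leaf is never followed, a link planted inside an admitted directory still cannot widen the rule to its target's location; only the containing directory's real path is compared.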