Issue #3092 has been updated by Robin Powell.
Markus Roberts wrote:
> This would be a significant behaviour change; the present assumption is that
> modules and plugins are accessible by default.

Then there's some kind of documentation error, or at least confusion. Note that at http://reductivelabs.com/trac/puppet/wiki/FileServingConfiguration it says "The default security configuration is to deny all access, so if no allow lines are specified, the module will be configured but available to no one.". That sounds like "deny all is the default" to me.

Furthermore:

1. If I put *anything* in the [modules] section, "deny all" is suddenly the default behaviour; everything I haven't explicitly allowed is denied. This strongly implies that "deny all" is the default state.
2. "allow *" is OK, but "deny *" is a syntax error. This also, very strongly, implies that "deny all" is the default state.

The problem is that when the [modules] section is *entirely* empty, the behaviour shifts from "deny all" to "allow all", which is very confusing. If the section *missing* did that, that would be (mildly) less confusing, but having an empty section do that when the documentation makes it clear that "deny all" is the default is very confusing.

Even then, I would be fine with it if "deny *" worked; all I was trying to do was test that in the "deny all" state, nothing worked. With the current setup, it is *impossible* to actually put the config into a "deny all" state; the best you can do is allow something insignificant (or impossible, like a non-routable address not on your network). That's icky.

-Robin

----------------------------------------
Bug #3092: No entries means no security?
http://projects.reductivelabs.com/issues/3092

Author: Robin Powell
Status: Needs design decision
Priority: Normal
Assigned to:
Category:
Target version:
Affected version: 0.25.1
Keywords:
Branch:

For testing purposes, I had a fileserver.conf with:

    [modules]
    [plugins]

and nothing else. This gives no security whatsoever; all access is allowed.
Since @deny *@, which is what I _wanted_ to put in there, isn't allowed, this was _very_ confusing. I would like to see that situation treated as "deny all", as the docs imply, and I would like @deny *@ to work.

-Robin
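
An added example, not part of the original report and not Puppet's own code: a small Ruby audit that scans fileserver.conf text for the two conditions this report describes, a mount section with no entries at all and a `deny *` line. The function name `audit_fileserver_conf` and the sample configuration are constructed for illustration; the behaviour attached to each finding is as reported here for 0.25.1.

```ruby
# Constructed sample input: two empty mounts as in the report, plus one
# hypothetical [files] mount that carries a "deny *" line.
SAMPLE_CONF = <<~CONF
  # constructed sample, not a real configuration
  [modules]

  [plugins]

  [files]
    path /var/lib/puppet/files
    allow *.example.com
    deny *
CONF

# Returns an array of [mount_name, message] findings.
def audit_fileserver_conf(text)
  mounts = {}    # mount name => directive lines seen inside that section
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip   # drop comments and whitespace
    next if line.empty?
    if (m = line.match(/\A\[([^\]]+)\]\z/))
      current = mounts[m[1]] = []     # start of a new mount section
    elsif current
      current << line                 # any directive: path, allow, deny
    end
  end

  findings = []
  mounts.each do |name, entries|
    if entries.empty?
      # Reported behaviour: an entirely empty section allows all access.
      findings << [name, 'section is empty: reported to allow all access in 0.25.1']
    end
    if entries.any? { |e| e.match?(/\Adeny\s+\*\z/) }
      # Reported behaviour: "deny *" is rejected as a syntax error.
      findings << [name, '"deny *" is reported to be a syntax error']
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_fileserver_conf(SAMPLE_CONF).each { |mount, msg| puts "[#{mount}] #{msg}" }
end
```
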
