On 12/22/10 8:38 PM, Patrick wrote:
>
> On Dec 22, 2010, at 5:18 PM, Derek Yarnell wrote:
>
>> So I was asked a bit about implications of distributing something
>> sensitive through puppet. After a client talks to the puppet server
>> (giving its local facts) and retrieves its catalog, is the client allowed
>> to fetch resources that may not be defined in its catalog?
>>
>> For example, if someone is crafty and has compromised a client, can they
>> retrieve a file from the file server that was not in their catalog? Or
>> can this only be secured by the file server IP ACLs
>> (if you really call that secure)?
>
>
> Just to confirm that. Any client with a valid certificate can get any file
> in any "files" directory unless you make changes. Templates are different
> because the templates are put into the catalog, so a client can only use
> templates you use in the catalog.
>
OK, so is the only way to secure the files via IP/hostname, or am I
missing something in the auth.conf?

Thanks,
derek

--
---
Derek T. Yarnell
University of Maryland
Institute for Advanced Computer Studies
