On Jun 15, 1:43 pm, Alexander Fortin <[email protected]> wrote:
> I've got a doubt and I wasn't able to find documentation about, so I
> thought it was time to try out this ML too: I'd like to manage sensitive
> data like PEM certs (to manage openvpn services for instance) and I'm
> puzzled by this doubt: is it possible for a client to "steal"
> information from the master? I mean, can mynode see
> modules/mymodule/files/mysecretfile even if the node 'mynode' is not
> including that module?

Yes, I believe you can if you know how, unless it's changed very
recently. It was discussed a while ago, and if I remember correctly,
all you need is a valid Puppet certificate to access any "Files" (i.e.,
puppet:///modules/$module_name/foo/bar) in any module, regardless of
whether the class is included on a node or not.

If you're afraid of that, you could pass your private key file content
across the wire using 'content' instead of 'source':
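
    file { "/etc/pki/woof.pem":
      # generate() runs on the master during compilation and takes the
      # command and each argument as separate strings, not as an array
      content => generate("/bin/cat", "/etc/puppet/private/woof.pem"),
    }
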
Check the correct format for generate(). That's a terrible idea if the
catalog gets written to disk anywhere. Can someone confirm?
> --
> Alexander Fortin http://about.me/alexanderfortin/
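
Added example (not part of the original message and not Puppet's own code): a Python check for the concern raised in the reply, namely that a key passed via 'content' is embedded in the compiled catalog and so in any copy of that catalog written to disk. It assumes the cached catalog is JSON with a "resources" list, optionally wrapped in a "data" key; the function names and the sample catalog are constructed for illustration.

```python
import json
import os
import re
import stat
import tempfile

# Matches PEM private key headers (RSA, EC, PKCS#8, encrypted PKCS#8, OpenSSH).
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def resources_with_inline_keys(catalog):
    """Return 'Type[title]' for each resource whose 'content' holds a PEM private key."""
    # Assumption: a dict with a "resources" list, optionally wrapped in a "data" key.
    body = catalog.get("data", catalog)
    hits = []
    for res in body.get("resources", []):
        content = res.get("parameters", {}).get("content")
        if isinstance(content, str) and PEM_KEY.search(content):
            hits.append("%s[%s]" % (res.get("type"), res.get("title")))
    return hits


def audit_cached_catalog(path):
    """Report inline keys in a cached catalog and whether non-owners can read the file."""
    with open(path, encoding="utf-8") as fh:
        catalog = json.load(fh)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "inline_keys": resources_with_inline_keys(catalog),
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


# Constructed sample catalog; the key body is a placeholder, not real key material.
SAMPLE = {"resources": [
    {"type": "File", "title": "/etc/pki/woof.pem",
     "parameters": {"content": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"}},
    {"type": "File", "title": "/etc/ntp.conf", "parameters": {"source": "puppet:///modules/ntp/ntp.conf"}},
]}


def demo():
    """Write SAMPLE to a temporary file with mode 0644 and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "catalog.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, 0o644)
        return audit_cached_catalog(path)
```

Resources that use 'source' are not flagged, because only the puppet:/// URL appears in the catalog, not the file body.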