On Tuesday, August 27, 2013 1:47:02 PM UTC-5, Martin Langhoff wrote: > > On Tue, Aug 27, 2013 at 2:41 PM, jcbollinger > <[email protected]<javascript:>> > wrote: > > The client can provide a $::hostname fact that is different from the > > certname it presents, but that is perfectly valid and expected under > some > > circumstances. It is possible that a client doing so is thereby able to > > exploit weaknesses in (user-provided) manifest files required anyway for > its > > catalog, thereby extracting information to which it is not intended to > have > > access, but that is possible to some degree or another with any fact. > It > > does not constitute a flaw in Puppet itself, but rather in the manifests > in > > question. > > That's roughly what I recall. > > So, in less words: from a security perspective, do not count on Puppet > only serving the right config for the host. It is a very flimsy > security boundary. > >
If the objective is to render it into a small number of words, then I think a fairer characterization would be: Puppet securely identifies clients and provides that information, but it cannot not prevent ENCs and manifests from relying on falsifiable information. That's not any different from most other security-sensitive information services, such as an https web application running on Apache. Apache can be made to identify me via my own certificate and to provide that identity to the webapp, but if the application ignores my securely-established identity when making decisions about what information to serve up to me then I may be able to trick it out of information I'm not supposed to have. Puppet makes client certnames available implicitly in node blocks and explicitly everywhere (via a fact), so a Puppet site (master + ENC / manifests / data + agents) can be secured reasonably well. It is misleading to complain that the master alone cannot provide sufficient security without acknowledging that it's because the master is only one part of the picture. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
