bug-cfengine

Re: cfengine 2 migration issues


From: Ruben van Staveren
Subject: Re: cfengine 2 migration issues
Date: Thu, 19 Aug 2004 15:44:24 +0200
User-agent: Mutt/1.5.6i

Hi Mark,

Early 2004 I contacted you about some outstanding issues we had regarding the
migration from cfengine 1.x to cfengine 2.x, and I tackled some of them in a
patch attached to this mail.

It does two things:

- Suppress the regcomp warning we see under FreeBSD 4.x
- Replace the compile time WORKDIR with a runtime CFWORKDIR which is set
  to $HOME/.cfagent if the user is not privileged. Opening up /var/cfengine
  for non privileged users is not desirable at our location and implies the
  possibility of race conditions.

Can you please have a look at it and let me know whether it can be included in
a forthcoming cfengine version?

The patches work in our setup (which is, run cfagent from both a privileged
and non privileged crontab every 5 minutes.)

The patch is against a stock 2.1.9 version.

Kind Regards,
        Ruben van Staveren

On Wed, Feb 18, 2004 at 04:41:20PM +0100, Ruben van Staveren wrote:
> Mark
> 
> On Thu, Feb 12, 2004 at 07:21:00PM +0100, address@hidden wrote:
> > 
> > Ruben - the GNU site is in a mess, so no updates have been posted
> > outside of www.cfengine.org for some time. The latest version is
> > 2.1.3. Recommend that, perhaps it will solve some of the problems.
> > 2.0.6 has a potentially exploitable buffer overflow in cfservd.
> > 
> > I believe the regex error was a bug in my grammar that was fixed
> > immediately afterwards.
> > 
> 
> Unfortunately it is still there, I had tested up until 2.1.0 or so and
> 2.1.3 also shows that behavior. Code is in src/item-ext.c (CfRegcomp) I
> believe. Apparently, it is fed an empty string.
> 
> Maybe it is a good idea to do a 
>   if (regex == NULL || *regex == '\0')
>           return -1;
> 
> Before regcomp() or something like that?
> 
> 
> Concerning umask and the LogDirectory directives, these seem to be security
> related, umask is set to 077 in src/parse.c per default and LogDirectory shows
> an error message in src/cfagent.c. The umask directive for shellcommand and
> processes sections seems to work, but is erroneously reported as an illegal
> statement. Also for 2.0.6 which we have currently deployed.
> 
> Can you please enlighten me as I don't understand the background of these
> changes regarding the CFE1 way of things?
> FYI, we don't use cfservd, but start cfagent from cron every 5 minutes, one
> for the system wide root user, and one for the role account to monitor the
> project software.
> 
> Is cfengine still meant to be used by non privileged users or "must"
> everything go through cfservd...
> 
> - Ruben
> 
> > M
> > 
> > On 12 Feb, Ruben van Staveren wrote:
> > > Hello all,
> > > 
> > > At RIPE NCC we have deployed a network of 60 so called Test Traffic
> > > Measurement boxes (http://www.ripe.net/ttm/) and are currently in the
> > > progress of upgrading our network from cfengine 1 to cfengine 2. We have
> > > encountered a few peculiarities which weren't there in the previous
> > > versions.
> > > 
> > > cfengine 2 is now installed on our FreeBSD 4.x based Test Traffic
> > > Measurement Testboxes, with the following remarks:
> > > 
> > > - We are using version 2.0.6 instead of the latest version available
> > >   because the grammar in the .l and the .y files changed in 2.0.7,
> > >   causing harmless but noisy error messages to appear when using a
> > >   SetOptionString
> > > 
> > >   address@hidden:102] /tmp/cfe2/cfengine-2.0.7/src/cfagent -n -DCRON -f
> > >   /home/ttraffic/config/cfengine.conf 
> > >   cfengine:tt97: Regular expression error 14 for 
> > >   cfengine:tt97: empty (sub)expression
> > > 
> > >   It could be that the BSD implementation of the regular expression
> > >   library is more strict and this error is not triggered on other
> > >   platforms.
> > > 
> > > - Separate binaries for root and a non privileged maintenance account have
> > >   been installed, this is due to the fact the cfengine status directory
> > >   (LogDirectory) is not run time adjustable anymore. See
> > >   http://mail.nongnu.org/archive/html/bug-cfengine/2003-11/msg00018.html
> > >   what was wrong with the cfengine 1 way of doing things?
> > >   We use a setup where cfengine is run from cron, and not from the
> > >   cfengine daemon.
> > > 
> > > - There seems to be a problem with the umask setting, we have to readjust
> > >   permissions on files generated from programs under cfengine 2 control
> > >   which was not needed in cfengine 1
> > > 
> > > 
> > > Kind Regards,
> > >   Ruben van Staveren
> > > 
> > 
> > 
> > 
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Work: +47 22453272            Email:  address@hidden
> > Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 

-- 
Ruben van Staveren                      RIPE Network Coordination Centre
New Projects Group/TTM                  Singel 258 Amsterdam NL
http://www.ripe.net                     +31 20 535 4444

Attachment: cfengine-2.1.9-ripe-ncc.patch
Description: Text document
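
The two changes described in this message, sketched as an added example (not taken from the attached patch or the cfengine source): an empty-pattern guard before regcomp() and a run-time work directory choice. The function names are hypothetical, and the ownership/mode check on the per-user directory is an assumption about how the race-condition concern could be handled.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SYSTEM_WORKDIR "/var/cfengine"   /* directory named in the message */

/* Hypothetical wrapper: reject NULL or empty patterns before regcomp(). */
int guarded_regcomp(regex_t *preg, const char *regex, int cflags)
{
    if (regex == NULL || *regex == '\0')
        return -1;
    return regcomp(preg, regex, cflags) == 0 ? 0 : -1;
}

/* Choose the work directory at run time: the system directory for root,
 * $HOME/.cfagent for any other user. Returns 0 on success, -1 on error. */
int select_workdir(uid_t euid, const char *home, char *out, size_t outlen)
{
    int n;
    if (euid == 0)
        n = snprintf(out, outlen, "%s", SYSTEM_WORKDIR);
    else if (home != NULL && home[0] == '/')
        n = snprintf(out, outlen, "%s/.cfagent", home);
    else
        return -1;                        /* no usable absolute $HOME */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Create the directory with mode 0700 if missing, then accept it only if it
 * is a real directory (not a symlink), owned by `owner`, with no group or
 * other permission bits set. Returns 0 if usable, -1 otherwise. */
int prepare_private_dir(const char *path, uid_t owner)
{
    struct stat st;
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != owner || (st.st_mode & 077))
        return -1;
    return 0;
}
```
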

