Re: cfexecd and chmod($input_dir)

[Mark . Burgess]

On  8 Jun, Luke A. Kanies wrote:
> On Tue, 8 Jun 2004 Mark.Burgess@iu.hio.no wrote:
> 
>>
>> As skaar pointed out, you shouldn't be editing the files in
>> the trusted directory directly anyway. They are intended
>> as a copy of a different location. Just implement your
>> desired policy outside of cfengine's domain. The point of
>> the restrictions is to make cfengine easier to install.
> 
> This little "feature" quite annoys me because it makes it far more 
> difficult to look at my local configuration when I'm debugging things.  I 
> use sudo for everything, and I never ever open up a root shell.  This 
> means that root-owned directories that are 700 really mess me up, 
> especially if it's the parent directory of a larger structure.
> 
> For instance, tab-completion (which I use almost every command in bash) 
> doesn't work any more -- I have to write out the complete filename to view 
> a file.  This is immediately annoying, but gets more annoying as the paths 
> get longer, e.g., /var/cfengine/inputs/packages/openssh.cf.
> 
> I generate quite a few files, and they all go in /var/cfengine/inputs.  I 
> never (well, not never, but not for a long time) edit those files, but I 
> look at them constantly.  Even for files that are copied from a remote 
> system, I find it extremely useful to be able to easily look at them, even 
> if just to verify that the latest file has been downloaded.
> 
> I have yet to work with an organization that _hasn't_ tried to get the 
> inputs directory to be less restrictive than 700, and they've all had to 
> give up.  I agree with skaar and the others that this is a decision that 
> should be completely left up to the admin, not the tool.  I want to be 
> able to define security on my network.
> 
> Luke
> 

Nothing here makes the case for changing the policy. As a developer
it is my responsibility to make the program easy and safe to use
for everyone, not just experts. You can do all this in your CVS
repository area and use update.conf (as intended) to update from
that region. You can use whatever security policy you want there.

This was a conscious simplification in version 2 because version 1
of cfengine was regarded as being too difficult to get started with
and too reliant on what users did to make it "safe and secure".
/var/cfengine is regarded as private workspace for cfengine, not
for user convenience.

Perhaps this could be better explained in the manual.

M

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~