dir perm on /var/cfengine keeps getting reset to 755
From: stucky
Subject: dir perm on /var/cfengine keeps getting reset to 755
Date: Fri, 17 Mar 2006 10:52:09 -0800
I had sent this before but maybe I was a little fast cause my list enrollment confirmation hadn't come in yet.
Now I'm thinking the stuff got lost so I'm sending it again.
Sorry if it shows up twice.
guys
First of all - congrats on a fabulous product !! I love it and embrace it !!
Of course, there are little things here and there I don't quite get yet and here is one of them:
I have a bunch of files: directives to make sure permissions are ok f.e.
YES I have inform set to true cause those perms shouldn't change and I wanna know if they do.
Because of that inform flag I receive an email every hour that the permission of that dir was changed from 755 to 700.
I was amazed first how this can happen till I realized that it's cfagent itself that changes the perm back to 755
during the update.conf phase and immediately back to 700 during the cfagent phase. Question is why ?
1. Permissions are fine:
[root@cfengine stucky]# ls -l /var/
total 160
drwxr-xr-x 2 root root 4096 Jul 8 2005 account
drwxr-xr-x 6 root root 4096 Dec 7 18:58 cache
drwx------ 9 root root 4096 Mar 15 23:39 cfengine
2. I run JUST the update phase of cfagent and the perm get set to 755:
[root@cfengine stucky]# /var/cfengine/bin/cfagent -If /var/cfengine/inputs/update.conf
[root@cfengine stucky]# ls -l /var/
total 160
drwxr-xr-x 2 root root 4096 Jul 8 2005 account
drwxr-xr-x 6 root root 4096 Dec 7 18:58 cache
drwxr-xr-x 9 root root 4096 Mar 15 23:39 cfengine
3. Of course cfagent now has to fix that again:
[root@cfengine stucky]# /var/cfengine/bin/cfagent -I --no-lock --no-splay
cfengine:cfengine: 5 processes matched sshd (should be <=4)
cfengine:cfengine: Object /var/cfengine had permission 755, changed it to 700
cfengine:cfengine: Update of image /etc/profile from master /usr/local/cfengine/masterfiles/configs/generic/profile on x.x.x.x
cfengine:cfengine: Object /etc/profile had permission 600, changed it to 644
cfengine:cfengine: Update of image /etc/hosts from master /usr/local/cfengine/masterfiles/configs/generic/hosts on x.x.x.x
cfengine:cfengine: Object /etc/hosts had permission 600, changed it to 644
As you can see this also happens with a bunch of other files like f.e /etc/hosts. I made sure this file gets copied from
the master with the right permissions:
I have no idea where the 600 permission comes from for /etc/hosts or 755 for /var/cfengine or any of the others. Funny enough,
some perms just stay the way they were set and I can't figure out how they differ from the others.
I don't see anything in update.conf that sets permissions on /var/cfengine or anything.
I tried running /var/cfengine/bin/cfagent -d2 but poking
through the massive output of that I couldn't find anything that sets
the directory permission on /var/cfengine. I can see plenty of permissions on the binaries that need to be copied to the clients.
Also nothing about /etc/hosts in there.
Yet it appears that this update.conf changes a bunch of permissions that cfagent then has to fix again.
I could just turn off the inform flag but this is really bugging me. Is it one of those things where I totally didn't grasp
the concept of cfengine and I'm using it the wrong way ? I wouldn't think so since it has been working very well for me
otherwise and I really appreciate it as a tool. Can anyone give me a hint ?
Thx
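
Added example, not part of the original post and not cfengine code: a small parser for the "Object ... had permission ..., changed it to ..." inform lines quoted above. It reports paths that were corrected from the same mode in more than one run, which is the reset-and-fix pattern the post describes. RUN_2 and the /tmp/example path are constructed sample data.

```python
import re
from collections import Counter

# Inform-line format as quoted in the post; the host prefix is not interpreted.
PERM_LINE = re.compile(
    r"Object (?P<path>\S+) had permission (?P<old>[0-7]{3,4}), "
    r"changed it to (?P<new>[0-7]{3,4})\s*$"
)

# RUN_1: lines taken from the post. RUN_2: constructed for this example.
RUN_1 = """\
cfengine:cfengine: 5 processes matched sshd (should be <=4)
cfengine:cfengine: Object /var/cfengine had permission 755, changed it to 700
cfengine:cfengine: Object /etc/profile had permission 600, changed it to 644
cfengine:cfengine: Object /etc/hosts had permission 600, changed it to 644
"""
RUN_2 = """\
cfengine:cfengine: Object /var/cfengine had permission 755, changed it to 700
cfengine:cfengine: Object /etc/hosts had permission 600, changed it to 644
cfengine:cfengine: Object /tmp/example had permission 666, changed it to 644
"""

def parse_run(text):
    """Return {path: (old_mode, new_mode)} for the output of one cfagent -I run."""
    fixes = {}
    for line in text.splitlines():
        m = PERM_LINE.search(line)
        if m:
            fixes[m.group("path")] = (m.group("old"), m.group("new"))
    return fixes

def find_flapping(runs, min_runs=2):
    """Paths fixed from the same old mode to the same new mode in at least
    min_runs runs, i.e. something keeps putting the old mode back."""
    counts = Counter()
    for text in runs:
        for path, (old, new) in parse_run(text).items():
            counts[(path, old, new)] += 1
    return sorted((p, o, n, c) for (p, o, n), c in counts.items() if c >= min_runs)

if __name__ == "__main__":
    for path, old, new, count in find_flapping([RUN_1, RUN_2]):
        print(f"{path}: reset to {old} and corrected to {new} in {count} runs")
```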