Re: Security of CFINPUTS
From: Mark . Burgess
Subject: Re: Security of CFINPUTS
Date: Tue, 15 May 2001 17:30:14 +0200 (MET DST)

On 15 May, Robert Shaw wrote:
> On Tue, May 15, 2001 at 10:35:58AM +0200, Mark Burgess wrote:
>>
>> I am planning to make a change in cfengine 2 whereby, if CFINPUTS
>> is not set, cfengine will look for input files in /var/cfengine/inputs.
>> (/var/run/cfengine is deprecated, since some OSes clear /var/run
>> on reboot)
>>
>> Since cfengine checks the permissions and ownership of files before
>> accepting (and will additionally authenticate them cryptographically in
>> future), this seems like a reasonable feature, which could simplify
>> setup.
>>
>> Does anyone have any arguments against this?
>
> FYI, we use /etc/cfengine/inputs for our default. Isn't that what cfengine
> uses by default anyway currently?
>
> -Robert

Yes, but I'm thinking of collecting everything into one place.
It's not the name of the directory that's important, but whether
automatically looking for files in a possibly untrusted location
might be dangerous somehow. Cfengine attempts to secure the
area before using anything, but is there something I have not
considered?
M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: address@hidden
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
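
The message above says cfengine checks the permissions and ownership of input files before accepting them. The sketch below is an added example, not cfengine's code and not part of the original message. It goes beyond the file itself and applies the same test to every parent directory, because a file with correct ownership inside a directory that others can write to can still be replaced. The names `open_trusted_input` and `trust_root` and the file `example.conf` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Trusted = owned by root or by `uid`, and not writable by group or other. */
static int owner_mode_ok(const struct stat *st, uid_t uid) {
    if (st->st_uid != 0 && st->st_uid != uid) return 0;
    return (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open `path` read-only if the file and every directory between it and
 * `trust_root` (inclusive) is trusted. Returns an fd, or -1 on refusal.
 * Both arguments must be absolute; use "/" to check the whole chain. */
int open_trusted_input(const char *path, const char *trust_root, uid_t uid) {
    char buf[PATH_MAX];
    struct stat st;
    if (path[0] != '/' || snprintf(buf, sizeof buf, "%s", path) >= (int)sizeof buf)
        return -1;
    /* O_NOFOLLOW refuses a symlink as final component; fstat() checks the opened object. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || !owner_mode_ok(&st, uid))
        goto refuse;
    for (;;) {
        char *slash = strrchr(buf, '/');
        if (slash == buf) slash[1] = '\0'; else *slash = '\0'; /* parent dir */
        /* lstat(): a symlinked directory is refused rather than followed. */
        if (lstat(buf, &st) != 0 || !S_ISDIR(st.st_mode) || !owner_mode_ok(&st, uid))
            goto refuse;
        if (strcmp(buf, trust_root) == 0) return fd;   /* whole chain trusted */
        if (strcmp(buf, "/") == 0) goto refuse;        /* path not under trust_root */
    }
refuse:
    close(fd);
    return -1;
}

int main(int argc, char **argv) {
    /* example.conf is a hypothetical file in the directory named in the message. */
    const char *p = argc > 1 ? argv[1] : "/var/cfengine/inputs/example.conf";
    int fd = open_trusted_input(p, "/", getuid());
    printf("%s: %s\n", p, fd >= 0 ? "accepted" : "refused");
    return fd >= 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```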