What permissions should these folders have?

Michael Altfield

Jun 8, 2012, 8:43:50 PM
to puppet...@googlegroups.com
Hi,

Is there an official Puppet stance on what the permissions of these files/directories should be on the Puppet Master? I'm looking for the minimum necessary permissions (i.e., the most secure):

  1. /etc/puppet/manifests
  2. /usr/share/puppet
  3. /usr/lib/ruby/gems/1.8/specifications/*.gemspec
  4. /usr/lib/ruby/gems/1.8/gems/passenger-X.Y.Z

In order to get my puppet master (v2.7.14) to run under apache (v2.2.15) using passenger (v3.0.12) on CentOS (v6.2), I had to do the following:

chown puppet /etc/puppet/manifests
chmod -R 755 /usr/share/puppet
chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec
chown -R puppet /usr/lib/ruby/gems/1.8/gems/passenger-3.0.12

Do any of the above changes yield a security risk I should be aware of?

Thanks in advance :)

jcbollinger

Jun 11, 2012, 9:20:05 AM
to Puppet Users


On Jun 8, 7:43 pm, Michael Altfield
<michael.altfield.data...@gmail.com> wrote:
> Hi,
>
> Is there an official Puppet stance on what the permissions of these
> files/directories should be on the Puppet Master?


I've never seen one, but maybe the Enterprise group has unpublished
recommendations. It probably depends to some extent on exactly what
software stack you are running. PE may be different than the
open-source edition, passenger may have more needs than webrick, etc.


> I'm looking for the
> minimum necessary permissions (ie: the most secure):
>
>    1. /etc/puppet/manifests


The puppet master process needs to read and traverse those
directories. Nobody needs to write there during normal operations,
but obviously write permission is required to update your manifests.
Supposing, then, that the Puppet master runs as user 'puppet', I'd say
the most secure configuration feasible is for the whole tree to be
owned by user 'puppet', group 0, with permissions 400 for files and
500 for directories. The same for all directories in your module
path.


>    2. /usr/share/puppet
>    3. /usr/lib/ruby/gems/1.8/specifications/*.gemspec
>    4. /usr/lib/ruby/gems/1.8/gems/passenger-X.Y.Z


I'm not sure about the gem directories. I don't use gems, and I don't
even particularly like them. I prefer to stick to just one packaging
system per machine.


> In order to get my puppet master (v2.7.14) to run under apache (v2.2.15)
> using passenger (v3.0.12) on CentOS (v6.2), I had to do the following:
>
> chown puppet /etc/puppet/manifests
> chmod -R 755 /usr/share/puppet
> chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec
> chown -R puppet /usr/lib/ruby/gems/1.8/gems/passenger-3.0.12
>
> Do any of the above changes yield a security risk I should be aware of?


Your puppetmaster is unlikely to require any of those directories to
allow any "world" access permissions. If you know which users need
access (and you should), then at worst you should be able to grant the
access they need via "group" permissions, even if you have to create a
supplementary group for that purpose (i.e. 750). Granting *any*
unneeded access increases your security risk to some degree.

Also, you should not grant execute permission to non-executable
regular files, which is most, perhaps all of the contents of the
directories you listed. Therefore, I would follow up the above with,
for example,

find /usr/share/puppet -not -type d -exec chmod ugo-x {} \;

Similar for the passenger directory, though there may be one or two
files in there that need to be executable.


John
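
An added example, not part of the thread and not Puppet's own tooling: POSIX shell functions that audit a tree for the two problems John names above (any "world" permission bit, and execute bits on regular files) and apply the 400/500 layout he suggests for /etc/puppet/manifests. The function names are hypothetical, and ownership (user 'puppet', group 0) is assumed to be set separately with chown as root.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the thread.
# Ownership (puppet, group 0) must be set separately with chown as root.

# Print "world-access <path>" for every entry with any "other" bit set.
# Symlinks are skipped because their own mode bits are not meaningful.
audit_world() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec printf 'world-access %s\n' {} \;
}

# Print "exec-file <path>" for every regular file with any execute bit.
# Review each hit: a few files (e.g. in the passenger tree) may need it.
audit_exec() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec printf 'exec-file %s\n' {} \;
}

# Total number of findings of both kinds for the tree.
audit_count() {
    { audit_world "$1"; audit_exec "$1"; } | wc -l | tr -d ' '
}

# Apply the read-only layout: regular files 400, directories 500.
# Files go first so the directories are still writable while we work.
lock_down() {
    find "$1" -type f -exec chmod 400 {} +
    find "$1" -type d -exec chmod 500 {} +
}
```

Run `audit_world` and `audit_exec` on a tree before `lock_down` to see what will change; to update manifests later, restore owner write permission first (for example `chmod -R u+w`).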



Michael Altfield

Jun 26, 2012, 10:22:25 PM
to puppet...@googlegroups.com
Thanks John,

Do you have any recommendations on /var/lib/puppet?


Cheers,
Michael

jcbollinger

Jun 27, 2012, 10:50:32 AM
to puppet...@googlegroups.com


On Tuesday, June 26, 2012 9:22:25 PM UTC-5, Michael Altfield wrote:

> Do you have any recommendations on /var/lib/puppet?


The functional requirements for this directory on the master are similar to the requirements for /etc/puppet/manifests, but the master may need to write here.  On clients, the agent needs to write there, but it normally runs with root privilege.  Probably puppet:root, 700 / 600 is the best you can do with ownership and standard file permissions for this directory on the master. 


John
