Re: [Puppet Users] New to Puppet -- why the puppet user


Jerald Sheets

Nov 26, 2012, 5:41:52 PM
to puppet...@googlegroups.com
Because standard systems administration practice is to rarely if ever run anything at all as root.  This practice, generally speaking, will not pass ITIL, SOX, HIPAA, or PCI compliance auditing, and if something like Puppet (which has complete run of your system) ran as root, you could easily demolish not only one but thousands of machines with a single keystroke...  well, Root is just a bad idea, then....



A good best practices document on system security and elevated permissions:


An access control article:


Another article on best practices (#1 addresses the root user)




I could go on.  I just know that if the Root user could login remotely (or directly) to anything but the console on any of my corporate hosts, I'd fail audit on just about any government-compliance required site.



--jms


On Nov 26, 2012, at 5:17 PM, george <glwra...@gmail.com> wrote:

> I'm looking at Puppet as a configuration manager solution, and I was wondering....
> Why is there a puppet user and group?
> I realize the obvious answer is that Puppet won't run w/o it, but I don't understand
> why it just wasn't set up with root access.
>
> thanks in advance,
> george

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/WtXL0ugYO0YJ.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Steven VanDevender

Nov 26, 2012, 6:41:55 PM
to puppet...@googlegroups.com
Jerald Sheets writes:
> Because standard systems administration practice is to rarely if ever
> run anything at all as root. This practice, generally speaking, will
> not pass ITIL, SOX, HIPAA, or PCI compliance auditing, and if
> something like Puppet (which has complete run of your system) ran as
> root, you could easily demolish not only one but thousands of
> machines with a single keystroke... well, Root is just a bad idea,
> then....

One gathers you're not really a practicing sysadmin. What you cite are
a bunch of good reasons one should avoid running daemons and
applications as root. But you can't create and manage the mechanisms
that are used to avoid running things as root without root access. A
sysadmin avoids doing things as root that aren't necessary, but is
otherwise obligated to use root access (carefully) on a constant basis.

Puppet runs as root because it should be used to do a lot of the things
that have to be done as root.

Proper standards for security should say that root access should be
carefully regulated and monitored, not that it must never be allowed for
remote access. If used well Puppet should actually improve your
security because it can enforce site-wide standards automatically and
provide better auditing of changes than haphazard manual practices.

Aaron Grewell

Nov 26, 2012, 6:45:18 PM
to puppet-users
To answer OP's question, the Puppet Master runs as user/group puppet.  The agent runs as root.



Steven VanDevender

Nov 26, 2012, 6:54:25 PM
to puppet...@googlegroups.com
Aaron Grewell writes:
> To answer OP's question, the Puppet Master runs as user/group puppet. The
> agent runs as root.

Which is, of course, entirely desirable. puppetmaster needs access only
to a limited set of files, which it needs only to serve to agents, and
hence is best run in a dedicated user/group. The agents, however, need
root access to do their jobs.

Unfortunately I failed to notice that was a top-posted reply. Sorry.

Tim Mooney

Nov 26, 2012, 7:02:11 PM
to puppet...@googlegroups.com
In regard to: Re: [Puppet Users] New to Puppet -- why the puppet user,...:

> Because standard systems administration practice is to rarely if ever
> run anything at all as root.

When it doesn't require root, that's absolutely true. This relates to
the principle of least privilege.

However, the puppet agent that runs on each puppet client requires the
ability to make modifications to nearly everything about the client
system, all in an effort to enforce the state that the puppet server
has indicated that the client should be in.

I suppose you could do that using something like "sudo" or Solaris
RBAC, but you would end up granting so much access to the puppet agent
that you would essentially be running it as root anyway. There's
very little point going through that exercise for an agent that requires
unfettered access to the client system.

To answer the original question: there's a puppet user and group for
the very few things that do *not* require root: specifically, the puppet
master and components like Dashboard. They are, essentially, web
applications, and don't require any special privileges, so the PuppetLabs
folks wisely made them run as a non-privileged user (& group).

Note that if your puppet master is a client of itself (or some other
puppet master) then the puppet agent running there still needs to be
run as root. The agent enforces the state, which requires administrative
access. The master calculates the state, which doesn't.

Tim
--
Tim Mooney Tim.M...@ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, IACC Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
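
The split described in the replies above (master as the unprivileged `puppet` user, agent as root) can be checked on a host from its process table. This is an added example, not part of any post in the thread; it assumes the processes appear as `puppet master` and `puppet agent` on the command line, and the sample process list is constructed.

```shell
#!/bin/sh
# Added example: audit which account Puppet processes run as.
# Input: one process per line as "user pid command-line".
# Assumption: the master shows up as "puppet master" and the agent as
# "puppet agent"; adjust the patterns for other launchers.

audit_puppet_users() {
    awk '
    {
        user = $1; pid = $2
        # Rebuild the command line from field 3 onward.
        cmd = ""
        for (i = 3; i <= NF; i++) cmd = cmd (i > 3 ? " " : "") $i

        if (cmd ~ /puppet master/) {
            # The master calculates state: it should not be root.
            if (user == "root")
                printf "FAIL pid=%s master running as root\n", pid
            else
                printf "OK   pid=%s master running as %s\n", pid, user
        } else if (cmd ~ /puppet agent/) {
            # The agent enforces state on the host: root is expected.
            if (user == "root")
                printf "OK   pid=%s agent running as root\n", pid
            else
                printf "WARN pid=%s agent running as %s (not root)\n", pid, user
        }
    }'
}

# Constructed sample input (not captured from a real host).
sample_ps() {
    cat <<'EOF'
puppet    2101 /usr/bin/ruby /usr/bin/puppet master
root      2250 /usr/bin/ruby /usr/bin/puppet agent
root      3007 /usr/bin/ruby /usr/bin/puppet master --no-daemonize
www-data  3100 /usr/sbin/apache2 -k start
EOF
}

sample_ps | audit_puppet_users
# On a live host: ps -e -o user= -o pid= -o args= | audit_puppet_users
```

The third sample line is the case worth alerting on: a master process that never dropped to the `puppet` account.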

Thomas Bendler

Nov 27, 2012, 10:05:33 AM
to puppet...@googlegroups.com
2012/11/27 Steven VanDevender <ste...@uoregon.edu>
> [...]
> One gathers you're not really a practicing sysadmin. What you cite are
> a bunch of good reasons one should avoid running daemons and
> applications as root. But you can't create and manage the mechanisms
> that are used to avoid running things as root without root access.
> [...]

The question is more what actions are done by the daemon. Compiling the catalog, transferring files from a file server, sending reports to a central instance, and a lot more are not necessarily things where the daemon needs root privileges; installing packages or replacing configuration files is a different thing. But under normal circumstances it is better to only be root if it is really necessary. So start as a user and gain more privileges only where needed.

Regards, Thomas
--
Linux ... enjoy the ride!

george

Nov 30, 2012, 6:53:20 PM
to puppet...@googlegroups.com
All answers helped a lot.
Thanks,
George