MCollective and non-root execution
18 views
Skip to first unread message
Geoffrey Gardella
Jun 21, 2016, 4:06:27 PM6/21/16
to Puppet Developers
Hi All,
working on our port of MCollective into Solaris. I wanted to confirm that we rely on the permissions of server.cfg and client.cfg being 600 to keep non-root users from executing commands with MCollective. That is, if those files are say, 644, then any user on the system can run any MCollective command. Are other (role-based restrictions) there in the Linux world. Trying to find docs, but coming up empty.
Thanks,
Geoffrey
working on our port of MCollective into Solaris. I wanted to confirm that we rely on the permissions of server.cfg and client.cfg being 600 to keep non-root users from executing commands with MCollective. That is, if those files are say, 644, then any user on the system can run any MCollective command. Are other (role-based restrictions) there in the Linux world. Trying to find docs, but coming up empty.
Thanks,
Geoffrey
Shawn Ferry
Jun 21, 2016, 4:20:42 PM6/21/16
to puppe...@googlegroups.com
Did you see the recent spate of mcollective bugs that were just filed?
On of them does talk a about file perms iirc
Shawn
--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/6286c707-c1cb-4741-a49b-5e5b2b6400d9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Shawn Ferry
Jun 21, 2016, 4:22:49 PM6/21/16
to puppe...@googlegroups.com
And for everyone who is wondering what bugs; I'm unintentionally cross posting so that's really just for Geoffery
Michael Smith
Jun 21, 2016, 5:25:57 PM6/21/16
to puppe...@googlegroups.com
There is a section of PE docs that talks about MCollective security as setup by PE (https://docs.puppet.com/pe/latest/orchestration_overview.html#security), as well as points to security notes in the OSS MCollective docs.
In short, having the contents of the config files is sufficient to connect to ActiveMQ, but when using the SSL-based security module requests should only be honored by the end-points (MCollective servers) when they also have certificates for the sender in a configured location.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/2CB40F73-2E41-49E5-8C60-6941AD35B3F4%40oracle.com.
Geoffrey Gardella
Jun 21, 2016, 5:42:41 PM6/21/16
to puppe...@googlegroups.com
Thanks Michael!
I understand the inter-node security. I'm trying to answer our internal security folks about how execution of mco commands is restricted on a (authorized) node to root or authorized users. It appeared to me that this was accomplished by having the config files be 600.--
You received this message because you are subscribed to a topic in the Google Groups "Puppet Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/puppet-dev/7Jrr0fG8wWY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to puppet-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/CABy1mMK%3D8ySB_HFsoVbXykgyymm4KkqjoPuQ4Qv%3DpBe9HyxkJw%40mail.gmail.com.
Michael Smith
Jun 21, 2016, 5:57:35 PM6/21/16
to puppe...@googlegroups.com
Also by ensuring the client private key has similar permissions. plugin.ssl_client_private in client.cfg if 'securityprovider = ssl' is set. Possibly also plugin.activemq.pool.1.ssl.key.
The other certificates should not be writable by non-authorized users as well.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/CAPA9Ot8iX2Uz4MyhB-rKFKeRQXbQ7KCAz3fcOD8y%2BsTSTy192g%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages