the limits of machine intelligence


Aleksey Tsalolikhin

May 10, 2018, 2:40:44 PM
to help-cfengine
Hi,

I have a simple promise to ensure that there is no setuid bit on Centrify Kerberized su binary (per security advisory from Centrify):

---8<-----------------------------------------------------------
# cat /tmp/test.cf
bundle agent main {
  files:
      "/usr/share/centrifydc/kerberos/bin/ksu"
        perms => m("u-s");
}

body perms m(mode)
{
      mode   => "$(mode)";
}
---8<-----------------------------------------------------------

This works fine except on a few hosts that don't have Centrify installed:

# cf-agent -f /tmp/test.cf  -K
   error: Failed to chdir into '/usr/share/centrifydc/kerberos/bin'. (chdir: 'No such file or directory')

While I can change the promise to:

  files:
      "/usr/share/centrifydc/kerberos/bin/ksu"
        if => fileexists("/usr/share/centrifydc/kerberos/bin/ksu"),
        perms => m("u-s");

I want to comment that it seems to me that if the file doesn't exist, the promise that the file is not setuid root is KEPT, and I should get a thumbs-up and a smiley face, instead of an error message.  ;)

I suppose it's expecting too much of a C program to have that kind of insight.

Mechanisms, mechanisms...   I'm glad I'm still needed.  =)

Aleksey

-- 
Achieve real learning.  Email trai...@verticalsysadmin.com.

Nick Anderson

May 10, 2018, 3:21:35 PM
to help-cfengine
Yeah, I have wanted some kind of files type outcome expression kind of like file select and kept_returncodes combined to express how I want to interpret an outcome.
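A fuller version of the guarded promise, as an added example that is not Aleksey's or CFEngine's own code: it keeps the fileexists() guard and attaches a classes body so the run reports the absent-file case explicitly as kept, which is close to the outcome interpretation Nick describes wanting. The class and body names (ksu_present, ksu_perms, outcome) are assumptions; the path and the m() body are from the thread.

```cfengine
bundle agent main
{
  vars:
      "ksu" string => "/usr/share/centrifydc/kerberos/bin/ksu";

  classes:
      # Only try to touch the file when it is actually there.
      "ksu_present" expression => fileexists("$(ksu)");

  files:
    ksu_present::
      "$(ksu)"
        perms   => m("u-s"),
        classes => outcome("ksu_perms");

  reports:
    ksu_perms_kept::
      "$(ksu) was already not setuid (kept)";
    ksu_perms_repaired::
      "removed setuid bit from $(ksu) (repaired)";
    ksu_perms_failed::
      "could not remove setuid bit from $(ksu) (failed)";
    !ksu_present::
      # No file means no setuid binary: treat as kept, not as an error.
      "$(ksu) is absent, nothing to remove (kept)";
}

body perms m(mode)
{
      mode => "$(mode)";
}

# Self-contained stand-in for the stdlib results() body: raise a
# prefixed class for each possible outcome of the files promise.
body classes outcome(prefix)
{
      promise_kept     => { "$(prefix)_kept" };
      promise_repaired => { "$(prefix)_repaired" };
      repair_failed    => { "$(prefix)_failed" };
      scope => "bundle";
}
```

Run it the same way as the original, cf-agent -f /tmp/test.cf -K, and hosts without Centrify print the absent-file report instead of the chdir error.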
