So I was asked a bit about implications of distributing something
sensitive through puppet. After a client talks to the puppet server
(giving its local facts) and retrieves its catalog is the client allowed
to fetch resources that may not be defined in its catalog?
For example if someone is crafty and has compromised a client can they
retrieve a file from the file server that was not in their catalog? Or
can this only be handled by the file server IP acls
(if you really call that secure)?
It seems like auth.conf (http://docs.puppetlabs.com/guides/security.html
and the default auth.conf file) would be what I am looking for however
the only way I can think of tailoring this would be to only allow a node
that is in a specific class to have access to a certain set of resources.
Thanks,
derek
--
---
Derek T. Yarnell
University of Maryland
Institute for Advanced Computer Studies
> So I was asked a bit about implications of distributing something
> sensitive through puppet. After a client talks to the puppet server
> (giving its local facts) and retrieves its catalog is the client allowed
> to fetch resources that may not be defined in its catalog?
>
> For example if someone is crafty and has compromised a client can they
> retrieve a file from the file server that was not in their catalog? Or
> can this only be handled by the file server IP acls
> (if you really call that secure)?
Just to confirm that. Any client with a valid certificate can get any file in any "files" directory unless you make changes. Templates are different because the templates are put into the catalog, so a client can only use templates you use in the catalog.
Ok so is the only way to secure the files via IP/hostname or am I
missing something in the auth.conf?
I think you can use wildcards in your hostnames which might help.
I know of two other indirect ways to secure files.
1) Use "source" and the file() function to embed the files in the catalog instead of putting them in a "files" folder. Templates do the same thing.
2) Tinker with /etc/puppet/fileserver.conf to add private mounts like this:
Add this to fileserver.conf:

    [private]
    path /etc/puppet/private/%d/%h
    allow *

Now, when a client with a certificate name of server.example.com asks for puppet:///private/ it will get /etc/puppet/private/example.com/server/
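
Added example (not part of the original thread, and not Puppet's own code): a small Ruby model of the %d/%h substitution described above, usable to check which directory each certname would be served from before sensitive files are placed there. The function names, the sample certnames and the %h-only template are constructed for illustration; %H (the full certname) is the third token fileserver.conf accepts.

```ruby
# Models the mount-path substitution from fileserver.conf:
#   %H = full certname, %h = part before the first dot, %d = part after it
def expand_mount(template, certname)
  host, domain = certname.split('.', 2)
  template.gsub(/%[Hhd]/) do |token|
    case token
    when '%H' then certname
    when '%h' then host
    when '%d' then domain.to_s # empty when the certname has no dot
    end
  end
end

# Maps every certname to its directory and reports two problems:
#   :shared    - several certnames resolve to one directory, so each of
#                those nodes can fetch the others' "private" files
#   :no_domain - certname has no dot, so %d expands to an empty string
def audit_private_mount(template, certnames)
  by_dir = Hash.new { |hash, key| hash[key] = [] }
  certnames.each { |cn| by_dir[expand_mount(template, cn)] << cn }
  findings = []
  by_dir.each do |dir, names|
    findings << [:shared, dir, names] if names.size > 1
    names.each { |cn| findings << [:no_domain, dir, [cn]] unless cn.include?('.') }
  end
  { dirs: by_dir, findings: findings }
end

# Constructed sample inventory of certnames (not from the thread).
CERTNAMES = %w[server.example.com web.example.com web.example.org localhost].freeze

# The template from the post, then a constructed weaker one using only %h.
['/etc/puppet/private/%d/%h', '/etc/puppet/private/%h'].each do |template|
  result = audit_private_mount(template, CERTNAMES)
  puts "template: #{template}"
  result[:dirs].each { |dir, names| puts "  #{dir} <- #{names.join(', ')}" }
  result[:findings].each { |kind, dir, names| puts "  #{kind}: #{dir} (#{names.join(', ')})" }
end
```

With the template from the post each sample node gets its own directory; with the %h-only template web.example.com and web.example.org share one.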