Security of Puppet ACLs..


Matt Wise

May 11, 2011, 12:59:04 PM
to puppet...@googlegroups.com
Just a quick question about the Puppet ACL system. If "hostA" gets a catalog that says "download puppet:///passwd", I assume that hostA can always receive puppet:///passwd. However, what about hostB? Can hostB make an arbitrary call to the puppet master requesting "puppet:///passwd" even if it's not a defined resource for that host?

—Matt

Patrick

May 12, 2011, 3:44:35 AM
to puppet...@googlegroups.com

On May 11, 2011, at 9:59 AM, Matt Wise wrote:

> Can hostB make an arbitrary call to the puppet master requesting "puppet:///passwd" even if it's not a defined resource for that host?

Simply: Yes

Ways to stop this:
1) Include the file in "source" instead, which embeds the file in the catalog.
2) Use ACLs per module to stop that.
3) Use a custom mount point, and either define its permissions, or else use some path munging so only the correct clients can get the file.


Overall, "1" is almost always the easiest.

Felix Frank

May 12, 2011, 4:11:18 AM
to puppet...@googlegroups.com
On 05/12/2011 09:44 AM, Patrick wrote:
>
> On May 11, 2011, at 9:59 AM, Matt Wise wrote:
>
>> Can hostB make an arbitrary call to the puppet master requesting
>> "puppet:///passwd" even if it's not a defined resource for that host?
>
> Simply: Yes
>
> Ways to stop this:
> 1) Include the file in "source" instead which embeds the file in the
> catalog.

What you meant to write was "content instead of source".

> 2) Use ACLs per module to stop that
> 3) Use a custom mount point, and either define its permissions, or else
> use some path munging so only the correct clients can get the file.
>
>
> Over all, "1" is almost always the easiest.

Yes, but it can bloat the catalog depending on the workload.

I've found (2) to be very effective. Puppet generates my auth.conf
including ACLs.

Cheers,
Felix
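The following manifest is an added example for this thread, not code posted by any participant. It puts Patrick's options 1 and 3 and Felix's "Puppet generates my ACLs" approach into one place: the master's own fileserver.conf is managed as a Puppet resource (fileserver.conf rather than auth.conf, since that is where per-mount allow lists and per-node path expansion live in the 2.x file server), the sensitive file is shipped either via `content` (no file-server request at all) or via a mount whose path resolves to the requesting node's certname. Assumptions, none of which come from the thread: a Puppet 2.6/2.7 master with confdir `/etc/puppet`, nodes with certnames under `example.com`, a master-side directory `/etc/puppet/private/<certname>/` holding each node's copy of the file, and the class names `puppetmaster::fileserver`, `passwd::embedded` and `passwd::per_node_mount`.

```puppet
# Added example (not from the thread). Assumes Puppet 2.6/2.7, confdir
# /etc/puppet, node certnames under example.com, and a master-side tree
# /etc/puppet/private/<certname>/passwd. Class names are hypothetical.

# Master side: manage fileserver.conf with Puppet so the per-mount ACL is
# version-controlled alongside the manifests. The file server expands '%H'
# to the requesting node's certname, so hostB asking for
# puppet:///private/passwd is served /etc/puppet/private/hostB.example.com/passwd
# and can never reach hostA's copy. 'allow' limits which nodes may use the
# mount at all; nodes matching no allow entry are denied by default.
class puppetmaster::fileserver {
  file { '/etc/puppet/fileserver.conf':
    ensure  => file,
    owner   => 'puppet',
    group   => 'puppet',
    mode    => '0640',
    content => "# Managed by Puppet
[private]
  path  /etc/puppet/private/%H
  allow *.example.com
",
  }
}

# Node side, option 1 from the thread: embed the bytes in the catalog.
# file() reads the path on the master at compile time, so nothing sits on
# a shared mount for another node to request. Cost: the content is carried
# in every compiled catalog and in the agent's on-disk catalog cache,
# which is the bloat caveat raised above.
class passwd::embedded {
  file { '/etc/passwd':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => file('/etc/puppet/private/passwd'),
  }
}

# Node side, option 3: every node uses the same URL, but the 'private'
# mount above resolves per node on the master, so knowing the URL does not
# let one node fetch another node's file.
class passwd::per_node_mount {
  file { '/etc/passwd':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///private/passwd',
  }
}

# For contrast, the weak pattern the question describes is a mount such as
#   [files]
#     path  /etc/puppet/files
#     allow *
# with 'source => puppet:///files/passwd': any authenticated node can
# request that URL whether or not its catalog references it.
```

The `%H` mount is the "path munging" Patrick mentions and is preferable to an `allow` list alone: an allow list only decides which nodes may use the mount, while per-node paths also decide which file each of them gets. With the `content` variant the only thing protecting the bytes is catalog retrieval itself, so the master's auth.conf must still restrict `/catalog/<certname>` to that certname, which is what the stock auth.conf shipped with 2.x does.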

Larry Ludwig

May 12, 2011, 9:15:26 PM
to puppet...@googlegroups.com
4) Reference the file via the facter 'uniqueid'.


Matt Wise

May 12, 2011, 10:07:24 PM
to puppet...@googlegroups.com
That's an interesting one on a few points. How is the uniqueid generated?

On May 12, 2011, at 6:15 PM, Larry Ludwig wrote:

> 4)
>
> reference the file via the facter 'uniqueid'

Larry Ludwig

May 13, 2011, 4:40:33 PM
to puppet...@googlegroups.com
It's from the hostid command. How exactly it is generated I really don't know; their info page is a bit vague.

------
   For example, here's what it prints on one system I use:

     $ hostid
     1bac013d

   On that system, the 32-bit quantity happens to be closely related to
the system's Internet address, but that isn't always the case.

   An exit status of zero indicates success, and a nonzero value
indicates failure.

-----

You could always generate your own MD5 number from your own specifications for a custom facter variable. It won't be easy for you to reference the files, though. Security via obscurity isn't the best way, but it's better than what's in place now. Puppet assumes all hosts are 'friendly'.