Forum: Cfengine Help
Subject: Re: Cfengine Help: Re: Running cf-serverd as non-root
Author: eystein
Link to topic: https://cfengine.com/forum/read.php?3,21152,21156#msg-21156

Perhaps I was a bit unclear, but there is nothing that limits you from running any component as the user you wish. Cfengine does not require root in any way by design. It's just that if you have multiple (possibly non-persistent) processes and expect them to share information, they must do this through files.

Non-root processes cannot read or write to all info in /var/cfengine and /var/cfengine/state by default. So you can create a group with these permissions and put the cf-serverd user in that group. So now you have a cf-serverd that can write to /var/cfengine, which is read by the agent, execd, etc., which you probably want to run as root. When you also consider the fact that about 80% of the code is shared between the components, I just don't see the big security gain.

I don't think there is much that can be done about these issues from a development standpoint, but please let us know if you have concrete suggestions...
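
An added example, not part of the original post and not CFEngine code: a shell function for checking the shared-group setup described above before starting cf-serverd as a non-root user. The function name `audit_workdir`, the output labels, and the numeric group ID passed in are assumptions, and the world-writable check goes slightly beyond what the post describes.

```shell
#!/bin/sh
# audit_workdir DIR GID
# Lists every path under DIR that a member of group GID could not use,
# plus paths writable by everyone (which would let any local user feed
# data to the components that still run as root).
# DIR would be the work directory named in the post (/var/cfengine);
# GID is the numeric ID of the hypothetical shared group.
audit_workdir() {
    dir=$1
    gid=$2

    # 1. Paths not owned by the shared group at all.
    find "$dir" ! -group "$gid" -print | sed 's/^/WRONG_GROUP /'

    # 2. Paths owned by the group but missing group access:
    #    directories need rwx (070), regular files need rw (060).
    find "$dir" -group "$gid" \
        \( -type d ! -perm -070 -o -type f ! -perm -060 \) -print |
        sed 's/^/NO_GROUP_ACCESS /'

    # 3. Paths writable by "other": access wider than the shared group.
    find "$dir" \( -type d -o -type f \) -perm -002 -print |
        sed 's/^/WORLD_WRITABLE /'
}

# Stand-alone use: sh audit.sh /var/cfengine <gid-of-shared-group>
if [ "$#" -ge 2 ]; then
    audit_workdir "$1" "$2"
fi
```

An empty result means the group member can read and write everything in the tree and nothing is open beyond the group.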