Forum: Cfengine Help
Subject: Re: Cfengine Help: Re: Running cf-serverd as non-root
Author: berntjernberg
Link to topic: https://cfengine.com/forum/read.php?3,21152,21164#msg-21164
Hi,

Thanks for the response, I think this is an important discussion.

> Having said that, let's consider least privilege for a minute. If your
> cfengine hosts are locked down in accordance with best practices, they
> will not be hosting other services (and likely in a DMZ).

True, always secure the OS as much as you possibly can. The only port that will be available to the unix server network is 5308.

> If someone compromises cfservd, they will be able to push out rogue policy
> files -- regardless of cfservd's user. If it is "root" or "cfengine" won't
> matter much if clients can still be controlled.

Maybe I was unclear how I have set it up. When I say masterfiles I mean the contents of the input directory as well as extra packages, other files etc. that the agent installs. My master files (on the policy host) are in /opt/cfengine_repository. This structure is owned by root:cfengine. The group has only read access to all files. Running cf-serverd as the user cfengine will not allow an intruder to update that file structure as long as you don't have any unpatched security issues in the operating system or haven't followed best practice securing the host. The cf-serverd user will not have access to /var/cfengine.

In my scenario a client server (not the central policy host) was hacked and from there an attacker tries to upload stuff to the policy server. I will not run cf-serverd on all hosts, just the policy server, and firewalls will only allow incoming connections to 5308 on the policy host.

The /opt/cfengine/bin/cf-serverd will be owned by root:cfengine, 0750. ~cfengine/.cfagent/inputs is a link to /opt/cfengine/inputs, perms root:cfengine 0750. All *.cf files in /opt/cfengine/inputs have root:cfengine 0640. Even better, change the ~/.cfagent in the C code to something else so that the cf-serverd user won't be able to remove/recreate things here.

> The cfengine user is effectively root on a cfservd host, much like "nobody"
> became root back.

I agree that there are a lot of ifs and buts, but I think my solution is more secure. Not a lot more, slightly, and it complies with our security baseline. Once you know how to set it up it's easy to maintain. It would be nice to be able to change the ~/.cfagent directory with a compile-time option.

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
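An added audit script (not from the post or the CFEngine project) that checks the ownership and mode layout the post describes for a non-root cf-serverd policy host: the cf-serverd binary and the inputs directory at owner:group 0750, every *.cf file at 0640, and nothing under the repository group- or world-writable. It assumes GNU `stat` and takes the root path and the expected owner/group as parameters so it can be run against a test tree as well as the real /opt/cfengine.

```shell
#!/bin/sh
# Audit helper for the layout in the post: /opt/cfengine/bin/cf-serverd root:cfengine 0750,
# /opt/cfengine/inputs root:cfengine 0750, /opt/cfengine/inputs/*.cf root:cfengine 0640.
# Assumes GNU stat (%U:%G:%a). Added example, not part of the original post.

# check_perm PATH OWNER GROUP MODE: print a verdict, return 0 on match, 1 otherwise.
check_perm() {
    path=$1; want="$2:$3:$4"
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    actual=$(stat -c '%U:%G:%a' "$path") || return 1
    if [ "$actual" = "$want" ]; then
        echo "OK      $path ($actual)"
        return 0
    fi
    echo "BAD     $path: have $actual, want $want"
    return 1
}

# audit_policy_host ROOT OWNER GROUP: check the post's layout under ROOT
# (e.g. /opt/cfengine root cfengine). Returns the number of mismatches.
audit_policy_host() {
    root=$1; owner=$2; group=$3; failures=0
    check_perm "$root/bin/cf-serverd" "$owner" "$group" 750 || failures=$((failures + 1))
    check_perm "$root/inputs" "$owner" "$group" 750 || failures=$((failures + 1))
    for f in "$root"/inputs/*.cf; do
        [ -e "$f" ] || continue
        check_perm "$f" "$owner" "$group" 640 || failures=$((failures + 1))
    done
    return $failures
}

# find_group_or_world_writable DIR: list anything the cfengine group (or anyone)
# could modify; the post wants the repository readable-only for the group.
find_group_or_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}
```

Run it as `audit_policy_host /opt/cfengine root cfengine; echo "mismatches: $?"` on the policy host, and `find_group_or_world_writable /opt/cfengine_repository` should print nothing.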