Forum: Cfengine Help
Subject: Re: Non-root and workdir again.... :-)
Author: berntjernberg
Link to topic: https://cfengine.com/forum/read.php?3,21249,21251#msg-21251

Hi,

This is how I will do it with the ~/.cfagent design still there. If this is
doable with a root:cfengine:750 permission on /var/cfengine, all sub directories
owned by root and zfs-acls added to subdirs where cfengine only can add files,
not directories, to sub directories and is unable to remove subdirs. This can be
tricky in some *nix flavors. All this can be managed by cf-agent running as
root. On my policy server cf-agent copies /var/cfengine/inputs to
/opt/cfengine/inputs with root:cfengine:640 perms.
  


# ls -ld /opt/cfengine /opt/cfengine/bin /opt/cfengine/bin/* /opt/cfengine/inputs /opt/cfengine/inputs/*
drwxr-x--- 6 root cfengine    4096 Mar 16 12:18 /opt/cfengine
drwxr-x--- 2 root cfengine    4096 Mar 15 18:15 /opt/cfengine/bin
-rwxr-x--- 1 root cfengine 2415121 Mar 15 18:15 /opt/cfengine/bin/cf-agent
-rwxr-x--- 1 root cfengine 2201381 Mar 15 18:15 /opt/cfengine/bin/cf-execd
-rwxr-x--- 1 root cfengine 2135662 Mar 15 18:15 /opt/cfengine/bin/cf-hub
-rwxr-x--- 1 root cfengine 2164176 Mar 15 18:15 /opt/cfengine/bin/cf-key
-rwxr-x--- 1 root cfengine 2256902 Mar 15 18:15 /opt/cfengine/bin/cf-know
-rwxr-x--- 1 root cfengine 2281701 Mar 15 18:15 /opt/cfengine/bin/cf-monitord
-rwxr-x--- 1 root cfengine 2164400 Mar 15 18:15 /opt/cfengine/bin/cf-promises
-rwxr-x--- 1 root cfengine 2219388 Mar 15 18:15 /opt/cfengine/bin/cf-report
-rwxr-x--- 1 root cfengine 2189270 Mar 15 18:15 /opt/cfengine/bin/cf-runagent
-rwxr-x--- 1 root cfengine 2305040 Mar 14 13:54 /opt/cfengine/bin/cf-serverd
-rwxr-x--- 1 root cfengine 2305040 Mar 14 13:54 /opt/cfengine/inputs
-rw-r----- 1 root cfengine 2305040 Mar 14 13:54 /opt/cfengine/inputs/failsafe.cf
-rw-r----- 1 root cfengine 2305040 Mar 14 13:54 /opt/cfengine/inputs/promises.cf
-rw-r----- 1 root cfengine 2305040 Mar 14 13:54 /opt/cfengine/inputs/site.cf
-rw-r----- 1 root cfengine 2305040 Mar 14 13:54 /opt/cfengine/inputs/update.cf
-rw-r----- 1 root cfengine 2305040 Mar 14 13:54 /opt/cfengine/inputs/update.cf

# pwd
/home/cfengine

# ls -ld .
drwxr-x--- 4 root cfengine 4096 Mar 16 12:31 .

# ls -ld .cfagent/
drwxr-x--- 10 root cfengine 4096 Mar 16 12:33 .cfagent/

# ls -l .cfagent
total 104
lrwxrwxrwx 1 root   root      17 Mar 16 12:48 bin -> /opt/cfengine/bin
-rw------- 1 cfengine cfengine  1828 Mar 16 12:29 cf3.phost.runlog
-rw------- 1 cfengine cfengine  8192 Mar 16 12:43 cf_lastseen.db
lrwxrwxrwx 1 root   root      20 Mar 16 12:33 inputs -> /opt/cfengine/inputs
drwxr-xr-x 2 cfengine cfengine  4096 Dec 10 16:53 lastseen
drwx------ 2 cfengine cfengine  4096 Dec 10 16:53 modules
drwx------ 2 cfengine cfengine 20480 Mar 14 14:39 outputs
drwx------ 2 cfengine cfengine  4096 Jan 27 16:36 ppkeys
drwxr-xr-x 2 cfengine cfengine  4096 Dec 10 16:53 reports
drwx------ 2 cfengine cfengine  4096 Dec  7 18:20 software_updates
drwx------ 2 cfengine cfengine  4096 Mar 14 14:47 state

$ /opt/cfengine/bin/cf-serverd
Unable to set owner on /home/cfengine/.cfagent to 5308.5308
 !!! System error for chown: "Operation not permitted"
Unable to set owner on /home/cfengine/.cfagent to 5308.5308
 !!! System error for chown: "Operation not permitted"

$ ps -ef | grep cf-
cfengine    7405     1  0 12:48 ?        00:00:00 /opt/cfengine/bin/cf-serverd



_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
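
The ownership and mode layout shown in the listing above can be checked mechanically. The following is an added example, not part of the original post or of CFEngine itself; the function names audit_ro_tree and check_link are hypothetical, and the paths in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the post). Function names are hypothetical.

# audit_ro_tree DIR OWNER GROUP
# Lists every non-symlink entry under DIR that breaks the layout in the
# listing: owned by OWNER, group GROUP, no group write, nothing for others.
# Returns 0 when clean, 1 on violations, 2 if DIR is missing.
audit_ro_tree() {
    dir=$1 owner=$2 group=$3
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    # Symlinks are skipped because their own mode bits are not enforced.
    bad=$(find "$dir" ! -type l \( \
            ! -user "$owner" -o ! -group "$group" \
            -o -perm -020 \
            -o -perm -004 -o -perm -002 -o -perm -001 \
        \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/VIOLATION: /' >&2
    return 1
}

# check_link LINK TARGET
# Succeeds only if LINK is a symlink whose stored target is exactly TARGET,
# e.g. ~/.cfagent/inputs -> /opt/cfengine/inputs.
check_link() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Usage on the layout from the post, run as root:
#   audit_ro_tree /opt/cfengine root cfengine
#   check_link /home/cfengine/.cfagent/bin /opt/cfengine/bin
#   check_link /home/cfengine/.cfagent/inputs /opt/cfengine/inputs
```
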
