On Mon, Dec 5, 2011 at 2:24 AM, <no-re...@cfengine.com> wrote:

> Forum: CFEngine Help
> Subject: Re: Restricting access to the cfengine3 policy server promise
> files based on cfengine3 client level groups.
> Author: sauer
> Link to topic: https://cfengine.com/forum/read.php?3,24135,24185#msg-24185
>
> neilhwatson Wrote:
> -------------------------------------------------------
> > More often than not it is not worth the trouble of
> > restricting policy downloads of Cfengine clients.
> > The policies are small and usually have no private
> > information.
>
> Anyone managing local account passwords with CFEngine should be
> restricting access to the policies containing those passwords, and only
> distributing the portion of the policy (or the remote scalar) relevant to a
> given machine.  Otherwise, a breach on one machine has potential to become
> a breach on all managed machines.
>
> Unless we're talking about a site where every user is identical on every
> system, I suppose. :)
>
>
>
Hi Neil,

Yes, in my lab, the root on the cfengine3 policy server is mapped as the
root on the cfengine3 clients just to study how host group based
restrictions work. Once I master the host based restrictions, then probably
user based restrictions can be looked into.

But for now I am focusing on host group based restrictions.


Regards,
-- 
Vivek Varghese Cherian (विवेक वर्गीस चेरियान)
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
