Forum: CFEngine Help Subject: Re: cfexecd fails with scripts or commands must have absolute path names Author: bahamat Link to topic: https://cfengine.com/forum/read.php?3,25465,25467#msg-25467
Hello Julian. First of all, welcome to the CfEngine community. Secondly, cfagent is telling you exactly what's wrong: Loaded persistent memory -------------------------------------------- cf:cfengine:tdukwbbuild:/var/cfengine/inputs/cf.main:13: scripts or commands must have absolute path names cf:cfengine:tdukwbbuild:/var/cfengine/inputs/cf.main:13: scripts or commands must have absolute path names cf:cfengine:tdukwbbuild:/var/cfengine/inputs/cf.main:13: scripts or commands must have absolute path names cf:cfengine:tdukwbbuild:/var/cfengine/inputs/cf.main:13: scripts or commands must have absolute path names cf:cfengine:tdukwbbuild:/var/cfengine/inputs/cf.ssh:12: scripts or commands must have absolute path names cf:cfengine:tdukwbbuild:/var/cfengine/inputs/cf.ssh:12: scripts or commands must have absolute path names In cf.main on line 13 and in cf.ssh on line 12 you have a script or command being called without an absolute path. All scripts and commands must have an absolute path name in order to be called for security reasons. I.e., with relative paths you can't be 100% sure in every case that you're calling the program you want to call. For example, does "grep" mean /usr/bin/grep or /usr/gnu/bin/grep? Or is it /usr/xpg4/bin/grep? Are you sure someone hasn't created a malicious script named /bin/ucb/grep? All of which may be in your PATH. Which has one is first? Always use absolute paths. A second error I see is here: cfengine:tdukwbbuild: Warning: varstring "/usr/sbin/svccfg -s rpc/bind setprop config/enable_tcpwrappers=boolean: true" contains the list iterator ':' - you should escape these close to non-separator characters so they don't get lost! (e.g. /bin/echo\: ) cfengine: concerns: true cfengine:tdukwbbuild: Warning: varstring "/usr/sbin/svccfg -s rpc/bind setprop config/local_only=boolean: true" contains the list iterator ':' - you should escape these close to non-separator characters so they don't get lost! (e.g. /bin/echo\: ) cfengine: concerns: true cfengine:tdukwbbuild: Warning: varstring "/usr/sbin/svcadm refresh svc:/network/smtp:sendmail" contains the list iterator ':' - you should escape these close to non-separator characters so they don't get lost! (e.g. /bin/echo\: ) cfengine: concerns: sendmail cfengine:tdukwbbuild: Warning: varstring "/usr/sbin/svcadm refresh svc:/system/system-log:default" contains the list iterator ':' - you should escape these close to non-separator characters so they don't get lost! (e.g. /bin/echo\: ) This may be the reason you're getting the errors above. To correct this you need to format the command like this: "/usr/sbin/svccfg -s rpc/bind setprop config/enable_tcpwrappers=boolean\: true" "/usr/sbin/svccfg -s rpc/bind setprop config/local_only=boolean\: true" "/usr/sbin/svcadm refresh svc\:/network/smtp\:sendmail" "/usr/sbin/svcadm refresh svc\:/system/system-log\:default" Notice that each : is escaped by a \. Lastly, since you said that you're new to cfengine I highly recommend using cfengine3 instead of cfengine2. Since you're just getting started you will be much better off with 3. For more information on why cfengine3 is superior see this article: https://cfengine.com/cftimes/articles/0000000038.html _______________________________________________ Help-cfengine mailing list Help-cfengine@cfengine.org https://cfengine.org/mailman/listinfo/help-cfengine
