On Mon, Nov 8, 2010 at 9:36 AM, Markus Falb <markus.f...@fasel.at> wrote:
> On 08.11.10 17:03, R.I.Pienaar wrote:
> >
> > ----- "Markus Falb" <markus.f...@fasel.at> wrote:
> >
> >> Hi,
> >>
> >> I try to serve a file
> >>
> >> file { "/root/test3.txt":
> >>   ensure => file,
> >>   source => "puppet:///yum/test.txt",
> >> }
> >>
> >> On the puppetmaster this file looks like this
> >>
> >> #$ ls -n test.txt
> >> -rw-r--r-- 1 502 301 4 8 Nov 16:25 test.txt
> >>
> >> Finally, here is my question: What ownership may I expect on the
> >> resulting file?
> >
> > Do not rely on this behavior, specify the owner and mode in your file{}
> > resources.
> >
> > That is the only reliable way.
> >
>
> It seems so, but do we want things this way? I knew that I can specify
> owner explicitly, instead I wanted to question the defaults.
>
> When puppetd runs as root and without defined otherwise files should be
> created with owner root in my opinion. Why should one assume that uids
> on puppetmaster and client are synchronised? Forget to define one
> ownership in your manifests and possibly unrelated users on the client
> can access these files unintentionally.
>
> I think that's a security flaw. I would like to rely on reasonable
> defaults. I think about opening a ticket for this.
>
> I try in other words: A file on puppetmaster belongs to user x with uid
> y and it is created on the client with uid y whatever user this
> translates to. Is this intended?
>

When no owner or group is specified for the file, the default owner and group on the target system seem to default to the same as the owner and group on the puppetmaster, if that user exists on the target system. I.e., all our files under /etc/puppet are owned by the puppet user, and if I don't specify a user/group on a file, they end up being owned by puppet on the target.

Doug
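
A check for the situation discussed in this thread, as an added example that is not part of any poster's message and not Puppet's own tooling: it scans manifest text for file resources that set source but leave owner, group or mode unset. The regex matcher is a simplification (no nested braces or resource arrays), and the sample manifest and the function name audit_manifest are constructed for illustration.

```python
import re

# Constructed sample manifest: the first resource is the one quoted in the
# thread, the second pins owner, group and mode explicitly.
SAMPLE_MANIFEST = '''
file { "/root/test3.txt":
  ensure => file,
  source => "puppet:///yum/test.txt",
}

file { "/etc/motd":
  ensure => file,
  owner  => "root",
  group  => "root",
  mode   => "0644",
  source => "puppet:///yum/motd",
}
'''

REQUIRED = ("owner", "group", "mode")
# Simplified matcher (assumption): file { "title": body } with no nested braces.
RESOURCE_RE = re.compile(
    r'\bfile\s*\{\s*(["\'])(?P<title>.+?)\1\s*:(?P<body>[^{}]*)\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=>', re.M)


def audit_manifest(text):
    """Return {resource title: [missing attributes]} for sourced file resources."""
    findings = {}
    for m in RESOURCE_RE.finditer(text):
        attrs = set(ATTR_RE.findall(m.group("body")))
        if "source" not in attrs:
            continue  # no source file, so no master-side uid/gid to inherit
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            findings[m.group("title")] = missing
    return findings


if __name__ == "__main__":
    for title, missing in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{title}: source given but no explicit {', '.join(missing)}")
```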