Thanks John,

Do you have any recommendations on /var/lib/puppet?


Cheers,
Michael

On Monday, June 11, 2012 9:20:05 AM UTC-4, jcbollinger wrote:
>
> On Jun 8, 7:43 pm, Michael Altfield 
> <michael.altfield.data...@gmail.com> wrote: 
> > Hi, 
> > 
> > Is there an official Puppet stance on what the permissions of these 
> > files/directories should be on the Puppet Master? 
>
> I've never seen one, but maybe the Enterprise group has unpublished 
> recommendations.  It probably depends to some extent on exactly what 
> software stack you are running.  PE may be different than the 
> open-source edition, passenger may have more needs than webrick, etc. 
>
> > I'm looking for the 
> > minimum necessary permissions (i.e. the most secure): 
> > 
> >    1. /etc/puppet/manifests 
>
> The puppet master process needs to read and traverse those 
> directories.  Nobody needs to write there during normal operations, 
> but obviously write permission is required to update your manifests. 
> Supposing, then, that the Puppet master runs as user 'puppet', I'd say 
> the most secure configuration feasible is for the whole tree to be 
> owned by user 'puppet', group 0, with permissions 400 for files and 
> 500 for directories.  The same for all directories in your module 
> path. 
>
> >    2. /usr/share/puppet 
> >    3. /usr/lib/ruby/gems/1.8/specifications/*.gemspec 
> >    4. /usr/lib/ruby/gems/1.8/gems/passenger-X.Y.Z 
>
> I'm not sure about the gem directories.  I don't use gems, and I don't 
> even particularly like them.  I prefer to stick to just one packaging 
> system per machine. 
>
> > In order to get my puppet master (v2.7.14) to run under apache (v2.2.15) 
> > using passenger (v3.0.12) on CentOS (v6.2), I had to do the following: 
> > 
> > chown puppet /etc/puppet/manifests 
> > chmod -R 755 /usr/share/puppet 
> > chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec 
> > chown -R puppet /usr/lib/ruby/gems/1.8/gems/passenger-3.0.12 
> > 
> > Do any of the above changes yield a security risk I should be aware of? 
>
> Your puppetmaster is unlikely to require any of those directories to 
> allow any "world" access permissions.  If you know which users need 
> access (and you should), then at worst you should be able to grant the 
> access they need via "group" permissions, even if you have to create a 
> supplementary group for that purpose (i.e. 750).  Granting *any* 
> unneeded access increases your security risk to some degree. 
>
> Also, you should not grant execute permission to non-executable 
> regular files, which is most, perhaps all of the contents of the 
> directories you listed.  Therefore, I would follow up the above with, 
> for example, 
>
> find /usr/share/puppet -not -type d -exec chmod ugo-x {} \; 
>
> Similar for the passenger directory, though there may be one or two 
> files in there that need to be executable. 
>
> John 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/HIk8RDnFwMQJ.