Aaron Grewell writes:
> To answer OP's question, the Puppet Master runs as user/group puppet. The
> agent runs as root.

Which is, of course, entirely desirable. puppetmaster needs access only to a limited set of files, which it needs only to serve to agents, and hence is best run in a dedicated user/group. The agents, however, need root access to do their jobs.

Unfortunately I failed to notice that was a top-posted reply. Sorry.

> On Mon, Nov 26, 2012 at 3:41 PM, Steven VanDevender
> <ste...@uoregon.edu> wrote:
>
> > Jerald Sheets writes:
> > > Because standard systems administration practice is to rarely if ever
> > > run anything at all as root. This practice, generally speaking, will
> > > not pass ITIL, SOX, HIPAA, or PCI compliance auditing, and if
> > > something like Puppet (which has complete run of your system) ran as
> > > root, you could easily demolish not only one but thousands of
> > > machines with a single keystroke... well, Root is just a bad idea,
> > > then....
> >
> > One gathers you're not really a practicing sysadmin. What you cite are
> > a bunch of good reasons one should avoid running daemons and
> > applications as root. But you can't create and manage the mechanisms
> > that are used to avoid running things as root without root access. A
> > sysadmin avoids doing things as root that aren't necessary, but is
> > otherwise obligated to use root access (carefully) on a constant basis.
> >
> > Puppet runs as root because it should be used to do a lot of the things
> > that have to be done as root.
> >
> > Proper standards for security should say that root access should be
> > carefully regulated and monitored, not that it must never be allowed for
> > remote access. If used well Puppet should actually improve your
> > security because it can enforce site-wide standards automatically and
> > provide better auditing of changes than haphazard manual practices.
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
> > puppet-users+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> > http://groups.google.com/group/puppet-users?hl=en.