On 01/22/2013 10:04 PM, jcbollinger wrote:
> You are also right that a compromised client can, in principle, falsify
> the fact values presented to the master in an attempt to make it divulge
> secret information. Whether the master might actually divulge anything
> is a function of the manifests with which site administration has
> configured it. In other words, that's a question of how Puppet is used,
> not of the fundamental security of Puppet itself.

One thing did cross my mind while reading your explanation. What about
the private section in fileserver.conf?

I've set up a private section, as follows:

[private]
path /etc/puppet/private/%H
allow *

Does this mean that if a compromised client fakes the hostname fact (because I
presume that %H means hostname), it can get all the files from the private
section? Can I maybe use certname in the private section?

--
Jakov Sosic
www.srce.unizg.hr