On Tue, Aug 27, 2013 at 2:41 PM, jcbollinger <john.bollin...@stjude.org> wrote: > The client can provide a $::hostname fact that is different from the > certname it presents, but that is perfectly valid and expected under some > circumstances. It is possible that a client doing so is thereby able to > exploit weaknesses in (user-provided) manifest files required anyway for its > catalog, thereby extracting information to which it is not intended to have > access, but that is possible to some degree or another with any fact. It > does not constitute a flaw in Puppet itself, but rather in the manifests in > question.
That's roughly what I recall. So, in less words: from a security perspective, do not count on Puppet only serving the right config for the host. It is a very flimsy security boundary. cheers, m -- martin.langh...@gmail.com - ask interesting questions - don't get distracted with shiny stuff - working code first ~ http://docs.moodle.org/en/User:Martin_Langhoff -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
