On Wednesday, May 18, 2016 at 7:05:48 PM UTC-5, Alex Scoble wrote:
>
> Hi all,
>
> We're currently on PE 3.8.4.
>
> We need to be able to manage sudoers permissions with Puppet, but control
> things so sudoers permissions can only be granted within a specific module.
>
> So permissions could be included via 'include foo::bar' from anywhere, but
> the actual sudoers permissions used by the include could only be set within
> the specific module that has access tightly controlled.
>
> The goal is to prevent someone from injecting a new sudoers rule into a
> module/manifest outside of our control.
>
I don't think there is any reliable way to do what you ask from within Puppet. You may be able to achieve it by completely protecting the sudo configuration from Puppet via mandatory access controls (SELinux) or a similar mechanism, but then Puppet cannot manage it at all.

Perhaps that's ok, but it seems rather pointless: if you do not trust your own manifests, then you are in a world of hurt. There are innumerable things that an assailant wanting to breach your security could do with the ability to influence nodes' catalogs, and closing down just a single avenue -- if that were even possible -- misses the forest for the trees. Anyone who can inject a single File or Exec resource into a node's catalog can very likely take control of that node if they so desire.

Therefore, I recommend procedural safeguards: control access to all your manifests, perform code reviews for all changes, etc.

John

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f6dbf98e-03d8-40f2-92a1-a1807ffc2441%40googlegroups.com.
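One procedural safeguard of the kind John recommends, as an added example that is not from this thread or from Puppet itself: a review-time check over a compiled catalog's JSON that flags File or Exec resources touching sudoers when they are declared outside the one module that is supposed to own them. It assumes the v4 catalog layout (a "resources" list whose entries carry "type", "title", "file", "line" and "parameters"); the sample catalog, module name and manifest paths are constructed for the example.

```python
import json

# Constructed sample: a minimal slice of a compiled catalog in the assumed v4
# JSON layout. Resource 1 is the legitimate rule from the controlled "sudo"
# module; resources 2 and 3 touch sudoers from a different module; resource 4
# is an unrelated File and must not be reported.
SAMPLE_CATALOG = json.dumps({"name": "web01.example.com", "resources": [
    {"type": "File", "title": "/etc/sudoers.d/ops", "line": 12,
     "file": "/etc/puppetlabs/puppet/environments/production/modules/sudo/manifests/rule.pp",
     "parameters": {"content": "%ops ALL=(ALL) ALL\n"}},
    {"type": "File", "title": "local_rule", "line": 40,
     "file": "/etc/puppetlabs/puppet/environments/production/modules/profile/manifests/web.pp",
     "parameters": {"path": "/etc/sudoers.d/zz_local", "content": "eve ALL=(ALL) ALL\n"}},
    {"type": "Exec", "title": "append-rule", "line": 41,
     "file": "/etc/puppetlabs/puppet/environments/production/modules/profile/manifests/web.pp",
     "parameters": {"command": "/bin/echo 'eve ALL=(ALL) ALL' >> /etc/sudoers"}},
    {"type": "File", "title": "/etc/motd", "line": 7,
     "file": "/etc/puppetlabs/puppet/environments/production/modules/profile/manifests/web.pp",
     "parameters": {"content": "welcome\n"}},
]})


def module_of(manifest_path):
    """Module name from a path like .../modules/<name>/manifests/..., else None."""
    parts = (manifest_path or "").split("/")
    if "modules" not in parts:
        return None
    i = parts.index("modules")
    return parts[i + 1] if i + 1 < len(parts) else None


def touches_sudoers(resource):
    """True for a File whose effective path is sudoers (title unless 'path' is
    set) or an Exec whose command names /etc/sudoers."""
    params = resource.get("parameters", {})
    if resource["type"] == "File":
        path = params.get("path", resource["title"])
        return path == "/etc/sudoers" or path.startswith("/etc/sudoers.d/")
    if resource["type"] == "Exec":
        return "/etc/sudoers" in params.get("command", "")
    return False


def find_rogue_sudoers(catalog_json, allowed_module="sudo"):
    """(type, title, manifest, line) for sudoers-touching resources declared
    outside allowed_module. A review aid only: indirect routes (a wrapper
    script run by Exec, a template, a later Exec) are not seen, which is why
    access control and code review on the manifests remain the real control."""
    catalog = json.loads(catalog_json)
    return [(r["type"], r["title"], r.get("file"), r.get("line"))
            for r in catalog["resources"]
            if touches_sudoers(r) and module_of(r.get("file")) != allowed_module]


if __name__ == "__main__":
    for finding in find_rogue_sudoers(SAMPLE_CATALOG):
        print("sudoers change outside controlled module:", finding)
```

Feed it the output of `puppet catalog find <node>` (or a catalog saved by the master) in CI so a pull request that adds a sudoers resource anywhere but the controlled module fails review automatically.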