On 2020-03-28 14:36, Matt Zagrabelny wrote:


On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg <henrik.lindb...@puppet.com <mailto:henrik.lindb...@puppet.com>> wrote:

    On 2020-03-28 02:42, Matt Zagrabelny wrote:
     > Greetings,
     >
     > Suppose I have a class foo that host A gets via its catalog. Suppose
     > host B does not have foo in its catalog. Can host B do anything
     > malicious to obtain the sensitive data in foo?
     >
     > My puppet master is using an ENC to generate the classification
    of each
     > host and then a roles + profiles design pattern and hiera for
    specific data.
     >
     > Thanks for any hints or answers!
     >

    It is important that your server side logic uses $trusted when
    classifying on node since other facts cannot be trusted.

    If B is compromised a malicious user could spoof facts in a request and
    pretend to be A. It cannot however spoof the certificate - and it
    contains the information that is in $trusted.


Hey Henrik,

Thanks for the reply!

Suppose I don't use any facts for classification, but only the ENC assigns a role to the node via its fqdn.


You want the fqdn that is in $trusted - the "regular" fqdn can be spoofed.

- henrik


Class foo which comes through the role and profiles via the ENC has sensitive files in its "modules/foo/files/" path.

Can B obtain those files if B is not classified to have foo in its catalog?

Thank you for the help!

-m

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com <mailto:puppet-users+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAOLfK3VJytS_F%2Ban0dr-ya4Vf4GuhAxAYDS%2BbkudM8L6YzmuWw%40mail.gmail.com <https://groups.google.com/d/msgid/puppet-users/CAOLfK3VJytS_F%2Ban0dr-ya4Vf4GuhAxAYDS%2BbkudM8L6YzmuWw%40mail.gmail.com?utm_medium=email&utm_source=footer>.


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
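Added example, not code from the thread or from Puppet itself, of what Henrik's point looks like in a server-side manifest: classification keyed on an agent-reported fact beside the same logic keyed on `$trusted`. The role class names, the hostname pattern and the `pp_role` extension usage are assumptions about the site's conventions.

```puppet
# site.pp (illustrative). Two ways to pick a node's role.

# WEAK: $facts['networking']['fqdn'] is reported by the agent. A compromised
# node B can report A's fqdn and be classified as A, so it would receive A's
# role and whatever sensitive data that role pulls in.
node default {
  if $facts['networking']['fqdn'] =~ /^web\d+\.example\.com$/ {   # assumed pattern
    include role::webserver                                       # assumed class
  }
}

# BETTER: $trusted is populated from the client certificate the server has
# already verified. $trusted['certname'] is the CN of that certificate and a
# node cannot change it without a different certificate signed by the CA.
node default {
  case $trusted['certname'] {
    /^web\d+\.example\.com$/: { include role::webserver }   # assumed classes
    /^db\d+\.example\.com$/:  { include role::database }
    default:                  { include role::base }
  }
}

# Alternative when the role is put into the certificate at signing time
# (the pp_role extension in csr_attributes.yaml). Still part of $trusted,
# so still not spoofable by the agent.
node default {
  $role = $trusted['extensions']['pp_role']
  if $role =~ /^[a-z_]+$/ {                 # refuse anything unexpected
    include "role::${role}"
  } else {
    fail("node ${trusted['certname']} has no valid pp_role extension")
  }
}
```

The same rule applies to hiera: a hierarchy level such as `%{trusted.certname}` is keyed on the verified identity, whereas `%{facts.networking.fqdn}` is keyed on whatever the agent chose to report.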

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/r5np3e%243rd%241%40ciao.gmane.io.
