Re: glob in inputs

2010-06-04 Thread daniel . klein
You can work around the '*' restriction if you like, but wildcard matching on inputs is a security risk. The reason is as follows: 1) Assume there is a inputs => { "xxx/*.cf" }; in your promises.cf 2) You do testing in a different directory other than /var/cfengine/inputs (this is a good idea

Re: glob in inputs

2010-06-04 Thread Bas van der Vlies
On 04-06-10 13:58, Mark Burgess wrote: > > I diagree with you again. Even a sysadmin can add a file by mistake and cause > great > damage. THe way it works now, you have to do some work to make a mistake. > This is a > sensible precaution. > It was not a discussion with you ;-). A sysadmin can ma

Re: glob in inputs

2010-06-04 Thread Mark Burgess
I diagree with you again. Even a sysadmin can add a file by mistake and cause great damage. THe way it works now, you have to do some work to make a mistake. This is a sensible precaution. Bas van der Vlies wrote: > On 04-06-10 13:40, Mark Burgess wrote: >> It is a security risk to accept any f

Re: glob in inputs

2010-06-04 Thread Bas van der Vlies
On 04-06-10 13:40, Mark Burgess wrote: > > It is a security risk to accept any file as input to a program that has root > privilege. > If you work around this, do so at your own risk. > Mark i agree with Vasiliy. I had a former discussion about this a couple a months ago. Somebody said also it i

Re: glob in inputs

2010-06-04 Thread Mark Burgess
It is a security risk to accept any file as input to a program that has root privilege. If you work around this, do so at your own risk. Vasiliy G Tolstov wrote: > В Птн, 04/06/2010 в 13:12 +0400, Vasiliy G Tolstov пишет: >> How can i use * pattern in inputs? >> >> I do not want to specify all

Re: glob in inputs

2010-06-04 Thread Vasiliy G Tolstov
В Птн, 04/06/2010 в 13:12 +0400, Vasiliy G Tolstov пишет: > How can i use * pattern in inputs? > > I do not want to specify all files in config file, rather i want to > inputs => { "xxx/*.cf" }; > > (cfengine 3.0.4) > Ok. Because authors of cfengine not like * in inputs, work around: "soft" sl

Re: glob in inputs

2010-06-04 Thread Mark Burgess
This is not allowed. It is considered a security risk. HOwever, if you name all possible allowed files, you can choose to "ignore_missing_inputs", which is a safer alternative. On 06/04/2010 11:12 AM, Vasiliy G Tolstov wrote: > How can i use * pattern in inputs? > > I do not want to specify a

glob in inputs

2010-06-04 Thread Vasiliy G Tolstov
How can i use * pattern in inputs? I do not want to specify all files in config file, rather i want to inputs => { "xxx/*.cf" }; (cfengine 3.0.4) -- Vasiliy G Tolstov Selfip.Ru ___ Help-cfengine mailing list Help-cfengine@cfengine.org https://cfeng