After all the Regex magic that has just ensued on the Dev list, this
should be pretty easy :-) (magic, I say!).
Having a regex match on the File type would actually be useful in a
lot of cases. *But* it needs to be able to be sped up.
Something like forking to the native tools to do the match a
Hi
> OK, maybe I didn't express it clearly enough. Puppet won't let me
> specify one behaviour for /a and another for /a/**. As I said, there
> are valid reasons for wanting that.
I understood it that way and I also understand the reasons. My problem
is to see a valid way to describe that wi
On Tue, Jul 28, 2009 at 10:47:07AM +0200, Peter Meier wrote:
>
> Hi
>
> >> For sure you have to manage the content of each subdirectory separately
> >> as they're managed on their own.
> >
> > I'm sorry, but that fails as far as I'm concerned. I shouldn't be
> > having to specify common behavio
Hi
>> For sure you have to manage the content of each subdirectory separately
>> as they're managed on their own.
>
> I'm sorry, but that fails as far as I'm concerned. I shouldn't be
> having to specify common behaviour multiple times.
Well, either you're managing a resource or you're not. Someth
Trevor Vaughan wrote:
> Personally, I don't see the default behavior as a security flaw.
>
> Perhaps, I'm missing something, James?
I tend to agree that the current behaviour meets 99% of the functional
requirements but I do understand where the original poster is coming from.
Like Luke, I don
On Tue, Jul 28, 2009 at 10:27:57AM +0200, Peter Meier wrote:
> For sure you have to manage the content of each subdirectory separately
> as they're managed on their own.
I'm sorry, but that fails as far as I'm concerned. I shouldn't be
having to specify common behaviour multiple times.
--
Bru
Hi
> On a slight tangent, how about having 755 on a directory but (for
> example) having 700 or 600 recursively on all the managed directories
> and files underneath it (and maybe different ownership as well). There
> are valid reasons for wanting to do this but the last time I tried it, I
> fou
2009/7/28 Judd :
>
> In any case it's VERY misleading to have an explicit command
> completely ignored by an unstated policy.
>
Personally, I'm not too worried about the security aspects of this,
but I would certainly expect Puppet to do what it's told. If I fluff
my permissions, more fool me. H
I'm slightly confused.
From your original example, it looks like you're trying to create a
directory where everyone has read/write access, but nobody can traverse
the directory.
Perhaps this is the start of a symlink farm?
Most security guidance
Thanks for following up on this..
There are many instances when a user will be allowed access to a
particular path, and not the containing directory's file list. Take a
mail server for example, where a mail system user creates directories
where users have access to their own files and folders, bu
>
> Generally speaking they define a few basics:
>
> 1. Who is accountable for security
> 2. What to do if you find a security issue and where to report
> security issues
> 3. How security patches are handled
> 4. The project's disclosure policy
>
> Regards
>
> James Turnbull
This sounds lik
Also see the bug ticket submitted:
http://projects.reductivelabs.com/issues/2451
On Jul 27, 2009, at 4:45 PM, Judd Maltin wrote:
>
> This code:
>
>
> file { '/tmp/default':
>   ensure => directory,
>   mode => '666'
> }
>
> produces:
>
> r...@blah# ls -la /tmp/default/
> total 16
> d
On Mon, Jul 27, 2009 at 11:01:16PM +0200, Peter Meier wrote:
> > Is there a consistent culture or policy in the Puppet community to
> > override explicit security configurations? It must be explicitly
> > avoided in an audit, if that's the case. If there is no policy,
> > perhaps we should defin
Hi
>> Could you outline what you'd like to have in this policy. Not explicitly
>> for this question you raised but more in general. Maybe it's indeed
>> interesting to have one.
>
> As someone who works as a security professional and has spent the
> last week interacting with a small army of aud
Hi
> the only existing culture is that for file resources directories
> automatically get the execute bit. I don't yet see why you'd like to
> have a directory without the execute flag set, maybe you can explain?
>
> This "feature" is on one side very helpful if you have recursive
> directories to
Peter Meier wrote:
> Could you outline what you'd like to have in this policy. Not explicitly
> for this question you raised but more in general. Maybe it's indeed
> interesting to have one.
As someone who works as a security professional and has spe
Hi
> That is a major security issue. I cannot recommend Puppet to my
> clients if I get different results on my filesystem than from my
> manifest.
>
> Is there a consistent culture or policy in the Puppet community to
> override explicit security configurations? It must be explicitly
> avoide
Judd Maltin wrote:
> This code:
>
>
> file { '/tmp/default':
> ensure => directory,
> mode => '666'
> }
>
> produces:
>
> r...@blah# ls -la /tmp/default/
> total 16
> drwxrwxrwx 2 root root 4096 2009-07-27 16:21 .
>
> That is a major security issue. I cannot recommend Puppet to m
19 matches