Cfservd wants physical paths

[Robert Cantu]

I'm having trouble with cfservd allowing a host to copy a file from the 
server where the file resides in a directory that has at least one 
symlink in it's path.

Example:

cfservd.conf
...
grant:
    /var/cfengine/inputs        <ip list>
      encrypt=true

/var/cfengine/inputs is a symlink to somewhere else, let's say, 
/usr/local/foo, which is also a symlink for /usr/local/bar. cfagent 
running on the client machine connects and gets all the trusted keys 
right, but it still says "Host authentication failed. Did you forget 
the domain name?" when it hits the copy in update.conf. Back on the 
server machine, with the Syslog = ( on ), cfservd logs the following 
for the relevant request for copying cfagent.conf:

Nov 14 16:05:14 server cfservd[22716]: From (host=client.bar.com 
user=root,ip=192.168.20.40)
Nov 14 16:05:14 server cfservd[22716]:  ID from connecting host: (SYNCH 
1068804314 STAT /var/cfengine/inputs/cfservd.conf)
Nov 14 16:05:14 server cfservd[22716]:  Host client.bar.com denied 
access to /usr/local/bar/cfagent.conf
Nov 14 16:05:14 server cfservd[22716]: Host 
authorization/authentication failed or access denied

It seems that cfservd wants the absolute physical path (much like pwd 
-P in bash). When I use the physical path in the grant section instead 
of /var/cfengine/inputs, the cfagent doesn't even get access to try to 
copy since it's requesting /var/cfengine/inputs/cfagent.conf, but it's 
not in the grant: section. The only way I've gotten this to work is to 
have grant: for both /var/cfengine/inputs and /usr/local/bar.

Is there any way to have cfservd not care about symlinks in the 
admit|grant sections? Please CC my email so that I can view replys, 
thanks.

Robert Cantu
robert@artistictech.net