From: Ed Brown <ebrown@lanl.gov>
To: Bob Smith <b_smith44@hotmail.com>
CC: help-cfengine@gnu.org
Subject: Re: cfservd access question
Date: Mon, 23 Jan 2006 16:57:18 -0700
While this doesn't perhaps get to the heart of your question, is there
any reason not to use the same expression (172.16.1.0/24 in your
example) in 'admit:' that you use in 'control:'?
-Ed
On Mon, 2006-01-23 at 13:27 -0800, Bob Smith wrote:
> The following all takes place using cfengine 2.1.18 on Solaris 10. In this
> environment the client's name is "elf.corp" and the client's DNS domain is
> "corp.abc.com". DNS resolution works correctly in the environment.
>
> Using the examples supplied with the distribution I am attempting to create
> an update.conf for my site. In the admit section of the sample cfservd.conf
> access is granted based on a glob DNS domain name match (i.e.
> "*.iu.hioslo.no"); however, when I attempt to do the same type of thing for my
> site I hit access restrictions.
>
> my cfservd.conf looks like:
>
> control:
>
> domain = ( corp.abc.com )
> cfrunCommand = ( "/usr/local/sbin/cfagent" )
>
> any::
>
> IfElapsed = ( 1 )
> ExpireAfter = ( 15 )
> MaxConnections = ( 50 )
> MultipleConnections = ( true )
> LogAllConnections = ( true )
> AllowConnectionsFrom = ( 172.16.1.0/24 )
> TrustKeysFrom = ( 172.16.1.0/24 )
> AllowUsers = ( root )
>
> admit:
> /master_files/sysops/config_files *.corp.abc.com
>
> my update.conf looks like:
>
> control:
>
> actionsequence = ( copy tidy )
> domain = ( corp.abc.com )
>
> policyhost = ( monitor01.corp.abc.com )
> master_cfinput = ( /master_files/sysops/config_files/env_dep/CORP/var/cfengine/inputs )
>
> workdir = ( /var/cfengine )
>
> copy:
>
> $(master_cfinput)
> dest=$(workdir)/inputs
> timestamps=preserve
> exclude=*.lst
> exclude=*~
> exclude=*,v
> exclude=*-
> exclude=#*
> ignore=SCCS
> ignore=RCS
> recurse=inf
> type=sum
> server=$(policyhost)
> trustkey=true
> encrypt=true
>
> if I run cfservd in debug mode (-d3) I see the following:
>
> Checking whether to map root privileges..
>
> FuzzyItemIn(LIST,172.16.1.68)
> No root privileges granted
> WildMatch(elf.corp,*.corp.abc.com)
> WildMatch(*.corp.abc.com,elf.corp)
> WildMatch(172.16.1.68,*.corp.abc.com)
> WildMatch(*.corp.abc.com,172.16.1.68)
>
> FuzzyItemIn(LIST,172.16.1.68)
> Try FuzzySetMatch(*.corp.abc.com,172.16.1.68)
> cfservd: Host elf.corp denied access to
> /master_files/sysops/config_files/env_dep/CORP/var/cfengine/modules
> cfservd: Unspecified refusal by server
>
> From this it appears to me that the server is not doing either of the
> behaviors I would expect: (a) it is not comparing the "domain" value set in
> the client's update.conf to the access list specified in the server's
> cfservd.conf; (b) it is not resolving, via DNS, the client's IP address and
> comparing that to the access list specified in the server's cfservd.conf.
>
> Also, the documentation states, in section "4.3 Cfengine classes"
> (http://www.cfengine.com/docs/cfengine-Reference.html#Cfengine-classes) that
> "Cfengine uses both the unqualified and fully host names as classes. Some
> sites and operating systems use fully qualified names for their hosts. i.e.
> uname -n returns to full domain qualified hostname. This spoils the class
> matching algorithms for cfengine, so cfengine automatically truncates names
> which contain a dot `.' at the first `.' it encounters."
>
> Given this I would have expected that the hostname used by cfservd for
> access list matching would have been "elf" not "elf.corp" as shown by the
> debug output.
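The debug trace above shows cfservd trying WildMatch() with the name it has for the client ("elf.corp") and with the client's IP (172.16.1.68) against the admit glob "*.corp.abc.com", and neither matching. The following is an added example, not cfengine's own code and not a reproduction of its WildMatch() semantics: a small model of an admit-style ACL that accepts either a hostname glob or an IP network, run against a constructed client taken from the trace. It shows why a glob entry cannot admit a client whose name does not carry the full domain, why a glob never matches an IP address, and why a CIDR entry such as 172.16.1.0/24 (Ed's suggestion) admits the same client regardless of how its name resolves. The client name, IP and entries are taken from the post; the functions and their signatures are assumptions for illustration.

```python
# Added example: a simplified admit-ACL check (hostname glob or CIDR).
# This is illustrative code, not cfengine's WildMatch()/FuzzySetMatch().
import fnmatch
import ipaddress


def entry_matches(entry, client_ip, client_names):
    """Return True if a single admit entry matches the connecting client.

    entry: an IP or CIDR string ("172.16.1.68", "172.16.1.0/24") or a
           hostname glob ("*.corp.abc.com").
    client_ip: the peer address of the connection.
    client_names: the name(s) the server has for that peer.

    A CIDR entry is decided purely on the peer address. A glob entry is
    compared only against names, so it can never match a bare IP, which
    is what the failing WildMatch(172.16.1.68,*.corp.abc.com) line shows.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None  # not an address or network: treat as a hostname glob

    if net is not None:
        return ipaddress.ip_address(client_ip) in net

    # Case-insensitive, whole-name glob match. Note the caveat: "*" also
    # spans dots, so "*.corp.abc.com" admits "x.y.corp.abc.com" as well.
    pattern = entry.lower()
    return any(fnmatch.fnmatchcase(name.lower(), pattern) for name in client_names)


def admitted(admit_list, client_ip, client_names):
    """Return the list of admit entries that grant access to this client."""
    return [e for e in admit_list if entry_matches(e, client_ip, client_names)]


if __name__ == "__main__":
    # Constructed client, taken from the cfservd -d3 output in the post.
    ip = "172.16.1.68"
    short_name = ["elf.corp"]            # what the server saw
    fqdn = ["elf.corp.abc.com"]          # what the glob was written for

    print("glob vs short name:", admitted(["*.corp.abc.com"], ip, short_name))
    print("glob vs fqdn:      ", admitted(["*.corp.abc.com"], ip, fqdn))
    print("cidr vs short name:", admitted(["172.16.1.0/24"], ip, short_name))
    print("cidr, other subnet:", admitted(["172.16.1.0/24"], "172.16.2.5", fqdn))
```

The CIDR entry grants access from the peer address alone, so it does not depend on forward or reverse DNS for the client; the glob entry only works once the name the server resolves for the peer actually ends in ".corp.abc.com". Both forms still rely on the connection's source address being trustworthy, which is why TrustKeysFrom should be kept as narrow as the admit list.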