On 07/05/2013 06:19 PM, David Schmitt wrote:

> In the environments I support everything is deployed through puppet.
> This leads to a big unification in dev/test environments. Through
> vagrant the complete stack can be tested locally before pushing to code
> review. From there the code travels through gerrit and jenkins until it
> is deployed to the puppetmaster.

Nice one, but currently not achievable in my case :( Yeah, social
problems are always tougher to surpass than the technological ones.

> At no point was I offended by your words. I noticed a weakness in your
> explanation and frankly (even ruthlessly) addressed it. Please accept my
> apology for my rudeness.

Explanation was definitely weak, but situation is really far from 'we'
vs 'them'... Both teams want the best possible solution.

> What is the risk of having an attacker who breaks into the deployment
> user (which should only do deployment and nothing else), but is not able
> to achieve root directly?

Because one of the daemons that is supposed to be controlled this way is
supervisor. And allowing an unprivileged user to put stuff with no limits
at all into dot-d is really only a command away from privilege
escalation to root...

> It's a very fine line to walk. Perhaps an API (even a little script that
> does syntax checks and/or auditing) might suffice.

One thing that did cross my mind is to allow the deployment process to push
specific files to specific locations on the puppet master. That way, after
the files are injected into the master, all the deployment tool has to do
afterwards is to initiate an agent run on each node.

What do you think about that idea?
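As an added illustration of the "little script that does syntax checks and/or auditing" idea (this is not code from the thread or from the supervisor project), a policy check for supervisor conf.d snippets that a deployment user is allowed to drop in; the allowed accounts, option names and command directory are constructed assumptions for the example:

```python
import configparser
import os

# Constructed policy for this example (not a real site's): accounts and
# directories a deployment user may reference in a supervisor program block.
ALLOWED_USERS = {"deploy", "www-data"}
ALLOWED_COMMAND_PREFIXES = ("/srv/apps/",)
ALLOWED_KEYS = {"command", "user", "directory", "autostart", "autorestart",
                "startsecs", "stdout_logfile", "stderr_logfile"}


def check_supervisor_snippet(text):
    """Return the policy violations found in a supervisor conf.d snippet.

    An empty list means the snippet is acceptable. supervisord itself runs as
    root, so the checks make sure a snippet cannot turn that into running
    arbitrary code as root: only [program:...] sections, an explicit
    unprivileged user, a command under an approved tree, no other options.
    """
    problems = []
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["parse error: %s" % exc]

    for section in parser.sections():
        if not section.startswith("program:"):
            problems.append("%s: only [program:...] sections are allowed" % section)
            continue
        opts = dict(parser.items(section))  # keys are lower-cased by configparser

        for key in sorted(opts):
            if key not in ALLOWED_KEYS:
                problems.append("%s: option %r is not permitted" % (section, key))

        user = opts.get("user")
        if user is None:
            problems.append("%s: user= is required (otherwise the program "
                            "inherits supervisord's account)" % section)
        elif user not in ALLOWED_USERS:
            problems.append("%s: user %r is not an allowed account" % (section, user))

        # Normalise the executable path before the prefix check so that
        # ".." segments cannot escape the approved directory.
        argv = opts.get("command", "").split()
        exe = os.path.normpath(argv[0]) if argv else ""
        if not exe.startswith(ALLOWED_COMMAND_PREFIXES):
            problems.append("%s: command must live under %s"
                            % (section, " or ".join(ALLOWED_COMMAND_PREFIXES)))
    return problems
```

The deployment path would run this (as a separate, privileged step) on every snippet before it is copied into the dot-d directory, and refuse anything with a non-empty result.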


Discussion overview: group puppet-users, posted Jul 5, '13 at 11:37a, active Jul 5, '13 at 6:57p