
Prevent access to a file between puppet runs

asked 2014-06-02 10:30:40 -0600

RomeoBravo

We have our infrastructure set to do puppet runs twice daily. I have a couple of files that I need to prevent access to in between runs. Basically, we have a script that multiple users run, and functionality for the script is limited depending on the user. The user's authorized functions are listed in ~/.${LOGNAME}.auth, which, prior to puppet, we maintained via RPM and performed an rpmverify on the package that drops the file as the first step of running the script, aborting the script if rpmverify failed.

We need to be able to do the same thing in puppet.


1 Answer


answered 2014-06-03 18:11:33 -0600

Stefan

You cannot prevent access between puppet runs differently than you would otherwise be able to prevent access. So you can either make sure with puppet that ~/.${LOGNAME}.auth is readable by the user but not writeable, or you have to somehow be able to detect an undesirable change similar to your rpmverify.

One possibility would be to just run puppet and fix it, of course, or you store the correct checksums elsewhere so you can later query it. Something like

file { '/home/foo/.bar.auth':
  ensure  => file,
  owner   => 'foo',
  mode    => '0444',   # readable by the user, not writable by the user
  content => template('foo/bar.auth'),
}
file { '/some_other_dir/bar.sha1.auth':
  ensure  => file,
  mode    => '0444',   # the stored digest must not be writable by the user either
  content => sha1(template('foo/bar.auth')),
}

And then your script itself can check the current sha1sum of the file when running the script and compare it to the stored one. You may also be able to extract the desired checksum by parsing the cached catalog directly (somewhere under /var/lib/puppet/client_yaml).

But please be aware that if the user is able to change the file .bar.auth it is hard to avoid race conditions. Like your script generating the checksum,

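One way to do the check the answer describes inside the script itself, as an added example that is not from the original answer: the script reads the auth file once, hashes that in-memory copy and then parses the same copy, so the window between hashing and use that the answer warns about cannot be exploited by swapping the file in between. It assumes sha1sum(1) is available and that the stored checksum file (root-owned, not writable by the user) holds the bare hex digest, as the sha1(template(...)) resource above would produce.

```shell
#!/bin/sh
# Added example, not from the original answer. Checks the per-user auth file
# against the digest Puppet stored elsewhere, then consults the verified copy.
# Assumptions (not on the page): sha1sum(1) is installed and the checksum file
# holds the bare hex digest, e.g. the output of sha1(template(...)) above.
# This detects modification; it does not prevent it, so the checksum file must
# itself be root-owned and not writable by the user.

# verify_auth_file AUTH_FILE CHECKSUM_FILE
# Reads AUTH_FILE exactly once and hashes that in-memory copy, so the bytes
# that are checked are the bytes that are used (no check-then-use window).
# On success prints the verified content and returns 0; otherwise returns 1.
verify_auth_file() {
    auth_file=$1
    checksum_file=$2
    [ -f "$auth_file" ] && [ -f "$checksum_file" ] || return 1
    # $(...) strips trailing newlines; the sentinel 'x' keeps them so the
    # digest matches what sha1sum would compute over the file itself.
    content=$(cat "$auth_file" && printf x) || return 1
    content=${content%x}
    expected=$(tr -d '[:space:]' < "$checksum_file")
    actual=$(printf '%s' "$content" | sha1sum | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$actual" = "$expected" ] || return 1
    printf '%s' "$content"
}

# user_may_run AUTH_FILE CHECKSUM_FILE FUNCTION
# Returns 0 only if the verified auth file lists FUNCTION (one name per line).
user_may_run() {
    verified=$(verify_auth_file "$1" "$2") || return 1
    printf '%s\n' "$verified" | grep -qxF -- "$3"
}

# Constructed sample data so the script runs stand-alone; under Puppet both
# files would be dropped by file resources like the ones in the answer.
demo_dir=$(mktemp -d)
printf 'restart\nstatus\n' > "$demo_dir/.alice.auth"
sha1sum < "$demo_dir/.alice.auth" | cut -d' ' -f1 > "$demo_dir/alice.sha1.auth"
if user_may_run "$demo_dir/.alice.auth" "$demo_dir/alice.sha1.auth" restart; then
    echo "restart: allowed"
fi
# A local edit to the auth file is rejected even though the name is now listed.
printf 'restart\nstatus\nshutdown\n' > "$demo_dir/.alice.auth"
if ! user_may_run "$demo_dir/.alice.auth" "$demo_dir/alice.sha1.auth" shutdown; then
    echo "shutdown: denied, auth file does not match stored checksum"
fi
rm -rf "$demo_dir"
```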


Last updated: Jun 03 '14