  1. CFEngine Community
  2. CFE-733

execute bundles with least privileges


    Details

    • Type: Task
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Evaluation
    • Labels:
      None

      Description

      We need to be able to drop privileges and evaluate whole bundles under certain restrictions (e.g. user, group, chroot, ulimit) for security and other reasons.

      Old description of this bug follows:

      > Use cases:
      >
      > * contain an execresult in a variable
      > * contain a whole usebundle. For instance you may want any files promises in the bundle to only touch files in a certain directory and below, or to create files with a particular UID and umask.
      > * any potentially pluggable promises must have a security context
      >
      > This enables many security use cases in all components, e.g. serverd, as well without explicitly adding "run as" options to each component.
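
A sketch of the ordering a restricted evaluation like this needs on POSIX, added here as an example; it is not CFEngine code, and `restrict_ctx`, `run_restricted` and `probe_nofile` are hypothetical names. It assumes Linux with glibc, and skips the identity change when the target user and group are already the current ones.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical restriction set mirroring the ticket: user, group, chroot, ulimit. */
struct restrict_ctx {
    uid_t uid; gid_t gid;
    const char *chroot_dir; /* NULL = no chroot */
    rlim_t max_open_files;  /* RLIMIT_NOFILE, soft and hard */
};

/* Apply the restrictions in a safe order; 0 on success, -1 on failure. */
static int apply_restrictions(const struct restrict_ctx *c)
{
    struct rlimit rl = { c->max_open_files, c->max_open_files };
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    /* chroot needs privilege, so it comes before the identity change. */
    if (c->chroot_dir && (chroot(c->chroot_dir) != 0 || chdir("/") != 0)) return -1;
    if (c->uid == getuid() && c->gid == getgid()) return 0; /* nothing to drop */
    /* Groups first, uid last: after setuid() the groups can no longer be changed. */
    if (setgroups(1, &c->gid) != 0 || setgid(c->gid) != 0 || setuid(c->uid) != 0) return -1;
    /* The drop must be permanent: regaining root has to fail. */
    return (c->uid != 0 && setuid(0) == 0) ? -1 : 0;
}

/* Run fn(arg) in a forked child under the restrictions; the parent keeps its
   privileges. Returns fn's exit status, or -1 on failure (status 127 is reserved). */
int run_restricted(const struct restrict_ctx *c, int (*fn)(void *), void *arg)
{
    int status; pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(apply_restrictions(c) == 0 ? fn(arg) & 0xff : 127);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

/* Sample workload: report the RLIMIT_NOFILE soft limit it runs under. */
int probe_nofile(void *unused)
{
    struct rlimit rl; (void)unused;
    return getrlimit(RLIMIT_NOFILE, &rl) == 0 ? (int)rl.rlim_cur : 126;
}

int main(void)
{
    struct restrict_ctx c = { getuid(), getgid(), NULL, 16 }; /* constructed sample */
    return run_restricted(&c, probe_nofile, NULL) == 16 ? 0 : 1;
}
```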

              People

              • Assignee:
                a10003 Eystein Maloy Stenberg
                Reporter:
                jiraadmin Old User (Inactive)
              • Votes:
                0
                Watchers:
                7
