CFE-983

Bootstrap fails if sys.workdir/inputs is a symlink

    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.0
    • Component/s: Packaging
    • Labels:
      None

      Description

      This is discussed in pull request:

      Due to security issues I have rewritten it:

      Here, in short, is the description:

      • cf-agent -B cfengine3. Creates a failsafe.cf in the symlinked inputs directory
      • cf-agent -f failsafe.cf fails to copy the files from the policy host due to the fact
        that sys.workdir/inputs is a symbolic link.

      There are several solutions:
      1. Allow copies to symlinked directories. Requires permission checks to prevent a symlink attack.
      2. Bootstrap protocol must check if there is something wrong with the sys.workdir/inputs, before
      creating the failsafe.cf file. There should be a warning or fix it. Now it just creates
      the failsafe.cf file in the symlinked directory.
      3. In the generated failsafe.cf add the statement 'move_obstructions => "true"'. Then it will force
      the copy action and move the offending file.
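
Option 1 in the description calls for permission checks before copying through a symlinked inputs directory. One way to do such a check, as an added example that is not CFEngine's code or part of the original report: `open_trusted_inputs` and `create_in_inputs` are hypothetical helpers, and the policy they enforce (link and target owned by the agent's user or root, target not group- or world-writable) is an assumption.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a CFEngine function. Returns an open directory fd
 * if `path` is a directory, or a symlink to one, that only `owner` or root
 * controls (assumed policy); returns -1 otherwise. */
int open_trusted_inputs(const char *path, uid_t owner)
{
    struct stat lst, st;
    if (lstat(path, &lst) != 0)
        return -1;
    /* A link created by another user could redirect the copy anywhere. */
    if (S_ISLNK(lst.st_mode) && lst.st_uid != owner && lst.st_uid != 0)
        return -1;
    /* Follow the link once, then check the object that was actually opened,
     * so re-pointing the link after the check cannot change the result. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 ||
        (st.st_uid != owner && st.st_uid != 0) ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create one policy file relative to the vetted fd, never through a link. */
int create_in_inputs(int dirfd, const char *name)
{
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "inputs"; /* placeholder path */
    int fd = open_trusted_inputs(path, getuid());
    puts(fd >= 0 ? "inputs directory trusted" : "inputs directory rejected");
    return fd >= 0 ? 0 : 1;
}
```

Writing through the returned descriptor with `openat` keeps later file creation bound to the directory that passed the checks, even if the symlink is changed afterwards.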

              People

              • Assignee:
                a10025 Volker Hilsheimer (Inactive)
                Reporter:
                bas Bas van der Vlies
