This is discussed in pull request:
Due to security issues i have rewrote it:
Here in short the description:
- cf-agent -B cfengine3. Creates a failsafe.cf in the symlinked inputs directory
- cf-agent -f failsafe.cf fails to copy the files from the policy host due the fact
that sys.workdir/inputs is a symbolic link.
There are several solutions:
1. Allow copies to synlinked directories. Requires permission checks to prevent a symlink attack
2. Bootstrap protocol must check if there is something wrong with the sys.workdir/inputs, before
creating the failsafe.cf file. There should be a warning or fix it. Now it just creates
the failsafe.cf file in the symlinked directory.
3. In the generated failsafe.cf add the statement 'move_obstructions => "true"'. The it will force
the copy action and move the offending file