On 2020-03-28 14:36, Matt Zagrabelny wrote:
> On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg <[email protected]> wrote:
>> On 2020-03-28 02:42, Matt Zagrabelny wrote:
>>> Greetings,
>>>
>>> Suppose I have a class foo that host A gets via its catalog. Suppose
>>> host B does not have foo in its catalog. Can host B do anything
>>> malicious to obtain the sensitive data in foo?
>>>
>>> My puppet master is using an ENC to generate the classification of
>>> each host and then a roles + profiles design pattern and hiera for
>>> specific data.
>>>
>>> Thanks for any hints or answers!
>>
>> It is important that your server side logic uses $trusted when
>> classifying on node since other facts cannot be trusted.
>> If B is compromised a malicious user could spoof facts in a request and
>> pretend to be A. It cannot however spoof the certificate - and it
>> contains the information that is in $trusted.
>
> Hey Henrik,
>
> Thanks for the reply!
>
> Suppose I don't use any facts for classification, but only the ENC
> assigns a role to the node via its fqdn.

You want the fqdn that is in $trusted - the "regular" fqdn can be spoofed.

- henrik

> Class foo which comes through the role and profiles via the ENC has
> sensitive files in its "modules/foo/files/" path.
>
> Can B obtain those files if B is not classified to have foo in its catalog?
>
> Thank you for the help!
>
> -m
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAOLfK3VJytS_F%2Ban0dr-ya4Vf4GuhAxAYDS%2BbkudM8L6YzmuWw%40mail.gmail.com
<https://groups.google.com/d/msgid/puppet-users/CAOLfK3VJytS_F%2Ban0dr-ya4Vf4GuhAxAYDS%2BbkudM8L6YzmuWw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
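
The same reasoning applies to the Hiera layer mentioned in the question, because the data a node receives depends on which hierarchy paths resolve for it. The following is an added example, not code from this thread or from the Puppet project: a Python check that lists every variable interpolated in a `hiera.yaml` that is not rooted in `trusted` or `server_facts`, so each one can be reviewed. The sample file, the function name `audit_hierarchy` and the ENC-set parameter `role` are assumptions made for the illustration.

```python
import re

# Matches %{facts.fqdn}, %{::fqdn}, %{trusted.certname}; lookup()/alias() calls are skipped.
TOKEN = re.compile(r"%\{\s*(?:::)?([A-Za-z_][\w.]*)\s*\}")

# Roots whose values come from the signed certificate or from the server itself.
SERVER_SIDE_ROOTS = {"trusted", "server_facts"}

def audit_hierarchy(hiera_yaml, enc_params=()):
    """Return [(line_no, variable)] for interpolations that are not rooted in
    trusted.* / server_facts.* and are not declared as ENC-set parameters."""
    allowed = SERVER_SIDE_ROOTS | set(enc_params)
    findings = []
    for line_no, line in enumerate(hiera_yaml.splitlines(), 1):
        code = line.split("#", 1)[0]  # simplification: '#' always starts a comment
        for var in TOKEN.findall(code):
            if var.split(".", 1)[0] not in allowed:
                findings.append((line_no, var))
    return findings

# Constructed sample hiera.yaml (hypothetical paths, not from the thread).
SAMPLE = """\
version: 5
hierarchy:
  - name: "Per-node secrets"
    path: "nodes/%{facts.fqdn}.yaml"        # fact sent by the agent
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"  # taken from the signed certificate
  - name: "Role"
    path: "roles/%{role}.yaml"              # assumed to be set by the ENC
  - name: "Legacy"
    path: "os/%{::osfamily}.yaml"           # legacy top-scope fact
"""

if __name__ == "__main__":
    for line_no, var in audit_hierarchy(SAMPLE, enc_params={"role"}):
        print(f"hiera.yaml:{line_no}: review %{{{var}}}: not rooted in trusted or server_facts")
```

A finding means "review this level", not "this level leaks": whether it matters depends on what data sits behind the path. Only list a variable in `enc_params` when the ENC really sets it from the certificate name.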