On Tue, May 17, 2011 at 08:23:31AM -0400, seth vidal wrote:
>
> # clean up all but the last 1 month of puppet reports
> -/usr/sbin/tmpwatch --mtime 720 /var/lib/puppet/reports/
> +/sbin/runuser -s /bin/sh - puppet -c "/usr/sbin/tmpwatch --mtime 720 /var/lib/
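Review bot: the added `+` line is cut off at `/var/lib/` (the terminal wrap mentioned just below), so the closing quote and the tail of the path cannot be checked from this patch; please confirm the committed line ends in `/var/lib/puppet/reports/"` exactly as the removed line did. Also, since `runuser -s /bin/sh - puppet -c "..."` goes through a login shell, the command string is parsed a second time under the puppet user's environment; keeping every path absolute, as `/usr/sbin/tmpwatch` already is, avoids depending on that user's PATH.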
(scary how git diff cuts lines at end of terminal..)
It guards against a symlink attack by anyone who can run something as
user "puppet" and replace /var/lib/puppet/reports/ with a symlink to
somewhere else (/).
>
> for host in `echo /var/lib/puppet/reports/*`
> do
> - /bin/ls -1 $host/*.yaml | head --lines=-48 | xargs --no-run-if-empty xz -9
> + /bin/ls -1 $host/*.yaml | head --lines=-48 | \
> + /sbin/runuser -s /bin/sh - puppet -c "xargs --no-run-if-empty xz
-9"
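Review bot: only the `xz` stage moves under `runuser` here; `/bin/ls -1 $host/*.yaml | head` still runs as root, so the file list is built with root's view of `$host` and then handed to a process running as puppet, which narrows the race rather than closing it (consistent with the explanation below, but worth a comment in the script). Unlike the first hunk, `xz` is not an absolute path, so under the puppet login shell it resolves through that user's PATH; `/usr/bin/xz` would match the `/bin/ls` and `/sbin/runuser` already used on the same line.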
Guards against races before xargs and bugs in xz which might be processing
client controlled input. Would it be conceivable that xz can create a
compressed file that cron will interpret as a cronjob if placed in
/etc/cron.d? Similar to
https://lwn.net/Articles/191080/ ?
I don't know, but I couldn't rule it out -- so I would much rather run
the maintenance scripts with the correct privileges instead of root.
> I'm not sure how it makes a hill of beans worth of difference.
> It makes no network connections and performs nothing controversial.
"puppetmaster" running as "puppet" listens on the network, and has
access to change these paths. But I'll agree it's probably not a big
difference since the impact is mostly destroying a machine -- not owning
it. Would be great if there were some easier way to specify which user
each cron.daily job should run as.
-jf
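The symlink concern above is the reason a cron cleanup should not follow whatever currently sits at the reports path. Below is an added example, written for this editorial pass and not part of the thread's patch or of puppet's scripts, of a guard a maintenance job can run before handing a directory to tmpwatch or xz: it refuses a path that is a symlink, a non-directory, or a directory not owned by the expected user, and lists the report files a 720-hour policy would select. It assumes GNU coreutils and findutils (stat -c, find -mmin), i.e. a Linux host; the function names and the sample layout are the example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list patch): guard checks for a cron
# cleanup job over a report directory. Assumes GNU stat and GNU find.

# guard_dir DIR OWNER
# Succeeds only if DIR is a real directory (not a symlink), owned by OWNER.
# A trailing slash is stripped first: "[ -L link/ ]" is false because the
# slash makes the shell resolve the link, which is exactly the case we want
# to refuse.
guard_dir() {
    dir=${1%/}
    owner=$2
    # Test -L before -d: -d follows symlinks and would accept a link to /.
    if [ -L "$dir" ]; then
        echo "refusing $dir: is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refusing $dir: not a directory" >&2
        return 1
    fi
    actual=$(stat -c '%U' -- "$dir") || return 1
    if [ "$actual" != "$owner" ]; then
        echo "refusing $dir: owned by $actual, expected $owner" >&2
        return 1
    fi
    return 0
}

# list_old_reports DIR HOURS
# Prints regular *.yaml files under DIR whose mtime is older than HOURS hours,
# the same selection tmpwatch --mtime HOURS makes. -type f skips symlinks, and
# find without -L never descends into a symlinked subdirectory.
list_old_reports() {
    dir=${1%/}
    hours=$2
    mins=$((hours * 60))
    find "$dir" -type f -name '*.yaml' -mmin "+$mins" -print
}

# Typical use in a cron job (constructed invocation; paths are the thread's):
#   guard_dir /var/lib/puppet/reports puppet && \
#       /usr/sbin/tmpwatch --mtime 720 /var/lib/puppet/reports/
```

The check is itself a check-then-act sequence: a user who can write the parent directory could still swap the path between guard_dir and tmpwatch. That is why the patch in the thread drops to the puppet user as well; the guard limits what gets passed along, and the reduced privilege limits what a successful swap could destroy.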