compress old puppet reports
Jan-Frode Myklebust
janfrode at tanso.net
Tue May 17 16:59:43 UTC 2011
On Tue, May 17, 2011 at 08:23:31AM -0400, seth vidal wrote:
> >
> > # clean up all but the last 1 month of puppet reports
> > -/usr/sbin/tmpwatch --mtime 720 /var/lib/puppet/reports/
> > +/sbin/runuser -s /bin/sh - puppet -c "/usr/sbin/tmpwatch --mtime 720 /var/lib/
(scary how git diff cuts lines at end of terminal..)
It guards against symlink attack by anyone who can run something as
user "puppet" and replace /var/lib/puppet/reports/ with a symlink to
somewhere else (/).
> >
> > for host in `echo /var/lib/puppet/reports/*`
> > do
> > - /bin/ls -1 $host/*.yaml | head --lines=-48 | xargs --no-run-if-empty xz -9
> > + /bin/ls -1 $host/*.yaml | head --lines=-48 | \
> > + /sbin/runuser -s /bin/sh - puppet -c "xargs --no-run-if-empty xz -9"
Guards against races before xargs and bugs in xz which might be processesing
client controlled input. Would it be conceivable that xz can create a
compressed file that cron will interpret as a cronjob if placed in
/etc/cron.d? Similar to https://lwn.net/Articles/191080/ ?
I don't know, but I couldn't rule it out -- so I would much rather run
the maintenance scripts with the correct privileges instead of root.
> I'm not sure how it makes a hill of beans worth of difference.
>
> It makes no network connections and performs nothing controversial.
"puppetmaster" running as "puppet" listens on the network, and has access
to change these paths. But I'll agree it's probably not a big
difference since the impact is mostly destroying a machine -- not owning
it.. Would be great if there were some easier way to specify which user
each cron.daily job should run as.
-jf
More information about the infrastructure
mailing list