On Fri, Oct 05, 2012 at 06:31:05PM +0200, Michael Hanselmann wrote:
> 2012/10/5 Iustin Pop <[email protected]>:
> > On Fri, Oct 05, 2012 at 03:55:41AM +0200, Michael Hanselmann wrote:
> >> Some paths, such as /bin or /usr/lib, should not be used for file
> >> storage. This patch implements a check during cluster verification
> >> to show a warning in case such a path has been used.
> >
> > I haven't reviewed the patch, just one side question:
> >
> >> + if what.get(constants.NV_FILE_STORAGE_PATHS) == my_name:
> >> + result[constants.NV_FILE_STORAGE_PATHS] = \
> >> + (pathutils.FILE_STORAGE_PATHS_FILE,
> >> +
> >> bdev.LoadAllowedFileStoragePaths(pathutils.FILE_STORAGE_PATHS_FILE))
> >
> > Am I too paranoid if I'm asking myself whether it's OK to let the master
> > know what paths exactly the node allows? I mean, as opposed to just
> > returning the messages about not recommended paths being present (as
> > text) from the node.
>
> I think you are too paranoid. If someone has access to this
> information (by getting the contents of “server.pem”), that someone
> can also read the contents of the whitelist file, which is the same on
> all nodes, or the configuration, which has the file storage paths as
> well.

I agree that this is bordering on extreme, but I don't understand your
argument: just because I can read local server.pem, it doesn't
necessarily follow that I can read remote filepaths.

iustin
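
Review bot: in the quoted hunk, the value stored under result[constants.NV_FILE_STORAGE_PATHS] is the complete return value of bdev.LoadAllowedFileStoragePaths(pathutils.FILE_STORAGE_PATHS_FILE), so the node hands every allowed path to the caller instead of only the outcome of the check. If cluster verification only needs to warn about discouraged paths such as /bin or /usr/lib, consider evaluating the list on the node and returning just the offending entries or the warning text, which keeps the reply to the minimum the caller needs. The hunk also does not show what happens when the paths file is missing or unreadable; explicit handling or a short comment at this call would make the expected behaviour clear.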
