On 07/05/2013 06:19 PM, David Schmitt wrote:
> In the environments I support everything is deployed through puppet.
> This leads to a big unification in dev/test environments. Through
> vagrant the complete stack can be tested locally before pushing to code
> review. From there the code travels through gerrit and jenkins until it
> is deployed to the puppetmaster.
Nice one, but currently not achievable in my case :( Yeah, social problems are always tougher to surpass than the technological ones.

> At no point was I offended by your words. I noticed a weakness in your
> explanation and frankly (even ruthlessly) addressed it. Please accept my
> apology for my rudeness.

The explanation was definitely weak, but the situation is really far from 'we' vs 'them'... Both teams want the best possible solution.

> What is the risk of having an attacker who breaks into the deployment
> user (which should only do deployment and nothing else), but is not able
> to achieve root directly?

Because one of the daemons that is supposed to be controlled this way is supervisor. And allowing an unprivileged user to put stuff with no limits at all into dot-d is really only a command away from privilege escalation to root...

> It's a very fine line to walk. Perhaps an API (even a little script that
> does syntax checks and/or auditing) might suffice.

One thing that did cross my mind is to allow the deployment process to push specific files to specific locations on the puppet master. That way, after the files are injected into the master, all the deployment tool has to do afterwards is to initiate an agent run on each node.

What do you think about that idea?
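An added example, written by the editor and not by either poster, of the "push specific files to specific locations" idea above: a receive-side check that the deployment user's target path lands inside an allowlisted directory and never inside a dot-d directory that a privileged daemon loads. The directory names are assumptions for illustration, not taken from the thread.

```python
import posixpath

# Assumed policy: directories the deployment user may write into on the
# puppet master. Stored without trailing slash; anything else is refused.
ALLOWED_DESTINATIONS = (
    "/etc/puppet/modules/app/files",
    "/etc/puppet/modules/app/manifests",
)

# Assumed list of directories whose contents are executed or loaded by
# privileged daemons (the "dot-d" problem in the thread). A push must
# never reach these, even via '..' components in the requested path.
PRIVILEGED_DIRS = (
    "/etc/supervisor/conf.d",
    "/etc/cron.d",
    "/etc/sudoers.d",
)


def check_destination(dest):
    """Return (allowed, reason) for a requested destination path.

    The path is normalized first so that '..' and '.' components cannot
    steer a file out of the allowlisted tree. On a real master, add
    os.path.realpath() on the parent directory to also resolve symlinks.
    """
    if not dest.startswith("/"):
        return False, "destination must be absolute"
    real = posixpath.normpath(dest)
    if real.endswith("/") or posixpath.basename(real) == "":
        return False, "destination must name a file, not a directory"
    for d in PRIVILEGED_DIRS:
        if real == d or real.startswith(d + "/"):
            return False, "refusing write into privileged directory: " + real
    for a in ALLOWED_DESTINATIONS:
        if real.startswith(a + "/"):
            return True, "ok: " + real
    return False, "destination not in allowlist: " + real


def audit_line(user, dest):
    """One log line per push attempt, accepted or not, for later review."""
    allowed, reason = check_destination(dest)
    verdict = "ALLOW" if allowed else "DENY"
    return "deploy-push user=%s dest=%s verdict=%s reason=%s" % (user, dest, verdict, reason)
```

A syntax check for manifests (for example `puppet parser validate` on a `.pp` file) would slot in after the path check passes and before the file is moved into place.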
