On Sat, Mar 28, 2020 at 10:05 AM Henrik Lindberg <henrik.lindb...@puppet.com> wrote:
> On 2020-03-28 14:36, Matt Zagrabelny wrote: > > > > > > On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg > > <henrik.lindb...@puppet.com <mailto:henrik.lindb...@puppet.com>> wrote: > > > > On 2020-03-28 02:42, Matt Zagrabelny wrote: > > > Greetings, > > > > > > Suppose I have a class foo that host A gets via its catalog. > Suppose > > > host B does not have foo in its catalog. Can host B do anything > > > malicious to obtain the sensitive data in foo? > > > > > > My puppet master is using an ENC to generate the classification > > of each > > > host and then a roles + profiles design pattern and hiera for > > specific data. > > > > > > Thanks for any hints or answers! > > > > > > > It is important that your server side logic uses $trusted when > > classifying on node since other facts cannot be trusted. > > > > If B is compromised a malicious user could spoof facts in a request > and > > pretend to be A. It cannot however spoof the certificate - and it > > contains the information that is in $trusted. > > > > > > Hey Henrik, > > > > Thanks for the reply! > > > > Suppose I don't use any facts for classification, but only the ENC > > assigns a role to the node via its fqdn. > > > > You want the fqdn that is in $trusted - the "regular" fqdn can be spoofed. > The ENC gets the fqdn on the command line. I'd presume this is trusted from the certificate since communication between the master and client is predicated on the SSL. The ENC then "assigns" a class to A. Is there anything B can do to get module foo added to its catalog if only the ENC adds module foo to node's catalogs? Thanks, -m -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAOLfK3WHtCsEEhA6CrvP8WkFwxqGJdads1rzsBOUjVVNBgpSZw%40mail.gmail.com.
