Bug #3092
No entries means no security?
| Status: | Accepted | Start: | 01/20/2010 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | network | |||
| Target version: | - | |||
| Affected version: | 0.25.1 | Branch: | ||
| Keywords: | authoratization | |||
| Votes: | 0 |
Description
For testing purposes, I had a fileserver.conf with:
[modules]
[plugins]
and nothing else. This gives no security whatsoever; all access is allowed. Since @deny *@, which is what I wanted to put in there, isn’t allowed, this was very confusing.
I would like to see that situation treated as “deny all”, as the docs imply, and I would like @deny *@ to work.
-Robin
History
Updated by Markus Roberts 7 months ago
- Status changed from Unreviewed to Needs design decision
This would be a significant behaviour change; the present assumption is that modules and plugins are accessable by default.
Updated by Robin Powell 7 months ago
Markus Roberts wrote:
This would be a significant behaviour change; the present assumption is that modules and plugins are accessable by default.
Then there’s some kind of documentation error, or at least confusion.
Note that at http://reductivelabs.com/trac/puppet/wiki/FileServingConfiguration it says “The default security configuration is to deny all access, so if no allow lines are specified, the module will be configured but available to no one.”. That sounds like “deny all is the default” to me.
Furthermore:
If I put anything in the [modules] section, “deny all” is suddenly the default behaviour; everything I haven’t explicitly allowed is denied. This strongly implies that “deny all” is the default state.
“allow ” is OK, but “deny ” is a syntax error. This also, very strongly, implies that “deny all” is the default state.
The problem is that when the [modules] section is entirely empty, the behaviour shifts from “deny all” to “allow all”, which is very confusing. If the section missing did that, that would be (mildly) less confusing, but having an empty section do that when the documentation makes it clear that “deny all” is the default is very confusing.
Even then, I would be fine with it if “deny *” worked; all I was trying to do was test that in the “deny all” state, nothing worked.
With the current setup, it is impossible to actually put the config into a “deny all” state; the best you can do is allow something insignificant (or impossible, like a non-routable address not on your network). That’s icky.
-Robin
Updated by Luke Kanies 6 months ago
- Category set to network
- Status changed from Needs design decision to Accepted
- Keywords set to authoratization
I agree, this is a bug.
Is it sufficient to just allow a ‘deny *’ statement in the configuration? That is to say, are the current defaults acceptable, as long as that additional setting is available?
Updated by Robin Powell 6 months ago
That would absolutely be OK by me, yes. Thanks!
-Robin