bug-cfengine
Re: cfengine 2 migration issues


From: Ruben van Staveren
Subject: Re: cfengine 2 migration issues
Date: Wed, 18 Feb 2004 16:41:20 +0100
User-agent: Mutt/1.5.6i

Mark

On Thu, Feb 12, 2004 at 07:21:00PM +0100, address@hidden wrote:
> 
> Ruben - the GNU site is in a mess, so no updates have been posted
> outside of www.cfengine.org for some time. The latest version is
> 2.1.3. Recommend that, perhaps it will solve some of the problems.
> 2.0.6 has a potentially exploitable buffer overflow in cfservd.
> 
> I believe the regex error was a bug in my grammar that was fixed
> immediately afterwards.
> 

Unfortunately it is still there, I had tested up until 2.1.0 or so and
2.1.3 also shows that behavior. Code is in src/item-ext.c (CfRegcomp) I
believe. Apparently, it is fed an empty string.

Maybe it is a good idea to do a 
  if (regex == NULL || *regex == '\0')
          return -1;

before regcomp() or something like that?


Concerning umask and the LogDirectory directives, these seem to be security
related, umask is set to 077 in src/parse.c per default and LogDirectory shows
an error message in src/cfagent.c. The umask directive for shellcommand and
processes sections seems to work, but is erroneously reported as an illegal
statement. Also for 2.0.6 which we have currently deployed.

Can you please enlighten me as I don't understand the background of these
changes regarding the CFE1 way of things?
FYI, we don't use cfservd, but start cfagent from cron every 5 minutes, one
for the system wide root user, and one for the role account to monitor the
project software.

Is cfengine still meant to be used by non-privileged users or "must"
everything go through cfservd...

- Ruben

> M
> 
> On 12 Feb, Ruben van Staveren wrote:
> > Hello all,
> > 
> > At RIPE NCC we have deployed a network of 60 so called Test Traffic
> > Measurement boxes (http://www.ripe.net/ttm/) and are currently in the
> > progress of upgrading our network from cfengine 1 to cfengine 2. We have
> > encountered a few peculiarities which weren't there in the previous
> > versions.
> > 
> > cfengine 2 is now installed on our FreeBSD 4.x based Test Traffic
> > Measurement Testboxes, with the following remarks:
> > 
> > - We are using version 2.0.6 instead of the latest version available because
> >   the grammar in the .l and the .y files changed in 2.0.7, causing harmless
> >   but noisy error messages to appear when using a SetOptionString
> > 
> >     address@hidden:102] /tmp/cfe2/cfengine-2.0.7/src/cfagent -n -DCRON -f
> >     /home/ttraffic/config/cfengine.conf 
> >     cfengine:tt97: Regular expression error 14 for 
> >     cfengine:tt97: empty (sub)expression
> > 
> >   It could be that the BSD implementation of the regular expression
> >   library is more strict and this error is not triggered on other
> >   platforms.
> > 
> > - Separate binaries for root and a non privileged maintenance account have
> >   been installed, this is due to the fact the cfengine status directory
> >   (LogDirectory) is not run time adjustable anymore. See
> >   http://mail.nongnu.org/archive/html/bug-cfengine/2003-11/msg00018.html
> >   what was wrong with the cfengine 1 way of doing things ?
> >   We use a setup where cfengine is run from cron, and not from the cfengine
> >   daemon.
> > 
> > - There seems to be a problem with the umask setting, we have to readjust
> >   permissions on files generated from programs under cfengine 2 control
> >   which was not needed in cfengine 1
> > 
> > 
> > Kind Regards,
> >     Ruben van Staveren
> > 
> 
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272            Email:  address@hidden
> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- 
Ruben van Staveren                      RIPE Network Coordination Centre
New Projects Group/TTM                  Singel 258 Amsterdam NL
http://www.ripe.net                     +31 20 535 4444
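
The guard proposed in the message above, written out as an added example; it is not part of the original post and not cfengine's own code. The names guarded_regcomp() and pattern_matches() are hypothetical, and the sample patterns are constructed.

```c
#include <regex.h>
#include <stdio.h>

/* guarded_regcomp() is a hypothetical wrapper, not cfengine's CfRegcomp().
 * Returns 0 on success, -1 for a NULL/empty pattern or a compile error;
 * err (if non-NULL) receives a short reason. */
static int guarded_regcomp(regex_t *rx, const char *pattern,
                           char *err, size_t errlen)
{
    int rc;

    /* The guard suggested in the message: never hand regcomp() an empty
     * pattern, so the result does not depend on how strict the library is. */
    if (pattern == NULL || *pattern == '\0') {
        if (err != NULL && errlen > 0)
            snprintf(err, errlen, "empty regular expression");
        return -1;
    }
    rc = regcomp(rx, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc != 0) {
        /* rx is undefined after a failed regcomp(): report, do not regfree. */
        if (err != NULL && errlen > 0)
            regerror(rc, rx, err, errlen);
        return -1;
    }
    return 0;
}

/* 1 = match, 0 = no match, -1 = pattern rejected. */
int pattern_matches(const char *pattern, const char *text)
{
    regex_t rx;
    char err[128];
    int hit;

    if (guarded_regcomp(&rx, pattern, err, sizeof err) != 0) {
        fprintf(stderr, "regex rejected: %s\n", err);
        return -1;
    }
    hit = (regexec(&rx, text, 0, NULL, 0) == 0);
    regfree(&rx);
    return hit;
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("%d\n", pattern_matches("", "cfagent"));
    printf("%d\n", pattern_matches("^cf(agent|servd)$", "cfagent"));
    return 0;
}
```

The caller still has to decide what a rejected pattern means for its rule; the wrapper only makes the rejection uniform and reportable.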