The server daemon is controlled by a file called `cfd.conf'. The syntax of this configuration file is deliberately modelled on cfengine's own configuration file, but despite the similarities, you cannot mix the contents of the two files.
Though they are not compatible, `cfengine.conf' and `cfd.conf' are similar in several ways:
CFINPUTS
.
groups
and import
in both files
to break up files into convenient modules and to import
common resources, such as lists of groups.
Note that the classes in the `cfd.conf' file do not tell you the classes of host which have access to files and directories, but rather which classes of host pay attention to the access and deny commands when the file is parsed.
Host name authentication is not by class or group but by hostname, like the `/etc/exports' file on most unix systems. The syntax for the file is as follows:
control: classes:: domain = ( DNS-domain-name ) cfrunCommand = ( "script/filename" ) # Quoted MaxConnections = ( maximum number of forked daemons ) ChecksumDatabase = ( filename ) IfElapsed = ( time-in-minutes ) groups: Group definitions import: Files to import admit: | grant: classes:: /file-or-directory wildcards/hostnames deny: classes:: /file-or-directory wildcards/hostnames
The file consists of a control section and access information. You may use the control section to define any variables which you want to use in the remainder of your file. Two variables are special here, they are reserved.
cfrunCommand
cfrun
command.
MaxConnections
IfElapsed
IfElapsed
anti-spamming filter is also built into
cfd
so that a remote user cannot even get as far as
causing cfengine to parse its input files (which could
be used for spamming in itself). The time is in minutes,
the default is one hour.
ChecksumDatabase
Following the control section comes a list of files or directories and hosts which may access these. If permissions are granted to a directory then all sub directories are automatically granted also. Note that symbolic links are not checked for, so you may need to specifically deny access to links if they are plain files, but cfd does not follow symbolic links and give access to files in other directories.
Fully qualified hostnames should be given in this file. Do not forget to
define the domain name. Authentication calls the unix function
gethostbyname()
and so on to identify and verify connecting
hosts, so the names in the file must reflect the type on names returned
by this function. You may use wildcards in names to match, for instance,
all hosts from a particular domain.
Here is an example file
##################################################### # # This is a cfd config file # ##################################################### groups: PasswdHost = ( nexus ) ##################################################### control: # # Assuming CFINPUTS is defined # cfrunCommand = ( "/usr/local/bin/cfengine" ) variable = ( /usr/local/publicfiles ) ##################################################### admit: # Can also call this grant: PasswdHost:: /etc/passwd *.iu.hioslo.no FtpHost:: # An alternative to ftp, grant anyone /local/ftp/pub * any:: $CFINPUTS/cfrun.sh *.iu.hioslo.no ##################################################### deny: /etc/services borg.iu.hioslo.no /local/ftp *.pain-in-the-ass.com
NOTE I: cfd is not rpc.mountd
, access control is by filename,
not by device name. Do not assume that files lying in subdirectories are
not open for access simply because they lie on a different device. You should
give the real path name to file and avoid symbolic links.
NOTE II: access control is per host, not per user. If you open a file for a host you open it for every user on that host.
If you still have problems with lack of access, it could be that you have forgotten to define the domain name for your network, or that you do not understand the TCP wrappers files `/etc/hosts.access' and `/etc/hosts.deny'.
Go to the first, previous, next, last section, table of contents.