admin role access for a changeconfig (puppet) daemon?

Posted: Mon Apr 21, 2008 7:59 pm
by law
So, I've got this daemon that is going to need pretty much unfettered access to everything on a box. I'd like to be able to remotely manage grsec ACLs through puppet, but obviously this is going to require the puppet daemon to have some kind of special access. How can I give a daemon that normally runs as 'root' on a non-grsec'd system the heightened privileges it needs to do its thing? Ideally, I'd like to not have to enter a password for it to authenticate, but ONLY if it's started from a specific host (the master). Any ideas?

--Lee

Re: admin role access for a changeconfig (puppet) daemon?

Posted: Thu Apr 24, 2008 9:57 am
by windo
wdym "started from a specific host"?

you can override any/most options in subject configuration, so if your daemon *only* ever does things that the master tells it to do over an authenticated session, you can just give it the right to update/run everything.

you can most probably write a wrapper around gradm to reload the policy, but you'd have to take care not to store the password anywhere the root could read from.
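
An added example of the subject-based approach described above (not code from this thread or from the grsecurity project): a grsecurity RBAC policy fragment that gives the puppet client daemon its own overriding subject inside the default role, with broad filesystem access but the admin password hash kept hidden and capabilities trimmed to what a configuration daemon uses. Assumed, adjust to your install: binary /usr/sbin/puppetd, policy file /etc/grsec/policy, password hash /etc/grsec/pw, master at the placeholder address 192.0.2.10 on port 8140.

```text
# Added example, not from this thread: grsecurity RBAC policy fragment for a
# puppet client daemon. Paths and the master address are assumptions.

role default G
role_transitions admin

# ... the role's other subjects (e.g. a restrictive "/" subject) go here ...

# Subject mode 'o' overrides ACL inheritance: puppetd does not inherit the
# objects of the parent "/" subject, so the lines below are its whole policy.
subject /usr/sbin/puppetd o {
    # Broad filesystem access: the daemon must be able to write any managed
    # file, create/delete paths and execute package/service tools.
    /                   rwxcdml
    # It may rewrite the policy it is managing...
    /etc/grsec/policy   rw
    # ...but the admin password hash stays hidden even from this root daemon
    # (the "don't store the password where root can read it" point above).
    /etc/grsec/pw       h
    # Kernel memory and boot files are not something a config daemon touches.
    /dev/kmem           h
    /dev/mem            h
    /dev/port           h
    /proc/kcore         h
    /boot               h

    # Capabilities: drop everything, then add back what a root configuration
    # daemon actually uses (CAP_SYS_ADMIN only if manifests mount filesystems).
    -CAP_ALL
    +CAP_CHOWN
    +CAP_DAC_OVERRIDE
    +CAP_FOWNER
    +CAP_FSETID
    +CAP_KILL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_NET_BIND_SERVICE
    +CAP_SYS_ADMIN

    # Network: the client only ever connects to the master (placeholder
    # address) plus DNS; it never listens itself.
    connect 192.0.2.10/32:8140 stream tcp
    connect 0.0.0.0/0:53 dgram udp
    bind disabled
}
```

The hidden objects take precedence over the catch-all "/" object because grsecurity matches the most specific path, which is what lets a "give it everything" subject still carve out the few files it should never see.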

Re: admin role access for a changeconfig (puppet) daemon?

Posted: Thu Apr 24, 2008 11:52 am
by law
Ahh, so I wouldn't even need to create a separate role for it, I could just define a subject that gives it access to everything and call it good? Sounds like a plan!

--Lee