Tuesday, September 4, 2007

Cfengine File Permission Blunder

While testing some changes to our sshd_config, I imported a copy of it from another host to our cfengine repository. After making adjustments to our cfagent.conf so that the test machine would be the only host to get this copy, I saved the file and ran cfagent.

Much to my surprise, the test server's sshd_config file would not update. I double-checked my cfagent.conf, made sure the file was correct in the cfengine repository, etc. Looking at /var/log/messages, I saw:

Sep 4 12:52:50 testhost cfengine:testhost[4333]: Network access to cfserver:/repository/cfengine/test/etc/ssh/sshd_config denied

This was confusing, because the testhost:/var/cfengine/cfagent.conf was getting the new configuration file. After banging my head for a while, I realized that the permissions of cfserver:/repository/cfengine/test/etc/ssh/sshd_config were incorrect.

-r-------- 1 root root 3050 Sep 4 10:53 sshd_config

Apparently, when importing the file over to my repository, I kept its original permissions. After chown'ing the file to cfengine, everything worked. Unfortunately, "Network access denied" is misleading. So, in the future, check your file perms to make sure cfengine can read the file.
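
One way to catch this before running cfagent is to scan the repository for anything the serving account cannot reach. This is an added example, not part of the original post or of cfengine itself. It assumes the server reads the repository as the cfengine account mentioned above, and it only models the classic owner/group/other mode bits.

```shell
#!/bin/sh
# Added example (not from the original post): list entries under a
# repository tree that a given account could not read or traverse.
# Assumptions: numeric uid and primary gid of a non-root account;
# supplementary groups and ACLs are ignored.

# lacks_bit UID GID ROOT TYPE BIT
# Print entries of TYPE (f or d) under ROOT where the permission class
# that applies to UID/GID (owner, else group, else other) lacks BIT.
lacks_bit() {
    find "$3" -type "$4" \( \
        \( -user "$1" ! -perm "-u=$5" \) -o \
        \( ! -user "$1" -group "$2" ! -perm "-g=$5" \) -o \
        \( ! -user "$1" ! -group "$2" ! -perm "-o=$5" \) \
    \) -print
}

# unreadable_by UID GID ROOT
unreadable_by() {
    lacks_bit "$1" "$2" "$3" d x   # directories the account cannot search
    lacks_bit "$1" "$2" "$3" f r   # files the account cannot read
}

# Typical use on the server, with the repository path from the log line above:
#   unreadable_by "$(id -u cfengine)" "$(id -g cfengine)" /repository/cfengine
```

A root-owned file with mode 0400, like the sshd_config listing above, is reported for any other account. An empty result means every file and directory passed the mode-bit check.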
