Project

General

Profile

Actions
Copy link

Architecture #15109

open

Rudder should not have exec binaries in /var, it conflicts with security best practices

Added by François ARMAND over 5 years ago. Updated almost 3 years ago.

Status:
New
Priority:
N/A
Assignee:
-
Category:
Security
Target version:
-
Pull Request:
Effort required:
Medium
Name check:
Fix check:
Regression:

Description

In Rudder, we have executable binaries in /var/rudder/cfengine-community/bin/ (like cf-agent etc).

This conflict with security best practice, particlarly mounting /var in noexec.

Moreover, binaries in /var/rudder/cfengine-community/bin/ are duplicated and they are also in /opt/rudder/bin/

Actions
Copy link
 #1

Updated by Alexis Mousset over 5 years ago

They are not duplicated anymore in 5.1 (replaced by a symlink). Only using /opt/rudder/bin would require changing in CFEngine behavior, so would require (maybe quite large) architecural changes.

Actions
Copy link
 #2

Updated by Vincent MEMBRÉ about 5 years ago

  • Target version changed from 6.0.0~beta1 to 6.0.0
  • Priority changed from 32 to 62
Actions
Copy link
 #3

Updated by Benoît PECCATTE about 5 years ago

  • Effort required set to Medium
  • Priority changed from 62 to 45
Actions
Copy link
 #4

Updated by Alexis Mousset almost 5 years ago

  • Target version changed from 6.0.0 to 6.0.1
Actions
Copy link
 #5

Updated by Alexis Mousset almost 5 years ago

  • Target version changed from 6.0.1 to 6.1.0~beta1
  • Priority changed from 45 to 22
Actions
Copy link
 #6

Updated by Alexis Mousset over 4 years ago

  • Target version changed from 6.1.0~beta1 to 6.2.0~beta1
  • Priority changed from 22 to 21
Actions
Copy link
 #7

Updated by François ARMAND over 4 years ago

  • User visibility changed from Infrequent - complex configurations | third party integrations to Operational - other Techniques | Rudder settings | Plugins
  • Priority changed from 21 to 25
Actions
Copy link
 #8

Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 6.2.0~beta1 to 6.2.0~rc1
  • Priority changed from 25 to 49
Actions
Copy link
 #9

Updated by François ARMAND about 4 years ago

  • Target version deleted (6.2.0~rc1)
Actions
Copy link
 #10

Updated by François ARMAND almost 3 years ago

  • Tracker changed from Bug to Architecture
  • Severity deleted (Critical - prevents main use of Rudder | no workaround | data loss | security)
  • User visibility deleted (Operational - other Techniques | Rudder settings | Plugins)
  • Priority deleted (49)
Actions
Copy link

Also available in: Atom PDF