Architecture #15109
open
Rudder should not have exec binaries in /var, it conflicts with security best practices
Added by François ARMAND over 5 years ago.
Updated almost 3 years ago.
Description
In Rudder, we have executable binaries in /var/rudder/cfengine-community/bin/ (like cf-agent etc).
This conflicts with security best practices, particularly mounting /var in noexec.
Moreover, binaries in /var/rudder/cfengine-community/bin/ are duplicated and they are also in /opt/rudder/bin/
They are not duplicated anymore in 5.1 (replaced by a symlink). Only using /opt/rudder/bin would require changes in CFEngine behavior, so it would require (maybe quite large) architectural changes.
- Target version changed from 6.0.0~beta1 to 6.0.0
- Priority changed from 32 to 62
- Effort required set to Medium
- Priority changed from 62 to 45
- Target version changed from 6.0.0 to 6.0.1
- Target version changed from 6.0.1 to 6.1.0~beta1
- Priority changed from 45 to 22
- Target version changed from 6.1.0~beta1 to 6.2.0~beta1
- Priority changed from 22 to 21
- User visibility changed from Infrequent - complex configurations | third party integrations to Operational - other Techniques | Rudder settings | Plugins
- Priority changed from 21 to 25
- Target version changed from 6.2.0~beta1 to 6.2.0~rc1
- Priority changed from 25 to 49
- Target version deleted (6.2.0~rc1)
- Tracker changed from Bug to Architecture
- Severity deleted (Critical - prevents main use of Rudder | no workaround | data loss | security)
- User visibility deleted (Operational - other Techniques | Rudder settings | Plugins)
- Priority deleted (49)
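Added example (not part of the ticket or of Rudder's code): a shell check for whether a path such as /var/rudder/cfengine-community/bin sits on a filesystem mounted noexec, using a longest-prefix match against a mount table in /proc/mounts format. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example. Mount table format is that of /proc/mounts:
#   device mountpoint fstype options dump pass
# Paths are matched as given; symlinks are not resolved.

# Print the mount options of the filesystem containing path $1,
# read from mount table $2 (default: /proc/mounts).
mount_opts_for() {
    awk -v path="$1" '
        {
            mp = $2
            # A mount point contains the path if it is "/", an exact
            # match, or the path continues with "/" right after it.
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                # Longest mount point wins; on a tie the later line
                # wins, because later mounts shadow earlier ones.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# Exit status 0 if path $1 is on a noexec filesystem, 1 otherwise.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: /var hardened with noexec, /opt left executable.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /opt ext4 rw,relatime 0 0
EOF
}

sample=$(mktemp)
write_sample_mounts "$sample"
for p in /var/rudder/cfengine-community/bin /opt/rudder/bin; do
    if is_noexec "$p" "$sample"; then echo "$p: noexec"; else echo "$p: exec allowed"; fi
done
rm -f "$sample"
```

Calling `is_noexec` with only a path checks the live mount table of the host it runs on.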