www.delorie.com/gnu/docs/cfengine/cfengine-Tutorial_70.html   search  
 
Buy GNU books!


GNU cfengine

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

6.2.2 Remote execution of cfagent

It is a good idea to execute cfagent by getting cron to run it regularly. This ensures that cfagent will be run even if you are unable to log onto a host to run it yourself. Sometimes however you will want to run cfagent immediately in order to implement a change in configuration as quickly as possible. It would then be inconvenient to have to log onto every host in order to do this manually. A better way would be to issue a simple command which contacted a remote host and ran cfagent, printing the output on your own screen:

 
myhost% cfrun remote-host -v

 output....

A simple user interface is provided to accomplish this. cfrun makes a connection to a remote cfservd-daemon and executes cfagent on that system with the privileges of the cfservd-daemon (usually root). This has a two advantages:

A potential disadvantage with such a system is that malicious users might be able to run cfagent on remote hosts. The fact that non-root users can execute cfagent is not a problem in itself, after all the most malicious thing they would be able to do would be to check the system configuration and repair any problems. No one can tell cfagent what to do using the cfrun program, it is only possible to run an existing configuration. But a more serious concern is that malicious users might try to run cfagent repeatedly (so-called `spamming') so that a system became burdened with running cfagent constantly, See section 6.2.3 Spamming and security.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

  webmaster   donations   bookstore     delorie software   privacy  
  Copyright 2003   by The Free Software Foundation     Updated Jun 2003