GNU cfengine
6.2.4 Some points on the cfservd protocol
Cfservd uses a form for host-based authorization. Each atomic operation,
such as statting, getting files, reading directories etc, requires a new
connection and each connection is verified by a double reverse lookup in
the server's DNS records. Single stat structures are cached during the
processing of a file.
MD5 checksums are transferred from client to server to avoid loading the
server. Even if a user could corrupt the MD5 checksum, he or she would
have to get past IP address access control and the worst that could
happen would be to get the right version of the file. Again this is in
keeping with the idea that users can only harm themselves and not others
with cfengine.
