I’ve recently delved in to the world of Puppet to manage some CentOS servers. In the process I noticed something. The /etc/puppet directory is owned by root:root but puppet runs as the user puppet. What does this mean? A couple of things:
- To edit the manifests or modules I either have to be root or constantly be typing sudo (annoying).
- For the puppetmaster process, which runs as puppet:puppet to access the files, the manifest and modules must be world readable. This means a lot of information is visible to the world, encrypted or not.
- I can’t use my favorite editor to edit files over ssh. (I know, a personal gripe, but valid in my books.)
So I’m trying an experiment that I hope will secure the data a bit more and make editing the files more hastle free.
- Recursively changed the group of /etc/puppet to puppet.
- Put myself in the puppet group. I can now edit the files without being root. (See newgrp(1).)
- I’ll slowly begin to set the Other permission bits to 0, hiding the files and their contents from prying eyes.