Salt: Salt master file_recv: true for specific minion(s) instead of globally

Created on 12 Jul 2017 · 10 Comments · Source: saltstack/salt

Description of Issue/Question

I've searched GitHub and the Google Groups, but personally haven't found anyone asking for this yet. Since file_recv: true is considered a security vulnerability, but cp.push and cp.push_dir are extremely useful commands, would it be possible to limit the minions that can use the file_recv features? This would help me limit the blast radius of enabling this feature to only the most important select boxes, while preventing all other boxes from sending files to the master.

Core Feature

All 10 comments

This would be great to have.

I am marking this as a feature request.

Thanks,
Daniel

If possible, limiting the directory that cp.push and cp.push_dir can move files to would be useful as well.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

+1 from me on this one

Thank you for updating this issue. It is no longer marked as stale.

Since file_recv: true is considered a security vulnerability

Why so? Can the minion push files to any location? Can a minion push files to the server whenever it wants to, even if no cp.push command is run on the server?

Imagine a malicious minion continuously pushing 1G files to the master, filling up the filesystem or using all the inodes.

Then the master will stop working.
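The scenario in the comment above is a resource-exhaustion problem on the master, and Salt's own knob for it, the master option file_recv_max_size (a per-file cap in megabytes, default 100), bounds only the size of a single push, not the total volume or the number of files a minion can accumulate. The following is an added example, not code from the Salt project or from anyone in this thread: a small audit that walks the master's push cache and reports minions whose pushed files exceed a byte or inode budget. It assumes Salt's documented layout, where cp.push stores files under <cachedir>/minions/<minion_id>/files/ (cachedir defaults to /var/cache/salt/master); the thresholds, the function names and the sample directory tree are made up for the demonstration. It does not provide the per-minion allow-list this issue requests.

```python
"""Audit the Salt master's file_recv push cache per minion.

Added example, not code from the Salt project or from this issue.
Assumption (Salt's documented behaviour): files sent with cp.push land
under <cachedir>/minions/<minion_id>/files/ on the master. The byte and
inode thresholds and the sample tree below are constructed for the demo.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class MinionUsage:
    minion_id: str
    bytes_used: int
    entries: int      # files plus directories, i.e. inodes consumed


def minion_usage(cachedir):
    """Walk <cachedir>/minions/*/files and total bytes and entries per minion."""
    minions_dir = os.path.join(cachedir, "minions")
    usage = []
    if not os.path.isdir(minions_dir):
        return usage
    for minion_id in sorted(os.listdir(minions_dir)):
        files_dir = os.path.join(minions_dir, minion_id, "files")
        total, entries = 0, 0
        for root, dirs, files in os.walk(files_dir):
            entries += len(dirs) + len(files)
            for name in files:
                path = os.path.join(root, name)
                # lstat so a symlink's target size is not attributed to the minion
                if not os.path.islink(path):
                    total += os.lstat(path).st_size
        usage.append(MinionUsage(minion_id, total, entries))
    return usage


def offenders(cachedir, max_bytes, max_entries):
    """Return ids of minions whose pushed files exceed either budget."""
    return [u.minion_id for u in minion_usage(cachedir)
            if u.bytes_used > max_bytes or u.entries > max_entries]


def build_sample_cache(root):
    """Constructed cachedir: a well-behaved minion, one that pushed a large
    file, and one that pushed thousands of tiny files (inode exhaustion)."""
    layout = {
        "web01": [("etc/hosts", 200)],
        "db01": [("var/dump.sql", 5 * 1024 * 1024)],
        "bad01": [("spam/%05d" % i, 1) for i in range(3000)],
    }
    for minion_id, files in layout.items():
        for rel, size in files:
            path = os.path.join(root, "minions", minion_id, "files", rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"x" * size)
    return root


def demo(max_bytes=1024 * 1024, max_entries=1000):
    """Build the sample cache in a temp dir and return the offending minion ids."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return offenders(tmp, max_bytes, max_entries)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        for u in minion_usage(tmp):
            print(f"{u.minion_id:8s} {u.bytes_used:>10d} bytes {u.entries:>6d} entries")
        print("over budget:", offenders(tmp, 1024 * 1024, 1000))
```

Run it from cron on the master against the real cachedir and alert (or delete the minion's push directory) when offenders() is non-empty. Counting directory entries as well as bytes matters because the inode-exhaustion variant in the comment fills the filesystem with near-empty files that a byte budget alone would never flag.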

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

Bump

Thank you for updating this issue. It is no longer marked as stale.
