Salt master file_recv: true for specific minion(s) instead of globally #42284
Comments
This would be great to have. I am marking this as a feature request. Thanks,
If possible, limiting the directory that cp.push and cp.push_dir can move files to would be useful as well.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
+1 from me on this one
Thank you for updating this issue. It is no longer marked as stale.
Why so? Can the minion push files to any location? Can the minion push files to the server whenever it wants to, even if no cp.push command is run on the server?
Imagine a malicious minion continuously pushing 1G files to the master, filling up the filesystem or using all the inodes. Then the master will stop working.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Bump
Thank you for updating this issue. It is no longer marked as stale.
Description of Issue/Question
I've searched GitHub and the Google Groups, but personally haven't found anyone asking for this yet. Since `file_recv: true` is considered a security vulnerability, but `cp.push` and `cp.push_dir` are extremely useful commands, would it be possible to limit the minions that can use the `file_recv` features? This would help me limit the blast radius of enabling this feature to only the most important select boxes while preventing all other boxes from sending files to the master.