This repository has been archived by the owner on Mar 15, 2019. It is now read-only.

Grains insecure for targeting sensitive data #24

Closed
rcallphin opened this issue Aug 31, 2017 · 2 comments

@rcallphin

Grains are controlled by the minion, so targeting sensitive data via grains is not secure. A compromised minion could modify its grains. The only grain that is safe is id, since the master enforces that the id grains must match the minion ID on the accepted key.

So the example:
"If a template contains a grain which evaluates to a list, it will be expanded into multiple policies. For example, given the template saltstack/by-role/{grains[roles]}, and a minion having these grains:
The minion will have the policies saltstack/by-role/web and saltstack/by-role/database."

Is not necessarily a secure way to target your secrets as a compromised minion could simply change its role in order to retrieve secrets it should not be able to access. I think there should be a warning next to this example that grains are controlled by minions and therefore insecure.

I think that a more appropriate support for targeting would be pillar data. Is that a possibility?
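To make the trust distinction concrete, here is an added example (not code from this repo or from saltstack) that expands a policy template like the one quoted above. Placeholders read from the verified minion id or from master-assigned pillar are expanded; a `{grains[...]}` placeholder is refused unless explicitly trusted, since the minion controls that data. The minion id, pillar and grains below are constructed sample data.

```python
import re
from itertools import product

# Matches placeholders such as {minion}, {grains[roles]} and {pillar[roles]}.
TOKEN = re.compile(r"\{(minion|grains|pillar)(?:\[([^\]]+)\])?\}")


def expand_policies(template, minion_id, grains, pillar, trust_grains=False):
    """Expand one policy template into a list of concrete policy names.

    {minion}    -> the minion id the master verified against the accepted key
    {pillar[k]} -> data the master assigned; the minion cannot alter it
    {grains[k]} -> data the minion reported about itself; refused unless
                   trust_grains=True, because a compromised minion can set it
    A list value expands into one policy per element (cartesian product).
    """
    choices = []
    for source, key in TOKEN.findall(template):
        if source == "minion":
            values = [minion_id]
        elif source == "pillar":
            values = pillar.get(key, [])
        elif not trust_grains:
            raise ValueError(f"refusing minion-controlled grain {key!r} in {template!r}")
        else:
            values = grains.get(key, [])
        choices.append(values if isinstance(values, list) else [values])
    policies = []
    for combo in product(*choices):
        it = iter(combo)
        policies.append(TOKEN.sub(lambda _m: str(next(it)), template))
    return policies


# Constructed data: the master assigned this minion only the "web" role via
# pillar, but the (compromised) minion now reports an extra "database" role.
MINION_ID = "web01"
PILLAR = {"roles": ["web"]}
TAMPERED_GRAINS = {"id": MINION_ID, "roles": ["web", "database"]}


def policies_for(template, trust_grains=False):
    return expand_policies(template, MINION_ID, TAMPERED_GRAINS, PILLAR, trust_grains)


def refuses_untrusted_grains(template):
    """True when the template is rejected because it depends on grains."""
    try:
        policies_for(template)
    except ValueError:
        return True
    return False
```

With grains trusted, the tampered minion is granted `saltstack/by-role/database`; keyed on pillar, it only ever gets the policies the master assigned.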

@rcallphin
Author

Closing now. Looks like this has been addressed by saltstack and will be in the next major release. saltstack/salt#43287

@carlpett
Owner

See my comments in the linked issue and PR. Also, I should add a note on this repo that it has been merged to saltstack main.
