Salt master file_recv: true for specific minion(s) instead of globally #67424
Replies: 10 comments
-
This would be great to have. I am marking this as a feature request. Thanks,
-
If possible, limiting the directory that cp.push and cp.push_dir can move files to would be useful as well.
-
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
-
+1 from me on this one
-
Thank you for updating this issue. It is no longer marked as stale.
-
Why so? Can the minion push files to any location? Can the minion push files to the server whenever it wants to, even if no cp.push command is run on the server?
-
Imagine a malicious minion continuously pushing 1G files to the master, filling up the filesystem or using all the inodes. Then the master will stop working.
-
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
-
Bump
-
Thank you for updating this issue. It is no longer marked as stale.
-
Description of Issue/Question
I've searched GitHub and the Google Groups, but personally haven't found anyone asking for this yet. Since file_recv: true is considered a security vulnerability, but cp.push and cp.push_dir are extremely useful commands, would it be possible to limit the minions that can use the file_recv features? This would help me limit the blast radius of enabling this feature to only the most important select boxes while preventing all other boxes from sending files to the master.
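Until a per-minion setting exists, a master that runs with file_recv: true can at least be audited for what minions have pushed. The script below is an added example, not Salt code and not from any participant in this thread; it assumes the default master cachedir layout (/var/cache/salt/master/minions/<minion-id>/files), and the allowlist, byte budget and minion names are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Assumption: default master cachedir; cp.push output lands under <minion-id>/files.
DEFAULT_MINIONS_DIR = "/var/cache/salt/master/minions"

def audit_pushed_files(minions_dir, allowed_minions, max_bytes_per_minion):
    """Return {minion_id: {"bytes", "files", "reasons"}} for policy violations."""
    findings = {}
    for entry in sorted(Path(minions_dir).iterdir()):
        files_dir = entry / "files"
        if not files_dir.is_dir():
            continue
        total = count = 0
        for root, _dirs, names in os.walk(files_dir):
            for name in names:
                # lstat: size the entry itself, never follow a symlink out of the cache
                total += os.lstat(os.path.join(root, name)).st_size
                count += 1
        if count == 0:
            continue
        reasons = []
        if entry.name not in allowed_minions:
            reasons.append("not-allowlisted")
        if total > max_bytes_per_minion:
            reasons.append("over-budget")
        if reasons:
            findings[entry.name] = {"bytes": total, "files": count, "reasons": reasons}
    return findings

def demo():
    """Run the audit over a constructed tree with three hypothetical minions."""
    sample = {  # constructed sample data: minion id -> [(relative path, size)]
        "backup01": [("etc/app.conf", 200)],
        "backup02": [("var/a.tar", 3000), ("var/b.tar", 3000)],
        "web07": [("tmp/dump.bin", 4096)],
    }
    with tempfile.TemporaryDirectory() as tmp:
        for minion, files in sample.items():
            for rel, size in files:
                path = Path(tmp, minion, "files", rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(b"\0" * size)
        return audit_pushed_files(tmp, {"backup01", "backup02"}, 5000)

if __name__ == "__main__":
    for minion, info in demo().items():
        print(minion, info)
```

This only detects pushes after the fact; it does not stop a minion from filling the disk, which is the gap the feature request describes.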