From d324e12e0230ce1cdcdbe6ac47f1387d6f3278e3 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Thu, 29 Apr 2021 07:43:05 +0200 Subject: [PATCH] README: multiple improvements --- README.adoc | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/README.adoc b/README.adoc index 6d85d51..94f2792 100644 --- a/README.adoc +++ b/README.adoc @@ -25,8 +25,10 @@ simplicity and safety in the following principles: injection attacks; each host only receives its own configuration and no data from other hosts - *safety and security*: create files with "write to temporary file", "sync", - "rename", "sync directory" for atomicity and durability; guard against - symlink and other TOCTOU attacks; extensive test suite + "rename", "sync directory" for atomicity and durability; implemented in a + memory safe language and using a simple synchronization protocol to prevent + attacks on the local host; guard against symlink and other TOCTOU attacks; + extensive test suite == Overview @@ -96,14 +98,14 @@ future, others are due to the design of safcm. - Commands are executed with `/bin/sh -c` on the remote host which might leak sensitive information to other users via the command line (unless `/proc` is - mounted with `hidepid=`). Store sensitive data in a file and execute or - source it as a workaround. + mounted with `hidepid=` on GNU/Linux systems). Store sensitive data in a + file and execute or source it as a workaround. - Permissions of existing files and directories will be overwritten with the default (root/root, 0644 for files, 0755 for directories) unless manually configured via `permissions.yaml`. This includes important paths like `/root` which often have strict permissions by default, so carefully check - the diff output for unwanted changes. + the output for unwanted changes. - The full file content of all files is sent to the remote during synchronization. This makes it impractical to synchronize large files with @@ -124,7 +126,7 @@ future, others are due to the design of safcm. == Requirements - to build the `safcm` binary and remote helper: - * Go >= 1.16 + * Go >= 1.16 (for `go:embed`, `io/fs`) * GNU make - local host: @@ -148,6 +150,14 @@ future, others are due to the design of safcm. Adding support for other operating systems (e.g. BSDs) or distributions including package managers (e.g. Arch, Gentoo) is easy. Please send patches. +At the moment the remote helper is built for the following operating systems +($GOOS) and architectures ($GOARCH). To add more architectures simply edit +`cmd/safcm-remote/build.sh`. + + - freebsd: amd64 + - linux: amd64, armv7 + - openbsd: amd64 + == Authors -- 2.45.2