AllowGroups foo bar baz xyzzy
And then somewhere else, the www-data user had been added to the baz group, so that the webserver could write to some files owned by the baz user (on a group-per-user system, naturally).
Ordinarily, you wouldn't connect these two things (the changes most likely having been made months apart), and it was only that I was examining all of the changes made to the system in this manifest at once that I connected the two things at all. There are a couple of ramifications here:
- This likely makes a lot more things readable/writable by the webserver than was anticipated.
- Suddenly, despite all of the admirable paranoia shown by the initial use of the AllowGroups config, we've just inadvertantly given the user that our webserver runs as SSH access to the server.
I don't know whether the problem is excessive complexity and hence the risk of unintended consequences, or if problems like this can be avoided with sufficient careful thought, but I do know one thing: making all of your system changes through a system like Puppet doesn't just make your systems more reproducible, it also makes them more auditable. Bonus!