[rancid] Re: user wich is running rancid-run [suggestion]

Max Allan max_allan at hotmail.com
Wed Sep 23 20:39:48 UTC 2009


> From: diego.ercolani at ssis.sm
> To: rancid-discuss at shrubbery.net
> Date: Wed, 23 Sep 2009 17:42:09 +0200
> Subject: [rancid] Re: user wich is running rancid-run [suggestion]

>> While I understand your concerns, the system admin in me says that it is
>> better to properly secure the repository rather than the application.
>> If your user-id shouldn't be writing to the repository, it shouldn't
>> have write access.  For those occasions where you need to, the sudo
>> command should be used (with care).
> You are almost right.... system admin have to know what is going to do, in an 
> ideal world.... now sysadm often is the one who click next... in a wizard 
> without even reading the GUI messages :-((((

Shouldn't be a problem:
1. The non-rancid user shouldn't have a .cloginrc file with all the logins, so rancid should mainly fail.
2. If it's a new repo, then just delete it and start again. If it's an old one, surely a chown -R {rancid-user}:{rancid-users-group} will fix the file ownership if they're wrong somehow. You can do similar with chmod but I'm not sure about what cvs does for permissions, the perms should be right anyway unless they rely on the user's umask.
3. If it's an old repo, then all the files should exist anyway and the modification shouldn't change ownership.
4. As pointed out above, you should secure things sensibly. Otherwise someone else will come along and make a different mistake "what, I can't change the router config by changing the files in rancid directly, why not?" or worse!
5. If it's important, where's the backup? If the backup is too hard to recover, you need a better backup solution!
(Sorry if that sounds a bit like preaching, it's just a couple of good practices that no-one ever wants to follow. Good backups and proper use of permissions etc. can be hard or confusing, but worth it in the long run.)
Yes, I often click next without reading the message, but only if I think I know what it's going to say. A good sysadm will be able to tell you what each box is before it pops up. But some people seem to think that because they've seen someone good not read the message, they can not read messages and be good too. They forget that the "good" person has probably done it thousands of times already - and has a backup so if it all goes wrong, he knows he can fix whatever the worst outcome is in a few minutes.
Any admin who tries to tell you he never made a mistake and needed a backup is probably either too scared to ever do anything or lying!
Just be really careful using a tool like clogin to make changes, because it allows you to multiply your mistake on lots of different boxes with minimal effort. An old colleague of mine made a mistake (not with rancid but a similar tool) that was about 15 mins to fix on his local box, but he'd applied it to about 100 workstations around site and the mistake meant you had to fix it on the console. (He broke the local passwd files.) Imagine doing password recovery on every box you run rancid at... (His surname was Ercolani too!)
Max
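
An added example, not part of the original message or of RANCID itself: a read-only preflight for the ownership points above, which refuses to continue when the invoking account is not the expected one and lists paths whose owner has drifted, so they can be reviewed before any chown -R. The account name and repository path in the usage comment are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not RANCID code). Function names are hypothetical; the
# account name and repository path are whatever your install uses.

# Name of the invoking account, falling back to the numeric uid when the
# uid has no passwd entry.
current_user() {
    id -un 2>/dev/null || id -u
}

# Succeed only when the invoking account is the expected one ($1).
is_expected_user() {
    [ "$(current_user)" = "$1" ]
}

# Print every path under $1 that is NOT owned by user $2. Read-only: this
# only reports, it never changes ownership.
list_foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Number of paths under $1 not owned by user $2.
count_foreign_owned() {
    list_foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Returns 0 when it is safe to continue, 1 for the wrong account,
# 2 when ownership under the repository has drifted.
preflight() {
    pf_user=$1
    pf_repo=$2
    if ! is_expected_user "$pf_user"; then
        echo "refusing: running as $(current_user), expected $pf_user" >&2
        return 1
    fi
    pf_n=$(count_foreign_owned "$pf_repo" "$pf_user")
    if [ "$pf_n" -ne 0 ]; then
        echo "refusing: $pf_n path(s) under $pf_repo not owned by $pf_user:" >&2
        list_foreign_owned "$pf_repo" "$pf_user" >&2
        return 2
    fi
    return 0
}

# Usage (placeholders): preflight RANCID_USER /path/to/repository && rancid-run
```
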