[rancid] Checking for root

Alan McKinnon alan.mckinnon at gmail.com
Thu Jun 6 21:36:37 UTC 2013


On 06/06/2013 17:34, heasley wrote:
> Thu, Jun 06, 2013 at 04:57:10PM +0200, Alan McKinnon:
>> On 06/06/2013 16:45, Matthew Walster wrote:
>>> More often than not, people are coming to me with RANCID issues that
>>> have arisen because someone has been impatient and decided to run
>>> rancid-run manually rather than letting the next run initiate manually.
>>>
>>> The only problem with that is that they tend to run it as "root" rather
>>> than the rancid user.
>>>
>>> Would it be worth putting a check in so that rancid-run script won't run
>>> unless it's as a non-privileged user (or even better, build it into the
>>> automake run to discover the intended final user).
>>>
>>> Simple code sample:
>>>
>>> if [[ $EUID -eq 0 && $force -ne 1 ]]
>>> then
>>>         echo "Run this as the RANCID user!"
>>>         exit 1
>>> fi
>>>
>>> There's a "force" option there, just in case you really did run it as
>>> root, which seems like bad practice to me...
>>>
>>> Just a thought!
>>
>>
>> +1
>>
>> I'm all in favour of scripts not letting themselves be run as root. The
>> automake idea is better still, as permissions and ownerships issues from
>> running scripts as the wrong user can be very annoying to track down,
>> and that problem never resolves.
>>
>> Personally, I also always apply this rule forcefully with no recourse:
>>
>> Anyone who abuses the root account loses the root account.
> 
> s/abuses/doesnt know what theyre doing with/
> 
> anyway, i don't care for such checks, i know what my UID is and things that
> think they must protect me from myself are just annoying and it's not the
> Unix manner.  but, if folks would like this, i'd be willing to add a check
> that is enabled by a rancid.conf option, which i believe would be sufficient,
> right?


That could work but I'd prefer a build time option, lets the sysadmin
decide what global rules are in play.

It's a concession to reality - rancid is extensively used in corporate
and semi-corporate environments where the sysadmin often doesn't get to
decide who the other users are. Lesser of two evils - bend TheUnixWay a
little, or have to deal with chown a lot.


-- 
Alan McKinnon
alan.mckinnon at gmail.com
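
The check discussed in this thread, extended to compare against the intended uid and to list files left behind by a run as the wrong user. This is an added example, not part of any message in the thread or of rancid itself; the function names, the uid arguments and the force flag are assumptions.

```shell
#!/bin/sh
# Added example. The function names, the uid arguments and the force flag are
# assumptions for illustration; they are not rancid-run or rancid.conf options.

# check_run_user CUR_UID WANT_UID [FORCE]
#   returns 0 = allowed, 1 = refused because caller is root, 2 = wrong user
check_run_user() {
    cru_cur=$1 cru_want=$2 cru_force=${3:-0}
    if [ "$cru_cur" -eq 0 ]; then
        # root is accepted only with an explicit override
        [ "$cru_force" = 1 ] && return 0
        echo "refusing to run as root; run as uid $cru_want" >&2
        return 1
    fi
    if [ "$cru_cur" -ne "$cru_want" ]; then
        echo "running as uid $cru_cur, expected uid $cru_want" >&2
        return 2
    fi
    return 0
}

# foreign_owned DIR UID
#   Prints every path under DIR that is not owned by UID: the leftovers of an
#   earlier run as the wrong user, which later surface as permission errors.
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Demo with constructed values: uid 0 without the override is refused.
check_run_user 0 1000 0 || echo "check_run_user returned $?"
```

A wrapper would call `check_run_user "$(id -u)" "$(id -u rancid)"` before doing any work, where the account name `rancid` is itself an assumption about the local install.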


