Discussion:
[rancid] user which is running rancid-run [suggestion]
Diego Ercolani
2009-09-22 10:29:02 UTC
I would like to suggest that the developers add a small check to the scripts that invoke
rancid tools that are going to modify the filesystem: rancid-run, rancid-cvs

The issue:
==========
In my installation, as (I think) in the others, rancid is the user which normally
invokes these tools.
By mistake I invoked rancid-run as root, and what I obtained was that the
repository was modified in such a manner that:
1. all the router configurations have been deleted, as svn didn't find the directory
under the root homepage
2. I had to change the owner of every file back to rancid and re-invoke rancid-run
as the user, and then everything was reinitialized.


The Solution:
=============
It can be just a little preamble in the rancid-run and rancid-cvs scripts that
CUT>>>>>>>
CORRECT_USER="rancid"
if [ "$USER" != "$CORRECT_USER" ]; then
    echo "User $USER is not allowed to run $0!" >&2
    echo "Please invoke $0 as user $CORRECT_USER" >&2
fi
<<<<<<<<CUT<<<<<<<<<<<<<

This could be a small modification that should save some headaches...
Thank you
Diego
john heasley
2009-09-22 14:59:29 UTC
Post by Diego Ercolani
I would like to suggest that the developers add a small check to the scripts that invoke
rancid tools that are going to modify the filesystem: rancid-run, rancid-cvs
==========
In my installation, as (I think) in the others, rancid is the user which normally
invokes these tools.
By mistake I invoked rancid-run as root, and what I obtained was that the
1. all the router configurations have been deleted, as svn didn't find the directory
under the root homepage
2. I had to change the owner of every file back to rancid and re-invoke rancid-run
as the user, and then everything was reinitialized.
=============
It can be just a little preamble in the rancid-run and rancid-cvs scripts that
CUT>>>>>>>
CORRECT_USER="rancid"
if [ "$USER" != "$CORRECT_USER" ]; then
    echo "User $USER is not allowed to run $0!" >&2
    echo "Please invoke $0 as user $CORRECT_USER" >&2
fi
<<<<<<<<CUT<<<<<<<<<<<<<
Thanks, but that may not be the username others choose, and it is entirely
reasonable that any user on a system might like to run their own
repository.
Post by Diego Ercolani
This could be a small modification that should save some headaches...
Thank you
Diego
Diego Ercolani
2009-09-23 07:20:03 UTC
Post by john heasley
Post by Diego Ercolani
=============
It can be just a little preamble in the rancid-run and rancid-cvs scripts that
CUT>>>>>>>
CORRECT_USER="rancid"
if [ "$USER" != "$CORRECT_USER" ]; then
echo "User $USER is not allowed to run $0!" >&2
echo "Please invoke $0 as user $CORRECT_USER" >&2
exit -1
Post by john heasley
Post by Diego Ercolani
fi
<<<<<<<<CUT<<<<<<<<<<<<<
Thanks, but that may not be the username others choose, and it is entirely
reasonable that any user on a system might like to run their own
repository.
Yes, but rancid-run (without parameters) searches for the configuration file in
/etc/rancid.conf, so it is system-wide. We should try to prevent a careless
user (like me in the example :-) ) with filesystem rights (of course) from dirtying
the repository. So maybe we could add some sophisticated check that enables
invoking the frontends as a generic user only if we have correctly defined
configurations....
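
One form the check discussed above could take, added here as an example and not part of any post in this thread or of RANCID's own scripts: it compares the effective uid with the owner of the repository directory instead of matching `$USER` against a fixed name, so any account can still run its own repository. `REPO_DIR`, `owner_uid` and `guard_repo_owner` are hypothetical names.

```shell
#!/bin/sh
# Added example: refuse to touch a repository the invoking account does not own.
# REPO_DIR (hypothetical) is the directory that holds the repository.

# Print the numeric uid that owns $1. "ls -n" is POSIX, whereas stat(1)
# takes different flags on GNU and BSD systems.
owner_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{ print $3 }'
}

# guard_repo_owner DIR [UID]
# Returns 0 when UID (default: the effective uid reported by id(1)) owns DIR,
# 1 on a mismatch, 2 when DIR does not exist.
# $USER is not consulted: it is only an environment variable, so it can be
# unset under cron or left stale after su.
guard_repo_owner() {
    dir=$1
    uid=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        echo "$dir: no such directory" >&2
        return 2
    fi
    owner=$(owner_uid "$dir")
    if [ "$uid" != "$owner" ]; then
        echo "uid $uid does not own $dir (owner uid $owner); refusing to run" >&2
        return 1
    fi
    return 0
}

# Intended use near the top of a wrapper script:
#   guard_repo_owner "$REPO_DIR" || exit 1
```

The optional second argument exists so the mismatch path can be exercised without switching accounts.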
Ron Whitney
2009-09-23 13:03:28 UTC
Post by Diego Ercolani
We should try to prevent a careless
user (like me in the example :-) ) with filesystem rights (of
course) from dirtying the repository.
While I understand your concerns, the system admin in me says that it is
better to properly secure the repository rather than the application.
If your user-id shouldn't be writing to the repository, it shouldn't
have write access. For those occasions where you need to, the sudo
command should be used (with care).

Ron
Diego Ercolani
2009-09-23 15:42:09 UTC
On Wednesday 23 September 2009 15:03:28, Ron Whitney wrote:
Post by Ron Whitney
Post by Diego Ercolani
We should try to prevent a careless
user (like me in the example :-) ) with filesystem rights (of
course) from dirtying the repository.
While I understand your concerns, the system admin in me says that it is
better to properly secure the repository rather than the application.
If your user-id shouldn't be writing to the repository, it shouldn't
have write access. For those occasions where you need to, the sudo
command should be used (with care).
You are almost right.... a system admin has to know what he is going to do, in an
ideal world.... now the sysadm is often the one who clicks next... in a wizard
without even reading the GUI messages :-((((
[No flames please]
Max Allan
2009-09-23 20:39:48 UTC
Date: Wed, 23 Sep 2009 17:42:09 +0200
Subject: [rancid] Re: user wich is running rancid-run [suggestion]
Post by Ron Whitney
While I understand your concerns, the system admin in me says that it is
better to properly secure the repository rather than the application.
If your user-id shouldn't be writing to the repository, it shouldn't
have write access. For those occasions where you need to, the sudo
command should be used (with care).
You are almost right.... a system admin has to know what he is going to do, in an
ideal world.... now the sysadm is often the one who clicks next... in a wizard
without even reading the GUI messages :-((((
Shouldn't be a problem:
1. The non-rancid user shouldn't have a .cloginrc file with all the logins, so rancid should mainly fail.
2. If it's a new repo, then just delete it and start again. If it's an old one, surely a chown -R {rancid-user}:{rancid-users-group} will fix the file ownership if they're wrong somehow. You can do similar with chmod but I'm not sure about what cvs does for permissions, the perms should be right anyway unless they rely on the user's umask.
3. If it's an old repo, then all the files should exist anyway and the modification shouldn't change ownership.
4. As pointed out above, you should secure things sensibly. Otherwise someone else will come along and make a different mistake "what, I can't change the router config by changing the files in rancid directly, why not?" or worse!
5. If it's important, where's the backup? If the backup is too hard to recover, you need a better backup solution!
(Sorry if that sounds a bit like preaching, it's just a couple of good practices that no-one ever wants to follow. Good backups and proper use of permissions etc.. can be hard or confusing, but worth it in the long run)
Yes, I often click next without reading the message, but only if I think I know what it's going to say. A good sysadm will be able to tell you what each box is before it pops up. But some people seem to think that because they've seen someone good not read the message, they can not read messages and be good too. They forget that the "good" person has probably done it thousands of times already - and has a backup so if it all goes wrong, he knows he can fix whatever the worst outcome is in a few minutes.
Any admin who tries to tell you he never made a mistake and needed a backup is probably either too scared to ever do anything or lying!
Just be really careful using a tool like clogin to make changes, because it allows you to multiply your mistake on lots of different boxes with minimal effort. An old colleague of mine made a mistake (not with rancid but a similar tool) that was about 15 mins to fix on his local box, but he'd applied it to about 100 workstations around site and the mistake meant you had to fix it on the console. (He broke the local passwd files.) Imagine doing password recovery on every box you run rancid at... (His surname was Ercolani too!)
Max