Am 19.11.2015 um 00:57 schrieb Ian Malone:
On 18 November 2015 at 23:38, Reindl Harald
<h.reindl(a)thelounge.net> wrote:
>
>
> Am 18.11.2015 um 19:49 schrieb Adam Jackson:
>>
>> On Tue, 2015-11-17 at 17:30 +0000, Andrew Haley wrote:
>>>
>>> On 11/02/2015 03:05 PM, Adam Jackson wrote:
>>>>
>>>> But, why take the risk exposure, when you could simply not?
>>>
>>>
>>> How else would I edit root-owned files? I don't get it. I mean,
>>> I guess I could run an editor in a text window, but I don't want to
>>> do that.
>>
>>
>> That's kind of a non sequitur. To a first order, there are zero root-
>> owned files you need to edit routinely. And I feel pretty comfortable
>> calling any counterexamples bugs that need fixing
>
>
> hopefully all configuration files on your system are root-owned and
> "routinely" is not black and white because it depens on your use-cases
>
> as serveradmin you *routinely* edit root-owned files and *yes* i pull them
> from 35 machines to a dedicated admin server and open them all together in a
> GUI editor with tabs to make changes i want to have on all servers while the
> file itself is machine specific
>
> why?
>
> because it's much faster than login to each and every machine when i can
> pull them with a script, edit them centralized and push them back followed
> by a "distribute-command 'systemctl condrestart affected-service'"
and it
> saves a ton of overhead for configuration management tools with their own
> security issues all the time
Technically if doing this then the editing only needs to be done as
the owner of the copies and it's the process of copying them back that
requires root permission on the target machine
technically i prefer using my "rsync.sh" for any file operations
just to be sure all permissions, extended attributes and so on are
correct, /etc/passwd and /etc/groups have the same IDs everywhere
[root@buildserver:~]$ cat /usr/local/bin/rsync.sh
#!/usr/bin/bash
# -z compress
# -t timestamps
# -P progress
# -r recursive
# -l links
# -H hard-links
# -p permissions
# -o owner
# -g group
# -E executability
# -A acls
# -X xtended attributes
# Sicherstellen dass Source UND Target uebergeben wurden
if [ "$1" == "" ] || [ "$2" == "" ] || [
"$1" == "$2" ]; then
echo "USAGE: rsync.sh <source> <target> [bwlimit]"
exit
fi
# Standard-Parameter
RSYNC_PARAMS="--no-motd --force --delete-after --devices --specials
-tPrlpogEAX"
# Wenn in einem der beiden Paramneter ein @ vorkommt Komprimierung
einschalten
# Ansonsten handelt es sich um zwei lokale Ordner und rsync wuerde die
# Daten ohne Sinn komprimieren
if [ `grep '@' <<< "$1"` ] || [ `grep '@' <<<
"$2"` ]; then
RSYNC_PARAMS="--compress --sockopts=SO_SNDBUF=32768,SO_RCVBUF=32768
$RSYNC_PARAMS"
fi
if [ "$3" != "" ]; then
RSYNC_PARAMS="--bwlimit=$3 $RSYNC_PARAMS"
fi
# Eigentliches Kommando ausfuehren
nice -n 19 rsync $RSYNC_PARAMS --rsync-path='nice -n 19 rsync' "$1"
"$2"