On 19.11.2015 at 01:00, Reindl Harald wrote:
On 19.11.2015 at 00:57, Ian Malone wrote:
> On 18 November 2015 at 23:38, Reindl Harald <h.reindl(a)thelounge.net>
> wrote:
>>
>> On 18.11.2015 at 19:49, Adam Jackson wrote:
>>> That's kind of a non sequitur. To a first order, there are zero
>>> root-owned files you need to edit routinely. And I feel pretty
>>> comfortable calling any counterexamples bugs that need fixing.
>>
>>
>> Hopefully all configuration files on your system are root-owned, and
>> "routinely" is not black and white because it depends on your use cases.
>>
>> As a server admin you *routinely* edit root-owned files, and *yes*, I pull
>> them from 35 machines to a dedicated admin server and open them all
>> together in a GUI editor with tabs to make changes I want to have on all
>> servers while the file itself is machine specific.
>>
>> Why?
>>
>> Because it's much faster than logging in to each and every machine when I
>> can pull them with a script, edit them centrally and push them back,
>> followed by a "distribute-command 'systemctl condrestart
>> affected-service'", and it saves a ton of overhead for configuration
>> management tools with their own security issues all the time.
>
> Technically if doing this then the editing only needs to be done as
> the owner of the copies and it's the process of copying them back that
> requires root permission on the target machine
Technically I prefer using my "rsync.sh" for any file operations, just to
be sure all permissions, extended attributes and so on are correct and
/etc/passwd and /etc/groups have the same IDs everywhere.

That said, I see no valid reason to have sensitive configurations of the
whole infrastructure readable by non-root on any machine, and on the same
machine etckeeper is running on the folders with the centralized configs.