On running gui applications as root

Reindl Harald h.reindl at thelounge.net
Thu Nov 19 00:00:23 UTC 2015



On 19.11.2015 at 00:57, Ian Malone wrote:
> On 18 November 2015 at 23:38, Reindl Harald <h.reindl at thelounge.net> wrote:
>>
>>
>> On 18.11.2015 at 19:49, Adam Jackson wrote:
>>>
>>> On Tue, 2015-11-17 at 17:30 +0000, Andrew Haley wrote:
>>>>
>>>> On 11/02/2015 03:05 PM, Adam Jackson wrote:
>>>>>
>>>>> But, why take the risk exposure, when you could simply not?
>>>>
>>>>
>>>> How else would I edit root-owned files?  I don't get it.  I mean,
>>>> I guess I could run an editor in a text window, but I don't want to
>>>> do that.
>>>
>>>
>>> That's kind of a non sequitur. To a first order, there are zero root-
>>> owned files you need to edit routinely. And I feel pretty comfortable
>>> calling any counterexamples bugs that need fixing
>>
>>
>> hopefully all configuration files on your system are root-owned and
>> "routinely" is not black and white because it depends on your use-cases
>>
>> as serveradmin you *routinely* edit root-owned files and *yes* i pull them
>> from 35 machines to a dedicated admin server and open them all together in a
>> GUI editor with tabs to make changes i want to have on all servers while the
>> file itself is machine specific
>>
>> why?
>>
>> because it's much faster than login to each and every machine when i can
>> pull them with a script, edit them centralized and push them back followed
>> by a "distribute-command 'systemctl condrestart affected-service'" and it
>> saves a ton of overhead for configuration management tools with their own
>> security issues all the time
>
> Technically if doing this then the editing only needs to be done as
> the owner of the copies and it's the process of copying them back that
> requires root permission on the target machine

technically i prefer using my "rsync.sh" for any file operations

just to be sure all permissions, extended attributes and so on are 
correct, /etc/passwd and /etc/groups have the same IDs everywhere

[root at buildserver:~]$ cat /usr/local/bin/rsync.sh
#!/usr/bin/bash

# -z compress
# -t timestamps
# -P progress
# -r recursive
# -l links
# -H hard-links
# -p permissions
# -o owner
# -g group
# -E executability
# -A acls
# -X xtended attributes

# Make sure that source AND target were passed
if [ "$1" == "" ] || [ "$2" == "" ] || [ "$1" == "$2" ]; then
  echo "USAGE: rsync.sh <source> <target> [bwlimit]"
  exit 1
fi

# Default parameters
RSYNC_PARAMS="--no-motd --force --delete-after --devices --specials -tPrlpogEAX"

# If one of the two parameters contains an @, enable compression
# Otherwise these are two local directories and rsync would compress
# the data for no reason
# (grep -q avoids a "too many arguments" error from [ ] on paths with spaces)
if grep -q '@' <<< "$1" || grep -q '@' <<< "$2"; then
  RSYNC_PARAMS="--compress --sockopts=SO_SNDBUF=32768,SO_RCVBUF=32768 $RSYNC_PARAMS"
fi

if [ "$3" != "" ]; then
  RSYNC_PARAMS="--bwlimit=$3 $RSYNC_PARAMS"
fi

# Run the actual command
# ($RSYNC_PARAMS is left unquoted on purpose so it splits into separate options)
nice -n 19 rsync $RSYNC_PARAMS --rsync-path='nice -n 19 rsync' "$1" "$2"
