On running gui applications as root

Reindl Harald h.reindl at thelounge.net
Thu Nov 19 00:02:54 UTC 2015



On 19.11.2015 at 01:00, Reindl Harald wrote:
> On 19.11.2015 at 00:57, Ian Malone wrote:
>> On 18 November 2015 at 23:38, Reindl Harald <h.reindl at thelounge.net> wrote:
>>>
>>> On 18.11.2015 at 19:49, Adam Jackson wrote:
>>>> That's kind of a non sequitur. To a first order, there are zero root-
>>>> owned files you need to edit routinely. And I feel pretty comfortable
>>>> calling any counterexamples bugs that need fixing
>>>
>>>
>>> hopefully all configuration files on your system are root-owned and
>>> "routinely" is not black and white because it depends on your use-cases
>>>
>>> as serveradmin you *routinely* edit root-owned files and *yes* i pull
>>> them from 35 machines to a dedicated admin server and open them all
>>> together in a GUI editor with tabs to make changes i want to have on
>>> all servers while the file itself is machine specific
>>>
>>> why?
>>>
>>> because it's much faster than login to each and every machine when i can
>>> pull them with a script, edit them centralized and push them back
>>> followed by a "distribute-command 'systemctl condrestart affected-service'"
>>> and it saves a ton of overhead for configuration management tools with
>>> their own security issues all the time
>>
>> Technically if doing this then the editing only needs to be done as
>> the owner of the copies and it's the process of copying them back that
>> requires root permission on the target machine
>
> technically i prefer using my "rsync.sh" for any file operations
>
> just to be sure all permissions, extended attributes and so on are
> correct, /etc/passwd and /etc/groups have the same IDs everywhere

that said - i see no valid reason to have sensible configurations of the 
whole infrastructure readable by non-root on any machine and on the same 
machine etckeeper is running on the folders with the centralized configs

