Gentoo Archives: gentoo-security

From: Kurt Lieber <klieber@g.o>
To: David Olsen <do@×××××××.com>
Cc: gentoo-security@g.o
Subject: Re: [gentoo-security] Changes to traceroute in newest release
Date: Tue, 16 Dec 2003 11:39:28
Message-Id: 20031216173759.GJ13122@mail.lieber.org
In Reply to: Re: [gentoo-security] Changes to traceroute in newest release by David Olsen
On Tue, Dec 16, 2003 at 12:29:02PM -0500 or thereabouts, David Olsen wrote:
> A (imho) better solution would be to perhaps do a 4750 by default, and give
> it to a specific group, say "staff" or the like, this way I can add my staff
> to that particular group once, and not have to muck permissions every time a
> new release of traceroute comes out.
Fair enough -- that is another way of looking at it. One of my favorite newsgroup signatures I've seen is "There are two rules to UNIX administration. Rule 1: There is always more than one way to do the same thing. Rule 2: Someone thinks that your way is wrong." :)

This is semi-overkill for this specific problem, but one tool for general system administration that we use with *extremely* good results is cfengine. (http://www.cfengine.org) It allows me to say, "I don't care what anyone else says, I always want the permissions of /bin/foo to be 0600 and owned by someuser:somegroup". It runs periodically and checks to make sure things are as you want them to be. (It does a lot of other nifty things, btw -- it's a very powerful, useful tool.)

As I said, overkill for this specific solution, but an excellent solution for ensuring that your systems, as a whole, are kept in a "known good" state, according to your wants and needs, rather than those of the package maintainer.

And, anyone who knows me knows that I rarely pass up an opportunity to promote cfengine. :)

--kurt
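
The periodic "keep it as I declared it" check described in the message above, as an added example that is not part of the original message and is not cfengine's own code or syntax: a small Python checker that reports and repairs drift in mode, owner and group. The path `/usr/sbin/traceroute`, the owner `root`, and the names `Rule`, `drift` and `converge` are assumptions; the 4750 mode and the "staff" group come from the quoted suggestion.

```python
import grp, os, pwd, stat
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Rule:                      # hypothetical policy record, not a cfengine type
    path: str
    mode: int                    # includes setuid/setgid/sticky bits, e.g. 0o4750
    owner: Union[str, int]       # user name or numeric uid
    group: Union[str, int]       # group name or numeric gid

def _uid(o): return o if isinstance(o, int) else pwd.getpwnam(o).pw_uid
def _gid(g): return g if isinstance(g, int) else grp.getgrnam(g).gr_gid

def drift(rule):
    """List every difference between the declared state and what is on disk."""
    try:
        st = os.lstat(rule.path)         # lstat: do not follow a symlink at the path
    except FileNotFoundError:
        return [f"{rule.path}: missing"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{rule.path}: not a regular file"]
    found = []
    actual = stat.S_IMODE(st.st_mode)
    if actual != rule.mode:
        found.append(f"{rule.path}: mode {actual:04o}, want {rule.mode:04o}")
    if st.st_uid != _uid(rule.owner):
        found.append(f"{rule.path}: uid {st.st_uid}, want {rule.owner}")
    if st.st_gid != _gid(rule.group):
        found.append(f"{rule.path}: gid {st.st_gid}, want {rule.group}")
    return found

def converge(rule):
    """Repair drift on an existing regular file; return what was found first."""
    found = drift(rule)
    if found and os.path.isfile(rule.path) and not os.path.islink(rule.path):
        # chown before chmod: Linux clears setuid/setgid bits on chown,
        # so the mode has to be applied last or a 4750 rule never converges.
        os.chown(rule.path, _uid(rule.owner), _gid(rule.group))
        os.chmod(rule.path, rule.mode)
    return found

if __name__ == "__main__":
    # Constructed policy; run report-only here, call converge() as root to repair.
    policy = [Rule("/usr/sbin/traceroute", 0o4750, "root", "staff")]
    for rule in policy:
        for line in drift(rule):
            print(line)
```

Run from cron in report-only mode first; a package upgrade that resets the binary to the maintainer's permissions then shows up as a drift line on the next run.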

Replies

Subject Author
Re: [gentoo-security] Changes to traceroute in newest release Lance Albertson <ramereth@g.o>