| 1 |
On Tue, Dec 16, 2003 at 12:29:02PM -0500 or thereabouts, David Olsen wrote: |
| 2 |
> A (imho) better solution would be to perhaps do a 4750 by default, and give |
| 3 |
> it to a specific group, say "staff" or the like, this way I can add my staff |
| 4 |
> to that particular group once, and not have to muck permissions everytime a |
| 5 |
> new release of traceroute comes out. |
| 6 |
|
| 7 |
Fair enough -- that is another way of looking at it. One of my favorite |
| 8 |
newgroup signatures I've seen is "There are two rules to UNIX |
| 9 |
administration. Rule 1: There is always more than one way to do the same |
| 10 |
thing. Rule 2: Someone thinks that your way is wrong." :) |
| 11 |
|
| 12 |
This is semi-overkill for this specific problem, but one tool for general |
| 13 |
system administration that we use with *extremely* good results is |
| 14 |
cfengine. (http://www.cfengine.org) It allows me to say, "I don't care |
| 15 |
what anyone else says, I always want the permissions of /bin/foo to be 0600 |
| 16 |
and owned by someuser:somegroup" It runs periodically and checks to make |
| 17 |
sure things are as you want them to be. (It does a lot of other nifty |
| 18 |
things, btw -- it's a very powerful, useful tool) |
| 19 |
|
| 20 |
As I said, overkill for this specific solution, but an excellent solution |
| 21 |
for ensuring that your systems, as a whole, are kept in a "known good" |
| 22 |
state, according to your wants and needs, rather than those of the package |
| 23 |
maintainer. And, anyone who knows me knows that I rarely pass up an |
| 24 |
opportunity to promote cfengine. :) |
| 25 |
|
| 26 |
--kurt |
Archives