On Tue, Dec 16, 2003 at 12:29:02PM -0500 or thereabouts, David Olsen wrote:
> A (imho) better solution would be to perhaps do a 4750 by default, and give
> it to a specific group, say "staff" or the like, this way I can add my staff
> to that particular group once, and not have to muck permissions every time a
> new release of traceroute comes out.

Fair enough -- that is another way of looking at it. One of my favorite
newsgroup signatures I've seen is "There are two rules to UNIX
administration. Rule 1: There is always more than one way to do the same
thing. Rule 2: Someone thinks that your way is wrong." :)

This is semi-overkill for this specific problem, but one tool for general
system administration that we use with *extremely* good results is
cfengine. (http://www.cfengine.org) It allows me to say, "I don't care
what anyone else says, I always want the permissions of /bin/foo to be 0600
and owned by someuser:somegroup" It runs periodically and checks to make
sure things are as you want them to be. (It does a lot of other nifty
things, btw -- it's a very powerful, useful tool)

As I said, overkill for this specific solution, but an excellent solution
for ensuring that your systems, as a whole, are kept in a "known good"
state, according to your wants and needs, rather than those of the package
maintainer. And, anyone who knows me knows that I rarely pass up an
opportunity to promote cfengine. :)

--kurt
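
The periodic "known good state" check described in the message above, sketched as a shell function. This is an added example, not part of the original post and not cfengine code; it assumes GNU stat, and the function name `enforce_perms` and the temp-file demo are constructed for illustration.

```shell
#!/bin/sh
# enforce_perms PATH MODE OWNER GROUP   (hypothetical helper, not a cfengine API)
# Converges one file to the declared mode and ownership. Prints a FIX line
# for each attribute it corrects, nothing when the file already complies.
# Returns 0 if the file ends in the desired state, 1 otherwise.
enforce_perms() {
    path=$1; want_owner=$3; want_group=$4
    # Normalise the octal mode so "0600" compares equal to stat's "600".
    want_mode=$(printf '%o' "0$2") || return 1

    # Only act on regular files: chmod/chown on a symlink would follow it.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "SKIP $path: not a regular file" >&2
        return 1
    fi

    have_owner=$(stat -c '%U' "$path")
    have_group=$(stat -c '%G' "$path")
    if [ "$have_owner:$have_group" != "$want_owner:$want_group" ]; then
        echo "FIX $path: owner $have_owner:$have_group -> $want_owner:$want_group"
        chown "$want_owner:$want_group" "$path" || return 1
    fi

    # Mode is applied last: chown can clear setuid/setgid bits, which matters
    # for a setuid target such as the 4750 traceroute case in the thread.
    have_mode=$(stat -c '%a' "$path")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "FIX $path: mode $have_mode -> $want_mode"
        chmod "$want_mode" "$path" || return 1
    fi

    # Re-read the file and confirm the result instead of trusting exit codes.
    [ "$(stat -c '%a:%U:%G' "$path")" = "$want_mode:$want_owner:$want_group" ]
}

# Constructed demo: a temp file stands in for a binary whose permissions a
# package upgrade has reset. First run reports the drift, second is silent.
demo=$(mktemp) && chmod 755 "$demo"
demo_owner=$(stat -c '%U' "$demo"); demo_group=$(stat -c '%G' "$demo")
enforce_perms "$demo" 0600 "$demo_owner" "$demo_group"
enforce_perms "$demo" 0600 "$demo_owner" "$demo_group"
rm -f "$demo"
```

Run from cron, a loop over a list of path/mode/owner/group entries gives the same effect for a handful of files; the FIX lines double as a record of what changed underneath you.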