Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling
 
PerlMonks  

Re: Re: Dangerous diamonds!

by Juerd (Abbot)
on May 21, 2003 at 05:43 UTC ( #259643=note: print w/replies, xml ) Need Help??


in reply to Re: Dangerous diamonds!
in thread Dangerous diamonds!

Do you have an example? There is likely a better way of configuring things so that root doesn't have to do the task.

Scripts that clean up after users. System wide /tmp and per-user ~/tmp directories, for example. And scripts that md5sum some user files. Perhaps the smallish log rotator could be run as apache. Let's see, nope, Apache writes its logs as root.

Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }

Replies are listed 'Best First'.
Re: Re: Re: Dangerous diamonds!
by sauoq (Abbot) on May 21, 2003 at 17:06 UTC
    Scripts that clean up after users. System wide /tmp and per-user ~/tmp directories, for example.

    Make /tmp owned by 'sys' or create a system user for it. You can do the same for ~/tmp directories, just make them group writable by a system group... But really, users should be left to clean up after themselves. Institute quotas if they refuse to do so. Give them access to cron so they can automate cleanup if they like. This has an added benefit; since it is their ~/tmp directory, they should choose how old files should be before they are removed.

    And scripts that md5sum some user files.

    I'm sure there is an easy solution, but its hard to say what it is without more information. Why are you doing it? Which user files? Do you really need a glob to describe them or do they have well-defined names? Is it a service to users that they can be given control of (like cleaning up their ~/tmp dirs?) Can the files in question be group readable?

    Perhaps the smallish log rotator could be run as apache. Let's see, nope, Apache writes its logs as root.

    Out of the numerous ways you can handle that one, I'll point out the easiest: make the logs directory writable only by root. You shouldn't have to do anything because that's the default anyway. Since someone would need root before creating a file with an evil filename in that directory, it would be pointless for them to do so.

    -sauoq
    "My two cents aren't worth a dime.";
    

      Do you really need a glob to describe them or do they have well-defined names?

      No. It's just laziness. I could opendir/readdir/closedir and use three-arg open. But I didn't, because I didn't know -p/-n used two-arg open.

      I'll point out the easiest: make the logs directory writable only by root.

      It already is, but one little bug in Apache could perhaps allow the names to be user-defined. After all, the logs are full of user input.

      Anyhow, it *all* boils down to laziness. I could set up ACLs, of course. It's a matter of convenience. Usually this works out just fine. Too bad this time Perl didn't DWIM.

      Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }

Re^3: Dangerous diamonds! (sudo)
by Aristotle (Chancellor) on May 21, 2003 at 14:57 UTC
    It is time to learn about sudo, then. Write short scripts that do exactly as much as whatever extended priveleges (root or otherwise) are necessary for, and no more, and give exactly specified users the permission to execute them under another exactly specified account without being asked for a password. Your /etc/sudoers might grow somewhat, but the result is a completely controlled environment.

    Makeshifts last the longest.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://259643]
help
Chatterbox?
[marto]: Wolfsbane , now I'm having flashbacks
[choroba]: Isn't Using PerlPod Creatively rather a meditation?
[choroba]: I don't see a question
[1nickt]: ugh, I stuck my head in the bass bin for 30 seconds on a dare at Ted Nugent at Hammersmith Odeon. Yes, I am 40% deaf now.
[johngg]: My daughter is incredibly jealous of my wife who got to see The Clash at Brixton many years ago. They went to see The Vaccines there recently.
[1nickt]: But the bands are even louder! I saw Spearhead (Michael Franti) at an outdoor show and had to walk a mile away to not feel pain in my chest! Babies were crying ... I asked the sound engineer why it was necessary to have the bass so loud and he laughed...
[Discipulus]: but the best i attended live was Mano Negra Patchanka at Forte Prenestino .. in 1990

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (9)
As of 2017-03-24 12:13 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Should Pluto Get Its Planethood Back?



    Results (301 votes). Check out past polls.