RE: change control via CVS tags

help-cfengine

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: change control via CVS tags

From:	Martin, Jason H
Subject:	RE: change control via CVS tags
Date:	Thu, 13 Oct 2005 11:04:09 -0700

The problem is that root on the CFE master server could bypass all of
that.  I'm confident that there are very straightforward ways to stop
non-CFE-master-root users from wreaking havoc, but then there is the
'root' problem.

I'm thinking that a two-server system under different administrative
domains such that the servers have to agree on the rules and repository
before changes are applied sounds about right.

-Jason Martin

> -----Original Message-----
> From: 
> help-cfengine-bounces+jason.h.martin=cingular.com@gnu.org 
> [mailto:help-cfengine-bounces+jason.h.martin=cingular.com@gnu.
> org] On Behalf Of Jeremy Mates
> Sent: Thursday, October 13, 2005 10:58 AM
> To: help-cfengine@gnu.org
> Subject: change control via CVS tags
> 
> 
> * Martin, Jason H <jason.h.martin@cingular.com>
> > Along the same lines, has anyone implemented a system such 
> that there 
> > is no one person capable of pushing out changes? I'm 
> talking about a 
> > system analogous to the nuclear missile keys that require 2 
> people to 
> > agree to launch.
> 
> One approach would be to store all the configuration under 
> CVS, then use a taginfo script to restrict who can apply tags 
> to a file[1]. This way, anyone with CVS rights could commit 
> files, but only certain people would have tag rights. 
> CFEngine would then pull from CVS only files with a certain 
> tag set[2].
> 
> Some extra logic in the taginfo script might ensure the same 
> person could not both commit and tag the file, though I have 
> not looked at how hard this would be. Linking all this to an 
> approval ticket system for SOX compliance would be even more fun...
> 
> [1] CVSPermissions is close, but uses the directory 
> permissions for tag
>     rights as well: http://sarovar.org/projects/cvspermissions
> 
> [2] stage-from-cvs is one method: http://sial.org/howto/cvs-tips/#s4
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org 
> http://lists.gnu.org/mailman/listinfo/help-> cfengine
>

[Prev in Thread]

Current Thread

[Next in Thread]

RE: change control via CVS tags, Martin, Jason H <=
- Re: change control via CVS tags, Jeremy Mates, 2005/10/13
- Re: change control via CVS tags, Chip Seraphine, 2005/10/13
- RE: change control via CVS tags, Martin, Jason H, 2005/10/13
  - Re: change control via CVS tags, Tim Holliefield, 2005/10/14
- RE: change control via CVS tags, Moore, Joe, 2005/10/14

Prev by Date: RE: Tiered admins with cfengine / dual control
Next by Date: Re: change control via CVS tags
Previous by thread: A good location for flag files & on-demand per-user apps
Next by thread: Re: change control via CVS tags
Index(es):
- Date
- Thread