Re: Deleting lines in a file from configuration files with editfiles
From: Berthold Cogel
Subject: Re: Deleting lines in a file from configuration files with editfiles
Date: Fri, 16 Dec 2005 11:26:16 +0100
User-agent: Mozilla Thunderbird 1.0.6-1.4.1.SL3 (X11/20050721)
Martin, Jason H wrote:
> I believe the authorized_keys file supports comments -- you could have
> CFE comment out the offending line.
For security reasons I want to delete the keys so nobody can mess around
with them. And for comments I have to use a predefined statement in my
cfengine files too. A 'CommentLinesMatchingFromFile' is missing, but would
be a 'nice to have'.
authorized_keys is only one example where I would like to use this kind
of feature.
One reason is, I want some of my coworkers to do parts of the
configuration, but without the ability to mess around with my scripts.
And some of my colleagues simply don't want to know how cfengine works.
You don't teach old horses new tricks. :-(
Imagine: You have root login enabled only for authorized keys
(passphrase protected of course) and the workstation of a colleague is
rooted.
For security reasons you will revoke the keys stored on the hacked
computer on all of your machines. It's not a problem to generate
authorized_keys from scratch, but in some cases you have to be able to
make temporary local modifications without stopping cfengine. And it
would be nice if the colleague can revoke his own key himself.
Another nice feature would be to read the content from multiple files
within a directory for append and delete statements.
If you have several machines with different sets of authorized keys it
would be nice to simply place all keys in one directory and create an
append and a revoke directory for each computer. Now your coworkers
simply symlink the sets of keys they like to use to the machine
directories without changing the scripts.
authorized_keys is only one example. sudo is another example.
Some of our servers are webservers where the webmasters must be able to
restart their apaches. We don't have the money for full redundancy so we
configured our services to be relocatable (data in AFS). So the sudo
permissions must also be 'relocatable'. Even for a colleague that
doesn't know about cfengine.
We have a setup (a kind of debug mode) where we can disable cfengine for
a specific configuration file, a single computer or a group of computers
by defining a class in the configuration. And I can disable cfengine
temporarily for a machine by creating a file /etc/cfdebug.
But if I'm not at work, the system still has to be manageable.
Regards,
Berthold
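The per-machine append/revoke directory scheme sketched in the post, as an added shell example (not cfengine code and not from the original thread); the directory layout, file names and key lines are assumptions, and a key is matched by its base64 material so that a differing comment cannot keep a revoked key alive:

```shell
#!/bin/sh
# Added example, not cfengine code. Assumed layout: REVOKE_DIR and
# APPEND_DIR contain public-key files (symlinks into a central key
# directory work as well), AUTH is the authorized_keys file to manage.
# Key lines are expected to start with the key type (no leading
# options field such as from="..."); such lines are left untouched.

# key_blobs FILE...: print the base64 key material (field 2) of every
# public-key line in the given files
key_blobs() {
    cat "$@" 2>/dev/null | awk '$1 ~ /^(ssh-|ecdsa-)/ { print $2 }'
}

# sync_authorized_keys AUTH APPEND_DIR REVOKE_DIR
# 1. delete every line whose key material is listed under REVOKE_DIR
# 2. append keys from APPEND_DIR that are neither present nor revoked
sync_authorized_keys() {
    auth=$1 append_dir=$2 revoke_dir=$3
    [ -f "$auth" ] || : > "$auth"
    revoked=$(mktemp) || return 1
    tmp=$(mktemp) || return 1
    key_blobs "$revoke_dir"/* > "$revoked"
    # step 1: keep only lines whose key material is not revoked
    awk -v rf="$revoked" '
        BEGIN { while ((getline l < rf) > 0) r[l] = 1 }
        !($2 in r)' "$auth" > "$tmp"
    # step 2: add new keys, de-duplicating against what survived step 1
    cat "$append_dir"/* 2>/dev/null | awk -v rf="$revoked" -v cur="$tmp" '
        BEGIN { while ((getline l < rf) > 0) r[l] = 1
                while ((getline l < cur) > 0) { split(l, f, " "); seen[f[2]] = 1 } }
        $1 ~ /^(ssh-|ecdsa-)/ && !($2 in r) && !($2 in seen) { print; seen[$2] = 1 }
    ' >> "$tmp"
    # overwrite in place (owner stays the same) and keep sshd's expected mode
    cat "$tmp" > "$auth" && chmod 600 "$auth"
    rm -f "$tmp" "$revoked"
}
```

Revoking a compromised workstation's key then means dropping its public-key file into the revoke directory of every machine; the colleague can do that for his own key without touching the scripts.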