QOTD:
"Editing a file in /etc directly 'by hand' should be an obscure art done
to teach internals or to scare children on halloween."


-----Original Message-----
From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
On Behalf Of Tom Limoncelli
Sent: Monday, April 22, 2013 10:36 AM
To: Edward Ned Harvey (lopser)
Cc: t...@lopsa.org
Subject: Re: [lopsa-tech] Version controlling permission sensitive files

On Mon, Apr 22, 2013 at 10:01 AM, Edward Ned Harvey (lopser)
<lop...@nedharvey.com> wrote:
>> From: tech-boun...@lists.lopsa.org 
>> [mailto:tech-boun...@lists.lopsa.org]
>> On Behalf Of Dave Close
>>
>> Ned Harvey wrote:
>>
>> >Question is:  What do you use to version control permission 
>> >sensitive files?
>>
>> What's the matter with the old tried-and-true RCS? It keeps both 
>> permissions and time stamps just fine.
>
> It's been a long time since I used RCS, but as I recall:  RCS is a
> predecessor to CVS.  They are both file-based, which makes it difficult
> to see "the following three cert files were all updated at the same
> time, coinciding with changes to the following httpd config files."  But
> that's just one missing component; I think it also uses a .rcs
> subdirectory (or something) which, as Brian pointed out, wreaks havoc on
> things like modprobe.d, so you either have to specify a non-recursive
> version change (and experimentally discover what other directories you
> need to exclude) or ...  Well ... there isn't much other alternative.
>

If you use RCS, use this perl script as a wrapper around your editor:
http://www.nightcoder.com/code/xed/ to save a lot of time.  "xed $file"
will lock the file, call your favorite editor, and when you are done
unlock and check in the file.  If you get in the habit of using it,
eventually all your important files will be kept under RCS.  Since it
locks the file, two people can't accidentally edit the same file at the
same time.  I love using it on my personal (toy) servers that I give
friends root access on.  It even detects if a file was edited without
"xed", which has proven very useful.

Version Control, Snapshots and Configuration Management are very
different things.  This thread has conflated them a bit.   Each is
separate and has its own utility.  I use xed for version control of
individual files so I can track who did what and when.  I use tarsnap
for backups so I can track the history of the partition, not just the
files I intentionally modify.  My personal machines are just toys so I
don't use configuration management on them.

The real issue here is that we manage machines wrong.  The fact that
sysadmins say things like, "if I had more than a few machines I'd set up
Puppet/Chef/CfEngine" should be considered a bug.  We should be using
configuration management as the default.  Everything should be done via
CM.  Software packages should come with plug-ins that expand the CM
verbs/nouns so they can be managed.  GUI front-ends should just
manipulate the databases that drive our CM systems.  Editing a file in
/etc directly "by hand" should be an obscure art done to teach internals
or to scare children on halloween.  Sadly Unix isn't built like that
(today) but that's where we should be aiming.

Tom


--
Skype: YesThatTom -- GTalk and GooglePlus: t...@whatexit.org
Blog:  http://EverythingSysadmin.com
Videos:  http://www.TomOnTime.com
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
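A minimal editor wrapper that does what the message describes xed doing (lock the file, run the editor, check the result in, and notice when a file was edited outside the wrapper) is below as an added example. It is not the nightcoder xed script and not Tom's code; it assumes GNU RCS (ci, co, rcs, rcsdiff, rlog) is installed, that history lives in an RCS/ directory beside the edited file (e.g. /etc/RCS), and the function names rcs_edit, rcs_head, rcs_lock_holder and rcs_unchanged are my own.

```shell
#!/bin/sh
# rcsedit: an RCS editing wrapper in the spirit of the xed script mentioned
# in the message. Added example, not the nightcoder xed code. Assumes GNU RCS
# and an RCS/ directory beside the edited file (e.g. /etc/RCS/).
#
# Usage: rcsedit FILE      (runs ${EDITOR:-vi} on FILE, then checks it in)

set -eu

# RCS archive for a working file: <dir>/RCS/<name>,v
rcs_file() {
    printf '%s/RCS/%s,v\n' "$(dirname "$1")" "$(basename "$1")"
}

# Print the head revision of FILE ("1.1", "1.2", ...); empty if not under RCS.
rcs_head() {
    rlog -h "$(rcs_file "$1")" 2>/dev/null | sed -n 's/^head: //p'
}

# Print the user holding a lock on FILE, or nothing if it is unlocked.
# rlog -h lists locks as indented "user: rev" lines after "locks:".
rcs_lock_holder() {
    rlog -h "$(rcs_file "$1")" 2>/dev/null |
        awk '/^locks:/ { inlocks = 1; next }
             inlocks && /^[ \t]/ { sub(/:$/, "", $1); print $1; exit }'
}

# 0 if the working file matches its head revision, 1 if it was changed
# behind RCS's back (the "edited without xed" case).
rcs_unchanged() {
    rcsdiff -q "$1" "$(rcs_file "$1")" >/dev/null 2>&1
}

# Put FILE under RCS on first use. ci -u leaves the working file in place
# (read-only), so a daemon that reads it keeps working.
rcs_init() {
    f=$1; rf=$(rcs_file "$f")
    [ -d "$(dirname "$rf")" ] || mkdir "$(dirname "$rf")"
    if [ ! -f "$rf" ]; then
        ci -q -u -t-"imported by $(id -un)" -m"initial import" "$f" "$rf"
    fi
}

rcs_edit() {
    f=$1; rf=$(rcs_file "$f")
    rcs_init "$f"

    holder=$(rcs_lock_holder "$f")
    if [ -n "$holder" ]; then
        echo "rcsedit: $f is locked by $holder; try again later" >&2
        return 1
    fi

    # A hand edit since the last check-in is recorded as its own revision,
    # so the history stays honest instead of being overwritten by co -l.
    if ! rcs_unchanged "$f"; then
        echo "rcsedit: $f was changed outside rcsedit; recording that first" >&2
        rcs -q -l "$rf"
        ci -q -u -m"edit made outside rcsedit, recorded by $(id -un)" "$f" "$rf"
    fi

    # Lock and check out writable. -f is safe here: the working file was just
    # verified to match the head revision and nobody else holds a lock.
    co -q -l -f "$f" "$rf"

    if ! ${EDITOR:-vi} "$f"; then
        echo "rcsedit: editor failed; reverting $f and dropping the lock" >&2
        co -q -u -f "$f" "$rf"
        return 1
    fi

    # ci -u creates a new revision (or just drops the lock if nothing
    # changed) and leaves the working file read-only with its RCS mode bits.
    ci -q -u -m"${RCSEDIT_MSG:-edited via rcsedit by $(id -un)}" "$f" "$rf"
}

if [ $# -gt 0 ]; then
    rcs_edit "$1"
fi
```

Two caveats worth knowing before relying on this for permission-sensitive files: RCS restores the mode bits (the ,v file carries them, and co adds the write bit only while you hold the lock) but not the owner or group, so run the wrapper as the user who should own the file (root for /etc); and the "edited outside the wrapper" check only compares the working file against the last checked-in revision, so it can tell you that a hand edit happened, not who made it.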
