private servers sharing common root

Fabio FZero fabio.fzero-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Jun 25 12:43:57 UTC 2010


On Thu, Jun 24, 2010 at 20:37, Christopher Browne <cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
(...)
> Yes, keys provide *some* security, however, if you log in directly as
> root, there's no identification of who was doing that.

Correct. I think the best practice would be users with just the right
amount of privileges. Some group tweaking could do the trick.

>> Anyway, depending on what you want to do, putting your config files
>> and scripts under version control could be a good solution. When
>> anything needs to be changed, just alter the files, push them to the
>> repo and pull everything back on all servers (I don't know if this is
>> what Chris was talking about -- I didn't have time to look at the
>> articles).
>
> What you're pulling from is less important than that you're pulling.
>
> Code folk have a liking for using SCMs as the thing to pull from.

Yes, it has the added advantage of being able to go back quickly if
something blows up. I used to manage a server farm where the sensitive
files were on Subversion. It was a relief being able to change Apache
configs and just run a script making dozens of servers update and
reload the settings at once!

> But again, the point is that how you pull, or where you pull from, is
> much less important than that the servers pull from places they
> intentionally trust as sources.  That makes a lot of challenges (e.g.
> - in negotiating incoming connections securely) go away, and when the
> servers serve themselves, you run rather less risk of forgetting to
> fix one of them.

This paragraph should be framed.

- FZ
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




