Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Reading Linux book



On Thu, Mar 27, 2014 at 4:10 PM, Mike Small <smallm at panix.com> wrote:
> Bill Bogstad <bogstad at pobox.com> writes:
>> Some Linux distributions make available a package called etckeeper
>
> From http://git.kitenet.net/?p=etckeeper.git;a=blob_plain;f=README;hb=HEAD
> ...
>     ## security warnings
>
>     First, a big warning: By checking /etc into version control, you are
>     creating a copy of files like /etc/shadow that must remain
>     secret. Anytime you have a copy of a secret file, it becomes more likely
>     that the file contents won't remain secret. etckeeper is careful about
>     file permissions, and will make sure that repositories it sets up don't
>     allow anyone but root to read their contents. However, you *also* must
>     take care when cloning or copying these repositories, not to allow
>     anyone else to see the data.
>
> Hmmm!
>
> Of course for a while I was using plain old git on /etc until it
> dawned on me how incredibly stupid that is.  Now I'm thinking
> config files are better suited to backing up and/or snapshotting
> than version control. VC is not for everything even if it's
> theoretically possible to wrap it in scripts to kludge away the
> problems. Config files, ideally, for the most part, converge
> relatively quickly to a more or less final state don't they?  I
> used to think I wanted to see the history of their evolution but
> it turns out all I want is a copy of what worked.

Security problem solved:

# ls -ld /etc/.git
drwx------ 8 root root 4096 Mar 28 12:53 /etc/.git

Only root can access the repository and root can access the original
files anyway.   This is the default setup when using etckeeper and
git.   I assume etckeeper is smart anough to do the same thing with
other source code control systems, but you should check to be sure.

As for the issue of some files not needing to be tracked this way, I
care more about the possibility that some file won't be tracked that
should have been then some extra files are included.  On any system
with a hard disk, the amount of wasted space is irrelevant.  In any
case, when using git, there is always a .gitignore file which you can
use to eliminate files you don't want to track.   Etckeeper has a
default file for .gitignore, but you can always add additional entries
if you feel you don't want them tracked.

Bill Bogstad



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org