"eddy" == E B Dreger <eddy+public+spam@noc.everquick.net> writes: jm> Date: Wed, 2 Oct 2002 17:48:16 -0700 (PDT) jm> From: just me jm> In an environment where every sysadmin is interchangable, and any jm> one of them can be woken up at 3am to fix the random problem of jm> the day, you tell me how to manage 'sudoers' on 4000 machines. eddy> krb5/ksu Well, no. That's an excellent answer to someone else's question, but krdist would be a better answer to his question. ;-) But the real answer is: The same way you maintain everything else on the same 4000 machines. I assume if you're running 4000 machines you have some cookie-cutter secured baseline OS load that gets installed on them all when they're loaded, and then something like home-grown perl scripts wrapped around rdist or rsync, or a specific tool for the purpose like cfengine or synctree to push out changes and keep them all under control. I would assume that the sudoers file could be pushed out with the same mechanism. Or am I missing some implied complexity in your situation? If the implication is that you have 4000 one-off machines, I retract my next statement. ;-) BTW, I really envy "just me". I have yet to work anywhere where every [insert position here] is actually interchangable. Must be nice. IMHO, Michael
On 2 Oct 2002, Michael Lamoureux wrote:

> But the real answer is: The same way you maintain everything else on the same 4000 machines. I assume if you're running 4000 machines you have some cookie-cutter secured baseline OS load that gets installed on them all when they're loaded, and then something like home-grown perl scripts wrapped around rdist or rsync, or a specific tool for the purpose like cfengine or synctree to push out changes and keep them all under control. I would assume that the sudoers file could be pushed out with the same mechanism.
>
> Or am I missing some implied complexity in your situation? If the implication is that you have 4000 one-off machines, I retract my next statement. ;-)

I was assuming a more complex configuration than the wide-open one advocated by Barb, which seems to add little to no security benefit. I'm sorry I wasn't clear on this point; of course pushing out a single file to n machines shouldn't be a problem.

> BTW, I really envy "just me". I have yet to work anywhere where every [insert position here] is actually interchangeable. Must be nice.

We're talking best practices here, right?

matto

--mghali@snark.net------------------------------------------<darwin><
Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in.
#include <disclaim.h>