[rancid] Checking for root

Alan McKinnon alan.mckinnon at gmail.com
Thu Jun 6 21:36:37 UTC 2013

On 06/06/2013 17:34, heasley wrote:
> Thu, Jun 06, 2013 at 04:57:10PM +0200, Alan McKinnon:
>> On 06/06/2013 16:45, Matthew Walster wrote:
>>> More often than not, people are coming to me with RANCID issues that
>>> have arisen because someone has been impatient and decided to run
>>> rancid-run manually rather than letting the next run initiate manually.
>>> The only problem with that is that they tend to run it as "root" rather
>>> than the rancid user.
>>> Would it be worth putting a check in so that rancid-run script won't run
>>> unless it's as a non-privileged user (or even better, build it into the
>>> automake run to discover the intended final user).
>>> Simple code sample:
>>> if [[ $EUID -eq 0 && $force -ne 1 ]]
>>> then
>>>         echo "Run this as the RANCID user!"
>>>         exit 1
>>> fi
>>> There's a "force" option there, just in case you really did run it as
>>> root, which seems like bad practice to me...
>>> Just a thought!
>> +1
>> I'm all in favour of scripts not letting themselves be run as root. The
>> automake idea is better still, as permission and ownership issues from
>> running scripts as the wrong user can be very annoying to track down,
>> and that problem never resolves.
>> Personally, I also always apply this rule forcefully with no recourse:
>> Anyone who abuses the root account loses the root account.
> s/abuses/doesn't know what they're doing with/
> anyway, i don't care for such checks, i know what my UID is and things that
> think they must protect me from myself are just annoying and it's not the
> Unix manner.  but, if folks would like this, i'd be willing to add a check
> that is enabled by a rancid.conf option, which i believe would be sufficient,
> right?

That could work but I'd prefer a build-time option, which lets the sysadmin
decide what global rules are in play.

It's a concession to reality - rancid is extensively used in corporate
and semi-corporate environments where the sysadmin often doesn't get to
decide who the other users are. Lesser of two evils - bend TheUnixWay a
little, or have to deal with chown a lot.

Alan McKinnon
alan.mckinnon at gmail.com
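
The policy discussed in this thread (refuse to run as root unless forced, with the switch set at build time or in a config file), sketched as an added example. It is not RANCID's code: `RANCID_USER_BUILD`, the policy values `enforce`/`warn`/`off`, `check_run_user` and `wrong_owner_files` are hypothetical names, not real rancid.conf options.

```shell
#!/bin/sh
# Added example, not RANCID code. All names here are hypothetical.
# Build-time default: an installer would substitute the real account name.
RANCID_USER_BUILD="rancid"   # constructed value

# check_run_user UID USER EXPECTED POLICY FORCE
#   POLICY: enforce (default) | warn | off; FORCE=1 overrides a refusal.
#   Returns 0 to proceed, 1 to refuse.
check_run_user() {
    cru_uid=$1; cru_user=$2; cru_expected=$3
    cru_policy=${4:-enforce}; cru_force=${5:-0}
    if [ "$cru_policy" = "off" ]; then return 0; fi
    if [ "$cru_uid" -eq 0 ]; then
        cru_reason="running as root"
    elif [ -n "$cru_expected" ] && [ "$cru_user" != "$cru_expected" ]; then
        cru_reason="running as '$cru_user', expected '$cru_expected'"
    else
        return 0
    fi
    if [ "$cru_policy" = "warn" ] || [ "$cru_force" = "1" ]; then
        echo "warning: $cru_reason; continuing" >&2
        return 0
    fi
    echo "refusing to run: $cru_reason" >&2
    return 1
}

# wrong_owner_files DIR OWNER
#   Lists paths under DIR not owned by OWNER (name or numeric UID): the
#   leftovers of an earlier run under the wrong account.
wrong_owner_files() {
    find "$1" ! -user "$2" -print
}

# Demonstration on constructed inputs (a real script would pass
# "$(id -u)" and "$(id -un)" and exit on a refusal).
for cru_case in "0 root enforce 0" "0 root enforce 1" "1000 rancid enforce 0"; do
    set -- $cru_case
    if check_run_user "$1" "$2" "$RANCID_USER_BUILD" "$3" "$4" 2>/dev/null; then
        echo "uid=$1 user=$2 force=$4: proceed"
    else
        echo "uid=$1 user=$2 force=$4: refuse"
    fi
done
```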
