[rancid] Securing RANCID installation

Howard Jones howie at thingy.com
Tue Dec 16 15:10:32 UTC 2014

On 16/12/2014 14:43, Jason Humes wrote:
> Hi
> Are there are tips or best practices for securing a RANCID installation...the clogin files, the backed up configs, etc.
> Thanks for any advice! :)
Don't tell anyone the account password who you don't trust! :-) 
Seriously, it's a bunch of scripts that run as a single non-privileged 
user, producing files owned by that user. Run everything as a dedicated 
'rancid' user, and basic Unix file permissions will take care of that. 
Your most likely information leak is the diff e-mails.

If you have a web UI for it, that's a whole different story, but that's 
not really part of RANCID either. We use mod_authnz_ldap against our AD, 
mod_python, mod_ssl and viewvc pointed to the RANCID svn files, and that 
seems to work well enough - you need to modify the group permissions for 
the svn files so that a group that apache and rancid both belong to can 
read them. Using AD (or individual htpasswd accounts) means we get audit 
logs of who accessed what in the webserver access logs.



More information about the Rancid-discuss mailing list