Subject: Re: /etc/security issues
To: NetBSD Userlevel Technical Discussion List <tech-userlevel@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 05/04/2001 13:24:07
[ On Friday, May 4, 2001 at 10:14:02 (-0400), Andrew Brown wrote: ]
> Subject: Re: /etc/security issues
>
> oh...that.  can you suggest as easy way to do that?

Well, I know exactly *how* to do it.  It's not necessarily "easy" no
matter which way you look at it, though the concept is trivial to
understand for anyone familiar with CVS vendor-branch support.  :-)

Done correctly it will indeed make upgrades highly automatable and
remove the need for leaving dregs in /etc.old or whatever.

The trick is to ensure that the original distribution version of every
file be checked in on the "vendor" branch of the /var/backups 

Note that you can't easily use CVS itself without introducing a whole
lot of additional complexity and perhaps even more security problems
too.  In addition the vendor-branch support in CVS isn't exactly what's
needed either -- this mechanism has to be more explicit to allow more
flexible merging policies.  Of course using CVS itself is rather
unnecessary in any case as the same techniques are trivial to apply with
the basic RCS commands, especially when in effect we're operating on a
file-by-file basis for these files.

> please note that the rcs backups mechanism doesn't change the tags
> from the released files, so you could just compare the file you've
> currently got with the released file of the same number.

Depending on the tags is silly and error prone, and besides it will not
even work at all for files that cannot have comments (e.g. /etc/master.passwd).

I currently use a highly modified version of the old "etcud" script
suggested in FreeBSD PR#5147 to merge my /usr/src/etc into /etc, but it
depends only on the RCS tags and it's terribly error prone (but better
than nothing! :-).  The FreeBSD folks have their much fancier
"mergemaster" script now, but it's still based on either a straight diff
or on the silly tag trick, and it's still really only designed for
developers or those upgrading from source....

> okay, so it's a bad example.  gimme a better one.  :P

My canonical example has been when I've got two different web servers
installed and running (on different ports, of course) but both use the
same basename for their config file:  httpd.conf.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>
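The file-by-file merge the post argues for, as an added example that is not code from the post, from NetBSD, or from the FreeBSD scripts mentioned: a three-way merge of the live /etc file against the recorded distribution ("vendor") version and the new distribution version, done with diff3, which is the same operation rcsmerge performs on an RCS vendor branch. The layout (F, F.vendor, F.new), the function names and the rc.conf-style sample contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post or NetBSD): per-file three-way merge with
# diff3, the operation rcsmerge runs on an RCS vendor branch.
# Assumed layout for each file F under /etc:
#   F.vendor  the distribution copy that was last installed (vendor version)
#   F         the live copy, carrying local edits
#   F.new     the copy shipped with the new distribution (e.g. from /usr/src/etc)
# Requires diff3 from GNU diffutils.

# Merge the local edits onto the new vendor version, writing the result to $4.
#   $1 live file   $2 recorded vendor base   $3 new vendor file   $4 output
# Exit status is diff3's: 0 clean merge, 1 conflicts (marked <<<<<<< ... >>>>>>>
# in the output, to be resolved by hand), 2 diff3 itself failed.
etc_merge() {
    diff3 -m -L local -L vendor-old -L vendor-new "$1" "$2" "$3" > "$4"
}

# Constructed rc.conf-style sample: the local edit (sshd) and the distribution's
# change (ntpd default, plus a new knob) touch different lines, so the merge
# is clean. Result is left in $1/rc.conf.merged; exit status as for etc_merge.
demo_clean() {
    printf 'sshd=NO\nsyslogd=YES\nntpd=NO\n' > "$1/rc.conf.vendor"
    printf 'sshd=YES\nsyslogd=YES\nntpd=NO\n' > "$1/rc.conf"
    printf 'sshd=NO\nsyslogd=YES\nntpd=YES\nipfilter=NO\n' > "$1/rc.conf.new"
    etc_merge "$1/rc.conf" "$1/rc.conf.vendor" "$1/rc.conf.new" "$1/rc.conf.merged"
}

# Same base, but both sides rewrote the ntpd line differently: a real conflict,
# which a comparison of RCS tags alone can never detect.
demo_conflict() {
    printf 'sshd=NO\nsyslogd=YES\nntpd=NO\n' > "$1/rc.conf.vendor"
    printf 'sshd=YES\nsyslogd=YES\nntpd=YES\n' > "$1/rc.conf"
    printf 'sshd=NO\nsyslogd=YES\nntpd=YES ntpd_flags="-g"\n' > "$1/rc.conf.new"
    etc_merge "$1/rc.conf" "$1/rc.conf.vendor" "$1/rc.conf.new" "$1/rc.conf.merged"
}

# Stand-alone run: ETC_MERGE_DEMO=1 sh etc_merge.sh
if [ "${ETC_MERGE_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    demo_clean "$d";    echo "clean case, status $?";    cat "$d/rc.conf.merged"
    demo_conflict "$d"; echo "conflict case, status $?"; cat "$d/rc.conf.merged"
    rm -rf "$d"
fi
```

A wrapper that walks /etc and calls etc_merge per file, refusing to install any output that exited with status 1, is the automatable upgrade the post has in mind.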