comments in /etc/passwd and group

Eric Shubert ejs at shubes.net
Thu Feb 4 12:30:08 MST 2010


If you end up having to add comments to a passwd file, my best advice is 
to CYA. Chances are pretty good that doing so will come back to bite.

I take it you're not at liberty to explain what the problem is this will 
allegedly solve.

Shawn Badger wrote:
> I am the primary sys admin of the box, but the problem is that there are 
> other sys admins that say I have to do things this way, I am trying to 
> say we need to be doing it this way.
> I would love to say that will be done my way, but without some sort of 
> justification as to why this way is better than that way I can't get them 
> to change.
> 
> I'm sure I'm not the only one that has had to play these office politics 
> games before to get someone else to come to see what the current best 
> practices are. Yes, it is sad that you have to do these things, but that 
> is the world I work in.
> 
> 
> 
> On Thu, Feb 4, 2010 at 11:37 AM, Eric Shubert <ejs at shubes.net> wrote:
> 
>     If you're the sysadmin for the host, then you should call the shots, and
>     do what you think best. When the system breaks as a result of doing
>     this, whose neck is on the line?
> 
>     How did they get the idea that someone could edit this file, let alone
>     put comments in it? It's a rather absurd idea imo.
> 
>     I think this is probably simply the wrong solution to some problem. I
>     don't believe you've told us what the problem is. If you do, perhaps
>     someone here would think of a more appropriate solution.
> 
>     Shawn Badger wrote:
>      > I agree that editing them by hand is a very bad idea, but I have some
>      > people that insist on it and they are above me in the Org chart.
>      >
>      > That being said some of those people want to include comments and such
>      > in the files. I cannot however just say no that is a stupid idea
>      > without first having something to say why that is a stupid idea.
>      >
>      > I am working on the comments and blank lines first and then after they
>      > get used to that I can work on the hand editing portion, but for now I
>      > just need something solid other than poor practice.
>      >
>      >
>      >
>      > On Thu, Feb 4, 2010 at 10:46 AM, Craig White <craigwhite at azapple.com> wrote:
>      >
>      >     On Thu, 2010-02-04 at 10:03 -0700, Shawn Badger wrote:
>      >      > Somebody did mention security to me as well, but when I asked them to
>      >      > elaborate on it they couldn't.
>      >      > I agree you can maintain a separate file for the comments, but I am
>      >      > looking for something that would say if you have blank lines in
>      >      > the /etc/passwd or /etc/group file this can happen. And if you have
>      >      > #comments in them this can happen, but so far I have not been able to
>      >      > find anything like that.
>      >      >
>      >      > In order to defend my stance, I need to be able to say this will
>      >      > happen if you do that.
>      >     ----
>      >     It seems to me that beyond...
>      >
>      >     # Do NOT hand edit these files under penalties that might include
>      >     # death, getting your hands chopped off or just termination.
>      >
>      >     seems to be unnecessary as hand editing passwd/group/shadow files is
>      >     fraught with potentially devastating possibilities and so many tools are
>      >     available to handle the job.
>      >
>      >     Not to mention that a system like LDAP is entirely capable of handling
>      >     comments.
>      >
>      >     But in fairness, I think there is a lot of context that you are not
>      >     sharing with us that would probably be meaningful to the discussion.
>      >
>      >     Craig
> 
> 
>     --
>     -Eric 'shubes'


-- 
-Eric 'shubes'
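
Added example, not part of the thread or any poster's message: a read-only check that lists every line of a passwd(5)- or group(5)-format file that is not a well-formed entry, including the blank and `#` lines discussed above, so their presence can be audited. The function names and sample data are constructed for illustration; the check only reports what is in the text and makes no claim about how any particular tool reacts to such lines.

```python
PASSWD_FIELDS = 7  # name:password:UID:GID:GECOS:home:shell
GROUP_FIELDS = 4   # name:password:GID:member-list

def lint_accounts(text, nfields, numeric_cols):
    """Return (line_number, problem) for each line that is not a valid entry."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            findings.append((lineno, "comment line" if stripped else "blank line"))
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            findings.append((lineno, f"expected {nfields} fields, found {len(fields)}"))
            continue
        name = fields[0]
        if name in seen:
            findings.append((lineno, f"duplicate name {name!r} (first on line {seen[name]})"))
        else:
            seen[name] = lineno
        for col in numeric_cols:  # UID/GID columns must be plain decimal numbers
            value = fields[col]
            if not (value.isascii() and value.isdigit()):
                findings.append((lineno, f"field {col + 1} is not numeric: {value!r}"))
    return findings

def lint_passwd(text):
    return lint_accounts(text, PASSWD_FIELDS, numeric_cols=(2, 3))

def lint_group(text):
    return lint_accounts(text, GROUP_FIELDS, numeric_cols=(2,))

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# service accounts below

alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:Bob Example:/home/bob:/bin/bash
alice:x:1002:1002:Second Alice:/home/alice2:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
# project groups
staff:x:fifty:alice,bob
"""
if __name__ == "__main__":
    for label, found in (("passwd", lint_passwd(SAMPLE_PASSWD)), ("group", lint_group(SAMPLE_GROUP))):
        for lineno, problem in found:
            print(f"{label}:{lineno}: {problem}")
```

On a live system, `pwck -r` and `grpck -r` from shadow-utils run a read-only consistency check against the real files.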


