LinuxQuestions.org


earlysame55 07-05-2009 02:40 AM

Central management
 
Dear all,

Please recommend some methods to:

- Deploy some files
- Execute some scripts as root

on a few hundred servers. I just can't think of the best way of doing it. These are RHEL servers, but we have different releases.

Thanks in advance.

Tinkster 07-05-2009 04:17 AM

cluster ssh?
RedHat satellite server?

earlysame55 07-05-2009 06:37 AM

Thanks Tinkster,

Clusterssh should be the one. But any idea whether it could be scripted to execute some commands as root on a bunch? I cannot do an ssh key exchange for root.

Cheers!!

cmdln 07-05-2009 08:11 AM

Quote:

Originally Posted by Tinkster (Post 3597150)
cluster ssh?
RedHat satellite server?

There is also puppet, and cfengine.

Tinkster 07-05-2009 05:17 PM

Quote:

Originally Posted by earlysame55 (Post 3597239)
Thanks Tinkster,

Clusterssh should be the one. But any idea whether it could be scripted to execute some commands as root on a bunch? I cannot do an ssh key exchange for root.

Cheers!!

You don't need to, as long as there's a remote user who can sudo
either w/o password, or with the same password on all clients.

The beauty of clusterssh is that you can do the "same interactive
command simultaneously on all machines" (of course, that's a danger,
too, if you fat-finger something and e.g. break networking on all
of them in one fell swoop)...



Cheers,
Tink

earlysame55 07-05-2009 11:10 PM

Thanks cmdln and Tink,

Tink, I don't mind having the root password in a file, feeding it into a script, and deleting it after the activity is done. When I configure sudo, that user will have access to run any script with the name given in the sudoers file. Security guys will not be happy with that, isn't it? What do you think?

All other apps like cfengine, puppet, etc. need to have an agent running on the clients, am I right? Is it possible for me to push a script and execute it as root with these?

cheers,

Tinkster 07-05-2009 11:46 PM

Quote:

Originally Posted by earlysame55 (Post 3597975)
Thanks cmdln and Tink,

Tink, I don't mind having the root password in a file, feeding it into a script, and deleting it after the activity is done. When I configure sudo, that user will have access to run any script with the name given in the sudoers file.

Who said? That's certainly not how sudo is normally implemented.
sudo will execute the binary given with full path in sudoers file
if it happens to be in the search PATH of the user. He will not
be able to e.g. make a script called if-down-eth0 in his home and
run that using sudo.

Quote:

Originally Posted by earlysame55 (Post 3597975)
Security guys will not be happy with that, isn't it? What do you think?

No, they wouldn't. Thank the Lord for coders with some brains, though.



Cheers,
Tink

earlysame55 07-07-2009 02:00 AM

Tinkster,

Consider the following:

user1 pluto=NOPASSWD : /home/user1/runitnow

The above line means user1 could run /home/user1/runitnow without any password as root. Am I right?
Then when this script exists, anyone can run any set of commands as the script /home/user1/runitnow without a problem. This is what I want to stop.

Cheers

Tinkster 07-07-2009 04:08 AM

Well... don't put scripts you need to run as root
in users homes, then. Simple as that. Put them
in a shared location like /usr/local/scripts, make
sure that neither the directory nor the script are
world-writable (and that the script is safe, e.g.
won't allow the user to interrupt it and end up on
a root shell; scripts and sudo are a bit of a mixed
bag .... ).



Cheers,
Tink
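
Added example, not part of the thread: a check in the spirit of the advice above, generalized to every parent directory and to file ownership, since whoever can write the script or any directory above it can replace what sudo runs as root. The function names and the optional uid and top-directory arguments are assumptions made for this example; it relies on GNU stat and readlink, as shipped with RHEL.

```shell
#!/bin/sh
# Audit a script that a sudoers entry allows to run as root.
# check_path/audit_sudo_target are hypothetical names for this example.

# check_path PATH UID
# Succeeds only if PATH is owned by UID and has no group/other write bit.
check_path() {
    owner=$(stat -c '%u' -- "$1") || return 1
    mode=$(stat -c '%a' -- "$1") || return 1
    rc=0
    if [ "$owner" != "$2" ]; then
        echo "UNSAFE: $1 is owned by uid $owner, expected $2" >&2
        rc=1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = g+w and o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "UNSAFE: $1 (mode $mode) is group- or world-writable" >&2
        rc=1
    fi
    return $rc
}

# audit_sudo_target SCRIPT [UID] [TOP]
# Checks SCRIPT and every directory from it up to TOP (default /).
# UID defaults to 0 (root). Symlinks are resolved first, so the real
# file and its real parents are what get checked.
audit_sudo_target() {
    target=$(readlink -f -- "$1") || return 1
    want_uid=${2:-0}
    top=$(readlink -f -- "${3:-/}") || return 1
    if [ ! -f "$target" ]; then
        echo "UNSAFE: $1 is not a regular file" >&2
        return 1
    fi
    status=0
    cur=$target
    while :; do
        check_path "$cur" "$want_uid" || status=1
        if [ "$cur" = "$top" ] || [ "$cur" = "/" ]; then break; fi
        cur=$(dirname -- "$cur")
    done
    return $status
}

# Run as: sh audit.sh /usr/local/scripts/runitnow
if [ "$#" -gt 0 ]; then audit_sudo_target "$@"; fi
```

Run against /home/user1/runitnow from the post above, the audit fails on ownership alone, because the script and its directory belong to user1 rather than root.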


All times are GMT -5.