user-permissions questions - Page 1

strugee

Asked: 2013-04-06 00:40:12 +0800 CST

Why shouldn't you let developers near root passwords? [duplicate]

24

I just came across Something is burning in the server room; how can I quickly identify what it is?. In the comments I found the following quote:

you don't let a developer anywhere near your root passwords

As a developer but also someone very interested in sysadmin stuff, I'm wondering if there's anything to this phrase more than just the standard for everyone - that is, don't give away passwords? The commentor states this as though it's fairly common knowledge in the sysadmin community. Is it?

davidscolgan

Asked: 2012-03-29 18:50:40 +0800 CST

Limit which processes a user can restart with supervisor?

15

I have used supervisor to manage a Gunicorn process running a Django site, though this question could pertain to anything being managed by supervisor. Previously I was the only person managing and using our server, and supervisor just ran as root and I would use sudo to run supervisorctl restart myapp when needed.

Now our server has to support multiple users working on different sites, and each project needs to be able to restart their own gunicorn processes without being able to restart other users' processes.

I followed this blog post:

http://drumcoder.co.uk/blog/2010/nov/24/running-supervisorctl-non-root/

and was able to allow non-root users to use supervisorctl, but now anyone can restart anyone else's processes. From the looks of it, supervisor doesn't have a way of doing per-user access control.

Anyone have any ideas on how to allow users to restart only their own processes without root?

EDIT: Some things we've thought about include writing a script owned by root with the suid bit set that contains nothing but supervisorctl restart myapp and putting it in the directory of the user who owns myapp. The internet seems to be saying that such a script is insecure if done wrongly. We also considered writing a custom daemon that listens for commands from specific users and restarts the supervisor process if the user has permission. This idea seems overly complicated if a simpler solution would work.

Luis Fernando Alen

Asked: 2012-02-24 11:13:07 +0800 CST

How does mysql determine the hostname of its clients?

15

I'm trying to create a MySQL user which will only be allowed to connect to the MySQL database from a specific hostname.

grant all on db_name.* to 'user_name'@'appserver-lan.mydomain.com' identified by 'some_passwd'

By checking the user table on the mysql db, I can see that the user was created successfully:

use mysql; select * from user where User='user_name' and Host='appserver-lan.mydomain.com'

or

show grants for 'username'@'appserver-lan.mydomain.com'

The hostname I specified is an alias to an amazon-ec2 name, which when resolved by the AWS DNS servers results in a LAN address:

[root@db_server ~] # host appserver-lan.mydomain.com

appserver-lan.mydomain.com is an alias for ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com has address 10.xxx.xxx.xxx

The problem is that when I try to connect to the database LAN IP from this appserver-lan, I get an access denied error, although the password is correct. The weird thing here is that the hostname showed in the error is not the hostname I had specified when the user was created:

ERROR 1045 (28000): Access denied for user 'user_name'@'appserver.mydomain.com' (using password: YES)

So, my question is: how does mysql determines the client hostname? I believe it doesn't do so by a reverse DNS lookup, since I checked and it does not point to "appserver.mydomain.com" neither to "appserver-lan.mydomain.com". Additionally, the db server has no entries related to the appserver on /etc/hosts.

Summarizing, I'm pretty sure it's a hostname resolution issue, since granting privileges for host "%" or to the LAN IP works just fine.

Any ideas of what I'm missing?

user82250

Asked: 2011-11-22 10:14:59 +0800 CST

Executing a command as a nologin user

60

I've recently set up my server so that my suPHP 'virtual' users can't be logged into by using this article

My issue now is that before when I ran a rake command for my Ruby on Rails application running on the server, I used su to go into www-data and execute the command from there - obviously I can't do that anymore because of the nologin.

So as a root user, how can I execute commands as other user's, even if they are nologin?

Agvorth

Asked: 2009-07-07 13:54:40 +0800 CST

How can I copy MySQL users table from one server to another? [duplicate]

40

I'm setting up up a new MySQL server and I'd like to give it the same set of usernames, allowed hosts, and passwords as an existing server (which is going away).

Would it work to just do a dump of the users table and then load it on the new server?

Is there a better way than that?

Why shouldn't you let developers near root passwords? [duplicate]

Limit which processes a user can restart with supervisor?

How does mysql determine the hostname of its clients?

Executing a command as a nologin user

How can I copy MySQL users table from one server to another? [duplicate]

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

Questions[user-permissions](server)