Re: Using GIT to store /etc (Or: How to make GIT store all file permission bits)

[Jakub Narebski <jnareb@gmail.com>]

Kyle Moffett wrote:
> On Dec 10, 2006, at 10:30:00, Jakub Narebski wrote:
>> Jeff Garzik wrote:
>>>
>>> I actively use git to version, store and distribute an exim mail  
>>> configuration across six servers.  So far my solution has been a  
>>> 'fix perms' script, or using the file perm checking capabilities  
>>> of cfengine.
>>
>> Fix perms' script used on a checkout hook is a best idea I think.
> 
> Hmm, unfortunately that has problems with security-related race  
> conditions when used directly for /etc.  Think about what happens  
> with "/etc/shadow" in that case, for example.  (/etc/.git is of  
> course 0700)  I'm sure there are others where non-root daemons get  
> unhappy when they get an inotify event and their config files have  
> suddenly become root:root:0600.  I also want to be able to "cd /etc  
> && git status" to see what changed after running "apt-get update" or  
> maybe fiddling in SWAT or webmin, so a makefile which installs into / 
> etc won't quite solve it either.  It would also be nice to see when  
> things change the permissions on files in /etc, or even bind-mount an  
> append-only volume over /etc/.git/objects to provide additional data  
> security.

The idea is to not store /etc in git directly, but use import/export
scripts, which for example saves permissions and ownership in some
file also tracked by git on import, and restores correct permissions
on export. That is what I remember from this discussion. This of course
means that you would have to write your own porcelain...

What about mentioned in other email IsiSetup?

-- 
Jakub Narebski
Warsaw, Poland