[Spacewalk-list] how to block yum usage on client systems
Musayev, Ilya
imusayev at webmd.net
Thu Jun 7 02:57:04 UTC 2012
My issues is identical to yours.
I'm afraid to give users YUM access as they will begin Installing stuff left and right, bypassing the other system we use for package deployment - HP SA (aka Opsware).
Here is how I'm thinking of addressing it. If devel folks can chime in, i would appreciate it. I would need to download yum source and do either one of three:
Create a plugin for yum that will check if host is locked in spacewalk, if it is, don't do any yum operations.
OR
Modify the RHN plugin for YUM
OR
Easiest but not the cleanest, get yum source code, add a function to check if host is locked in spacewalk via API (pre-main), if it is, exit, if not, proceed.
OR
Totally ghetto approach which will take few hours atmost, create a bash wrapper script for YUM that will check if host is locked via spacewalk API(tiny bit of python involved), if yes, exit. If not, pass all arguments and execute real yum executable.
My python skills are still in it's early ages, if someone can lend a hand, I would appreciate it. If not, I will write what I can - albeit it will stand out from the rest of the code.
Any input is appreciated,
Thanks
Ilya
On Jun 6, 2012, at 6:39 PM, "rhn-satellite at epperson.homelinux.net" <rhn-satellite at epperson.homelinux.net> wrote:
> On Wed, June 6, 2012 16:17, Brian Collins wrote:
>>> Thanks Mirek,
>>>
>>> Any other options?
>>>
>>> Unfortunately it is root.
>> []
>>
>> What are you trying to accomplish? Anyone who logs in as root already has
>> enough power to do plenty of damage. If you are managing clients through
>> spacewalk, you can deny them access to packages you don't want them to
>> have. And while root can circumvent that through creative means, it would
>> be troublesome for them to do so.
>>
>
> Don't know about OP's situation, but ours is that we have clone channels
> with only security errata in them as far as errata go, but have to have up
> to date packages so the errata package dependencies can be satisfied.
> That also permits updating selected packages (or all) for a system without
> changing base channel for the system. We have SLAs that require
> application of security errata, but in general we do not otherwise update
> systems because of the risk of breaking something in the customer
> application layers (yes, a security erratum could also do that, but we're
> exempt from the SLA in that circumstance).
>
> It's not practical to blacklist lists of packages, but it's desirable not
> to have exposure of someone doing a full yum update without understanding
> the consequences. We have policy against it, and said "someone" could get
> fired, but we'd still be on the hook for a severity 1 or 2 incident.
>
>
>
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
More information about the Spacewalk-list
mailing list