
Re: NFS-mounting crontabs



martin f krafft said on Sat, Nov 06, 2004 at 12:30:06PM +0100:
> also sprach Mark Ferlatte <ferlatte@cryptio.net> [2004.11.06.0123 +0100]:
> > Do you really want your users' crontabs to run on every host in your cluster?
> 
> They are mounted from master:/srv/var/spool/crontabs/${HOSTNAME}, so
> they are per host.
 
Okay.  I guess my next question is: why do you want your user crontabs NFS
mounted from your clients?  Since they are local configs, why not just let them
be local?  If you feel that you have to back up your crontabs for each host,
have a cronjob on each host that does a cp -a /var/spool/cron
/mount/master/srv/var/spool/crontabs/$HOSTNAME, or whatever.

This actually closes a security hole; if you are NFS mounting your crons, then
all I have to do is spoof your client's NFS mount (or response) to get cron to
run any command I want as any user on that system.

> One idea I had last night is a crontab wrapper, along with
> a root_squash NFS export. A cron job copies the files from there to
> /var/spool/cron/crontabs as you describe. But when the user calls
> crontab, what happens is that the file is first explicitly copied
> from the NFS mount, then crontab(1) is invoked, and upon exit, the
> user crontab is saved back to the NFS. I think this would work fine,
> don't you think?

Sure, if you want to go that way, a wrapper around crontab is fine.

M
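
The backup-only arrangement suggested in the message above, as an added example that is not part of the original post: crontabs stay on local disk and are only copied out to the per-host directory on the NFS server, so cron never reads anything that came over NFS. The function name and the safety checks are assumptions of this sketch; the paths in the usage comment are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper): one-way backup, local spool -> NFS.
# Nothing is ever copied back from NFS into the spool that cron reads.

backup_crontabs() {
    src=$1        # local crontab spool
    dest_root=$2  # NFS-mounted backup root
    host=$3       # per-host subdirectory name

    # Reject host names that could escape dest_root.
    case $host in
        ''|.|..|*/*) echo "bad host name: $host" >&2; return 2 ;;
    esac
    [ -d "$src" ] || { echo "no such spool: $src" >&2; return 2; }
    # Refuse to run if the backup root is missing (for example NFS is not
    # mounted) rather than silently creating it on the local disk.
    [ -d "$dest_root" ] || { echo "backup root missing: $dest_root" >&2; return 3; }

    dest=$dest_root/$host
    mkdir -p "$dest" || return 3
    count=0
    for f in "$src"/*; do
        # Copy only regular files; skip symlinks so a link planted in the
        # spool cannot make root copy some other file to the server.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=${f##*/}
        # Write to a temporary name, then rename, so a partial copy never
        # replaces a good backup.
        tmp=$dest/.$name.tmp.$$
        if cp -p "$f" "$tmp" && mv -f "$tmp" "$dest/$name"; then
            count=$((count + 1))
        else
            rm -f "$tmp"
            return 4
        fi
    done
    echo "$count"   # number of crontabs backed up
}

# From root's crontab on each host, for example:
# backup_crontabs /var/spool/cron /mount/master/srv/var/spool/crontabs "$(hostname)"
```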
