
Etckeeper is great, but it's not clear from the docs how to check out a commit or a branch directly in /etc in a secure way. The issue is that when you do a checkout, git doesn't care about metadata and permissions, and you have to restore them using the etckeeper init command afterwards. It takes them from the .etckeeper file. This means that until that moment, sensitive information can be exposed and read by all users in the system.

Here's the relevant part of the documentation:

You can use any git commands you like, but do keep in mind that, if you check out a different branch or an old version, git is operating directly on your system's /etc. If you do decide to check out a branch or tag, make sure you run "etckeeper init" again, to get any metadata changes:

git checkout april_first_joke_etc
etckeeper init

And here's from an answer on etckeeper's forum, which adds to my confusion:

etckeeper init only restores file permissions when run in an existing repository.

Do note that there's a window where files that are supposed to be private may be exposed, depending on your umask, before the permissions are fixed up. So I can't completely recommend doing this.

The question is: would adding a small step of setting umask 077 temporarily before doing the check out suffice?

umask 077
git checkout april_first_joke_etc
etckeeper init
umask 022     # or whatever it was before, or just quit current session
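The same idea as the sequence above, as an added example that is not part of the original question: the umask change is scoped to a subshell so the calling shell's umask is left untouched, and a find(1) check afterwards lists anything under the tree that is still accessible by group or others. Only `checkout_private` touches git and etckeeper; the other functions are helpers for demonstrating the umask effect in a scratch directory, and `-perm /077` assumes GNU find.

```bash
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and GNU find.

# Run the checkout and the metadata restore under a restrictive umask.
# The subshell keeps the umask change local, so there is nothing to undo
# afterwards and the caller's umask is exactly as it was.
checkout_private() {
    ref="$1"
    (
        umask 077                 # files git creates get 0600, dirs 0700
        git checkout "$ref" &&    # operates directly on the live /etc
        etckeeper init            # restores modes/owners from .etckeeper
    )
}

# List regular files and directories under $1 (skipping .git) that grant
# any permission to group or others. Run right after "git checkout" it
# shows what the umask left exposed; after "etckeeper init" it should
# match only what /etc is meant to expose anyway.
world_accessible() {
    find "$1" -path "$1/.git" -prune -o \( -type f -o -type d \) \
        -perm /077 -print
}

count_world_accessible() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Helper for a scratch directory: create file $1/$2 under umask $3, again
# in a subshell so the umask change does not leak into the caller.
make_file_with_umask() {
    ( umask "$3"; : > "$1/$2" )
}
```

Calling `world_accessible /etc` between the checkout and `etckeeper init` is what shows the size of the window the forum answer warns about.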
  • <rant> Using etckeeper, or any change management system, on the live /etc is a crime against the Tao of System Administration</rant>. Do your change management, ownership/protection adjustment in a temporary directory located on the same filesystem, and mv it to /etc when you're pleased with it.
    – waltinator
    Commented Oct 30 at 18:13
  • @waltinator, hmm. Well, how would you do a checkout in a private directory and sync it back to /etc?
    – koddo
    Commented Oct 30 at 18:48
  • @waltinator, I mean, I don't want to move file by file manually, this is error prone. That's exactly why I'd like to use git in /etc. I'm going to edit it in its clone and then push changes back. And do rollbacks the same way.
    – koddo
    Commented Oct 30 at 18:57
