I know that I am coming into the conversation a bit late, but after
reading the thread, I thought that I would offer up a few comments for
consideration.

Running scripts and applications as the 'root' user on any *nix platform
is just plain poor policy. First, the script or application is violating
the 'minimal privilege' rule, in which applications are given only what
they absolutely need to do what they have to do.

Secondly, if applications and scripts are installed and run with elevated
permissions in 'system' directories, such as /usr, /opt or /lib, then the
person who did the installation really needs to take a moment of pause and
rethink what they are doing.

Now there are some very good reasons for this, not the least of which is
maintainability and system recovery. Basically, this practice makes
maintaining a server a bear because the directories are not - well -
'pure' as they should be. The box - and this can be argued until blue in
the face - becomes a sandbox with junk in places where it should not be.

Similarly, there are other issues. For example, what happens if your AR
System server is running as root, and a developer or contractor that is
leaked-off at the organization decides to run a script that modifies
something in /etc or perhaps deletes some sort of other application? I've
busted people for changing file permissions like that in the past.

Likewise, sometimes admins - and I don't know what they are thinking when
they do this because it doesn't seem to make sense - place passwords into
environmentals that the application uses. Getting a password for an
account is as simple as '/bin/set > /tmp/env.txt.'

Finally, all non-standard applications on a *nix box should be run as a
non-privileged user, in a non-standard, non-system group. There is no
need to allow anything else, especially when considering that 'sudo' is
available if you need it. (Swap out ports lower than 1024 and you're fine.)
Using sudo keeps the password (if you're using password authentication) from
being transmitted in the clear over the network, and is a means of recording
who uses it for documentation and audit purposes.

The bottom line is that any installation of any non-standard application
on a *nix box should be into a non-system directory (I usually recommend
/apps or /orgname) and have any logs that they generate written to some
directory thereunder (/apps/logs, or /orgname/logs) if possible.

Likewise, there should be nothing - except symlinks if required - in the
/etc directory (where the AR System likes dumping its configs).
Installations which follow those simple rules are very easy to backup and
restore, can be installed on a non-local disk (san, nas, or just plain ol'
NFS mount) and are vastly easier to recover because no special directories
are used, nor are permissions.

Offered up constructively...


-- 

Will Du Chene
[EMAIL PROTECTED]
http://www.myspace.com/wduchene

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
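The rules laid out in the message above (install under a non-system directory, run as a non-root user, stay above port 1024, keep passwords out of the environment) expressed as a pre-deployment check script. This is an added example, not code from the post or from the AR System product; the system-prefix list, the function names, and the sample environment dump are all constructed for illustration and nothing on the live system is read.

```shell
#!/bin/sh
# Added example: checks for the install-hygiene rules from the post.
# Everything below operates on constructed input only.

# Directories the post treats as 'system' space that third-party installs
# should stay out of. Hypothetical list; extend it for your platform.
SYSTEM_PREFIXES="/usr /opt /lib /etc /bin /sbin"

# is_system_path PATH -> exit 0 when PATH is, or sits under, a system prefix.
is_system_path() {
    p=$1
    for prefix in $SYSTEM_PREFIXES; do
        case $p in
            "$prefix"|"$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# check_install INSTALL_DIR RUN_USER PORT
# Prints one FAIL line per violated rule and exits non-zero if any failed.
check_install() {
    dir=$1
    user=$2
    port=$3
    rc=0
    if is_system_path "$dir"; then
        echo "FAIL: install dir $dir is a system directory (use /apps or /orgname)"
        rc=1
    fi
    if [ "$user" = root ] || [ "$user" = 0 ]; then
        echo "FAIL: service runs as root; use a dedicated non-privileged user"
        rc=1
    fi
    if [ "$port" -lt 1024 ]; then
        echo "FAIL: port $port is privileged; move above 1024"
        rc=1
    fi
    return $rc
}

# find_env_secrets: reads NAME=value lines on stdin (the shape '/bin/set'
# would dump) and prints the names that look like credentials. Only the
# names are printed so the check itself never echoes a secret.
find_env_secrets() {
    grep -iE '^[A-Z0-9_]*(PASS|PASSWD|PASSWORD|SECRET|TOKEN)[A-Z0-9_]*=' | cut -d= -f1
}

# Constructed sample environment; the values are placeholders, not real.
SAMPLE_ENV='PATH=/usr/bin:/bin
AR_SERVER_PASSWORD=placeholder-only
HOME=/apps/arsystem
DB_PASS=placeholder-only
LANG=C'

echo "--- layout that breaks the rules ---"
check_install /opt/arsystem root 111 || true
echo "--- layout that follows them ---"
check_install /apps/arsystem arsys 8080 && echo "OK"
echo "--- credentials found in the sample environment ---"
printf '%s\n' "$SAMPLE_ENV" | find_env_secrets
```

Run it as-is to see the two layouts side by side; in practice you would feed the real install path, the service account from the init script, and the output of `env` for the service user into the same functions.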