NIS, automounting, Solaris and headaches

Mark Komarinski mkomarinski at wayga.org
Mon Sep 16 14:39:23 EDT 2002


On Mon, Sep 16, 2002 at 01:25:51PM -0400, pll at lanminds.com wrote:
> In a message dated: Mon, 16 Sep 2002 13:01:02 EDT
> Mark Komarinski said:
> 
> >> I'd personally switch over entirely to indirect maps, but be sure to
> >> document WHY directly in the map files.  This will help future
> >> administrators who've been accustomed to using direct maps to not make
> >> the mistake of trying to switch back.
> >
> >The researchers used to be the admins of the system.
> 
> Always a recipe for disaster :)  People who are smart enough to figure 
> out how to do it, but can't be bothered with doing right because they 
> have too much "real" work to do!
> 
> I've lost track of the number of environments I've had to clean up 
> from this scenario over the years :)
> 
> Of course, I consider it a relatively good thing, since it is a sort 
> of job security!

Allow me to give (most of) you the heebie-jeebies.

Here's just a few of the problems I've run into so far.  Each is bad
in its own way, but it's the combination that makes it worse:

1) RSH is used everywhere.  They're behind a firewall, so consider themselves
secure from attack.
2) Relating to #1, root has RSH authority everywhere.  I don't have the
actual pw for some of the systems, forcing me to rsh over.
3) SGI boxes that have not had any updates (security or otherwise) in years.
Ditto existing wintel boxes.  A few RH Linux boxes that users have installed
too (also no patches installed).
4) If you run out of hard drive space, find a machine (anywhere!) that has
physical space in it, slap in a drive, and NFS-mount it everywhere.
I would guess that about 2/3 of the NFS space available (~1TB) is outside
of a physically-controlled area.  NONE of it is protected by RAID, let
alone a UPS.  They're at least occasionally backed up.
5) to a backup machine that has one working AIT drive.  With a total
capacity of the library of 550GB.
6) Direct maps in autofs.  Probably easy in a lot of respects, but a pain
to manage.
7) Did I mention *everything* is maintained via NIS?  Only the NIS master
server is in a physically controlled location.
8) Did I mention that IRIX has a really obscure NIS implementation?
9) Hubs and switches abound.  Mismatches of full and half duplex
can cause some pretty serious "the network is slow" problems.

So yea, I have some pretty serious job security.  If I don't start
strangling people.

-Mark


