[Spacewalk-list] how to block yum usage on client systems

Musayev, Ilya imusayev at webmd.net
Thu Jun 7 18:45:31 UTC 2012 

An example, various business units have their own developers/admins that require root on their own servers which run in their own SILOs.

The right way of deploying RPMs in house is through an intermediary utility such as opsware SA. Through that, we can reproduce and keep the state of the box consistent. If the box was to die, a new one comes up online and the same RPMs+configs (via software policy created on opsware) will be installed - end of story - box is ready to be used.

IF we loosen the access now with spacewalk, then rogue elements will take shortcuts and quickly deploy this or that RPM - because its convenient. 

In the long term - not easily reproducible and will create a mess - especially when count of servers is in 1000s.

I agree there are many ways to poke a hole and get around YUM, but restricting YUM via spacewalk - would at least give some piece of mind - knowing - no one deployed and installed something that would not be easily reproducible in the future.

Its a business mindset - i don't disagree with - and i have to work with it.






________________________________________
From: spacewalk-list-bounces at redhat.com [spacewalk-list-bounces at redhat.com] On Behalf Of Brian Collins [brianc at sedata.com]
Sent: Thursday, June 07, 2012 1:48 PM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] how to block yum usage on client systems

> My issues is identical to yours.
>
> I'm afraid to give users YUM access as they will begin Installing stuff left and
> right, bypassing the other system we use for package deployment - HP SA
> (aka Opsware).

If they have root, they can also just go grab tarballs, make them, and install them.  Or they can wget pre-built RPMs and install them using 'RPM'.  The real problem is that you have users with root access whom you do not trust.  THAT is the problem to fix.  Either trust them or remove root from them.

Also, what software might they install that you do not want them having?

--Brian Collins

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

More information about the Spacewalk-list mailing list