using bazaar as root

John Arbash Meinel john at arbash-meinel.com
Fri Dec 19 22:37:51 GMT 2008



Rahul Nabar wrote:
> I was very satisfied with using Bazaar at versioning my own user
> config files and scripts and now I thought about doing the same as
> root for all the system-wide configs.
> 
> I went to / and set a * in my .bzrignore.
> 
> Then did a "bzr init /" and think I am all set to add and commit
> individual files that I think ought to be version controlled.
> 
> Any special caveats while operating as root? I was just a little
> nervous of any security implications etc. I'd rather not break down my
> whole in-production system!

The primary issue is that we don't version the file permissions. We
generally *preserve* them, but if you delete a file completely, and then
use "bzr revert" to bring it back, it will come back based on your
umask. So likely to either be rw-rw-r-- or rw-r--r-- (umask 0002, 0022
respectively).

> 
> Besides another difference that I was curious about was this: As
> foouser my .bzr directory gets made in ~foouser/ after a "bzr init ~/"
> 
> But as root I did a "bzr init /" and not a "bzr init ~root". I have to
> do this, right? Else it would not version files outside of the /root
> tree. When I do a "bzr add" on a file deep inside a nested dir
> structure how exactly does bzr decide which .bzr directory to update?
> 

Correct. bzr will use the closest containing directory. So if you do:

bzr init /
bzr init /path/to/subdir

and then do
bzr add /path/to/subdir/file

it will add it to /path/to/subdir, and not the one in /.


I'll also mention that because of security concerns, some people like to
create a user specifically for this, and then give them write access to
/.bzr/ and everything underneath it.

At that point they usually only need read access to the files that are
to be versioned. And that means they can have more restricted access
than running directly as root. (Note that there are still some files
that people make readable *only* to root, so this doesn't always work.)

John
=:->
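An added example, not part of the original message and not Bazaar code: because permissions are preserved but not versioned, a small manifest of mode, uid and gid can be kept next to the branch and checked after a revert. The function names and the file name `secret.conf` are hypothetical, and the recreated file stands in for what "bzr revert" would produce under umask 0022.

```python
import json, os, stat, tempfile

def snapshot(paths):
    """Record mode, uid and gid per file: the metadata the reply says bzr does not version."""
    manifest = {}
    for p in paths:
        if os.path.islink(p):          # chmod would follow the link, so leave links out
            continue
        st = os.stat(p)
        manifest[p] = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    return manifest

def drift(manifest):
    """Map each path whose metadata changed to (recorded, current); current is None if missing."""
    changed = {}
    for p, want in manifest.items():
        have = snapshot([p]).get(p) if os.path.exists(p) else None
        if have != want:
            changed[p] = (want, have)
    return changed

def restore(manifest, chown=False):
    """Put recorded modes back (and owners when chown=True, which needs root)."""
    for p, (want, have) in drift(manifest).items():
        if have is None:
            continue                   # file still missing: nothing to fix up
        os.chmod(p, want["mode"])
        if chown:
            os.chown(p, want["uid"], want["gid"])

def demo():
    """Constructed scenario: a 0600 file is deleted, then recreated under umask 0022."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.conf")      # hypothetical file name
        with open(path, "w") as f:
            f.write("key=value\n")
        os.chmod(path, 0o600)
        manifest = json.loads(json.dumps(snapshot([path])))  # survives a JSON round trip
        os.remove(path)
        old = os.umask(0o022)
        try:
            with open(path, "w") as f:             # stands in for "bzr revert"
                f.write("key=value\n")
        finally:
            os.umask(old)
        seen = drift(manifest)[path][1]["mode"]
        restore(manifest)
        return oct(seen), drift(manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest is plain JSON, so it can be committed alongside the versioned files and compared after any operation that recreates them.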


