[ On Thursday, April 28, 2005 at 09:59:05 (+0100), Brian Candler wrote: ]
> Subject: Re: [exim] Exim Performance / Server Performance
>
> On Thu, Apr 28, 2005 at 03:49:29AM -0400, Greg A. Woods wrote:
> > Finally it's also trivial to write a little script that can be called
> > from cron every half hour or so to pull a list of valid accounts from
> > any SQL based database server and transform it into the standard system
> > password file. (though it's easier to write it in python or ruby, even
> > if much more expensive to run, than it is to write it in plain sh + awk :-)
>
> Yeah, and you have to be damned sure that you've done a good job, otherwise
> you risk locking yourself out of the system completely.

Actually, no, I don't have any such risk -- I didn't trust the database
hooks that much, so I made sure that local administrative and system
user accounts were guaranteed to always be there. It's really not that
difficult to do this safely, securely, and efficiently.

> You may choose to build your systems like that. But many of us choose to
> build our systems using a *separate* authentication database for our users,
> not messing with the system password file.

Your decision, obviously, but clearly you face infinitely more risks
(both security and reliability) and suffer greatly from far more
unnecessary overhead than my systems do. Waste-not, want-not. ;-)

--
Greg A. Woods
H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
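
Added example, not part of the original message and not either poster's script: a sketch of the merge step such a cron job needs so that database rows can never remove, shadow or duplicate a local administrative or system account. The seven-field passwd layout, the UID floor of 1000, the separate local base file, the name rule and the function names are all assumptions; password hashes are out of scope and assumed to live in a shadow file.

```python
import os, re, tempfile

MIN_DB_UID = 1000  # assumption: UIDs below this are reserved for local accounts
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumption: conservative login-name rule

def merge_passwd(local_lines, db_rows, shell="/usr/sbin/nologin"):
    """Return passwd lines: all local entries verbatim, then validated DB accounts."""
    out, names, uids = [], set(), set()
    for line in local_lines:
        f = line.rstrip("\n").split(":")
        if len(f) != 7 or not f[2].isdigit():
            raise ValueError(f"malformed local entry: {line!r}")  # never drop an admin silently
        out.append(":".join(f)); names.add(f[0]); uids.add(int(f[2]))
    if "root" not in names:
        raise RuntimeError("no root in local base file; refusing to build")
    for name, uid, home in db_rows:
        if not isinstance(name, str) or not NAME_RE.fullmatch(name) or name in names:
            continue  # invalid name, or would shadow a local account
        if not isinstance(uid, int) or uid < MIN_DB_UID or uid in uids:
            continue  # reserved UID range or duplicate UID
        if not isinstance(home, str) or not home.startswith("/") or ":" in home or "\n" in home:
            continue  # would inject extra fields or lines into the file
        out.append(f"{name}:x:{uid}:{uid}:{name}:{home}:{shell}")
        names.add(name); uids.add(uid)
    return out

def write_atomic(path, lines):
    """Write beside the target, fsync, then rename so readers never see a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
        fh.flush()
        os.fsync(fh.fileno())
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)

if __name__ == "__main__":
    # Constructed sample data: a local base file and rows as a DB cursor would return them.
    local = ["root:x:0:0:root:/root:/bin/sh", "admin:x:500:500:Admin:/home/admin:/bin/sh"]
    rows = [("alice", 1001, "/home/alice"), ("root", 1002, "/tmp"), ("bob", 0, "/home/bob")]
    for entry in merge_passwd(local, rows):
        print(entry)
```

Because the build raises before anything is written when the local base is malformed or lacks root, a failed run leaves the previous password file in place.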