[CollEc] RePEc Visual

Thomas Krichel krichel at openlib.org
Thu Jun 4 13:02:37 UTC 2020


  Düben, Christian writes

> You mentioned in yesterday's e-mail that you gave me root
> access. However, I apparently need a password for that.

icanis@darni:~$ ssh root@darni

  Works for me. Am I missing something?  

> The app itself only needs read access. It reads data from the SQL
> database and from other files stored on disk and displays it. The
> scripts generating the data run independently of the app. They
> require read and write access to the database and the directories
> the app uses and are initiated by a scheduling system. Installing
> and updating the app requires more extensive permissions. I need
> full access to Docker and ShinyProxy for that.
>
> How about two accounts? One handles the app and has minor access
> rights. And the other generates the data, controls the Docker images
> and ShinyProxy and has larger access permissions.

  Actually I created another account "collec", then had a nap,
  and deleted it again. I don't see the point of the two accounts. 
  We don't need complicated security, as we have nothing that anybody
  could steal. But if you want to create another user you can do that.

  For reasons related to the weather, I am very sleepy at this time.

> For security reasons I suggest that these accounts can only access
> the new CollEc's database within MariaDB. This prevents any
> repercussions on non-CollEc databases. When setting these permissions
> we should make sure that "LOAD DATA LOCAL INFILE" or "LOAD DATA
> INFILE" are still available. Restricted access apparently tends to
> block these statements which I use to insert large data sets.

  root@darni has access to the mysql root account. To call my
  understanding of mysql security rudimentary would be heaping
  praise on it. 

> Feel free to choose any name you like for the account(s) and the database.

  Kindly consider the following.

  (1) Once a week, I rsync all the /home /etc /var and /root as backup
  to aigtu, except anything that is in a folder called 'opt'.  At this
  time, aigtu is short of space. It's a good idea to move bulky files
  that can be recalculated into folders called opt.  For example, all
  the icanis path data is in a directory called opt, even though it would
  take months to regenerate it. You can do a

  cd /var/lib/mysql
  mkdir -p /var/lib/mysql/opt/foo     
  ln -s opt/foo foo
  cd /var/lib/mysql 

  (2) At server migration time---not imminent for helos and darni,
  both are quite new---I copy all of /home, /root and /var as is. All
  other directories will be dealt with by hand. Thus the change in
  /lib/, proposed by the shiny app installation is problematic because
  it needs to be remembered in a few years' time when I migrate.  For
  sudo, just use /etc/sudo/sudoers.d files. They can conveniently be
  rsynced at migration time. We operate in a resource-poor environment
  where migrations take place only every few years, so I don't use
  things like docker that are important when you have lots of
  servers. But it pays off to keep things in users' home directories.


-- 

  Cheers,

  Thomas Krichel                  http://openlib.org/home/krichel
                                              skype:thomaskrichel
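
The per-database MariaDB permissions suggested in the quoted text, as an added example that is not part of the original e-mail: one read-only account for the app and one read/write account for the data scripts, both confined to a single database, with the two LOAD DATA variants handled separately. The database name collec, the account names collec_app and collec_data, the host 'localhost' and the passwords are assumptions or placeholders; nothing here was chosen in the thread.

```sql
-- Added example. Names, host and passwords are assumptions/placeholders.
-- Run from the MariaDB root account.
CREATE DATABASE IF NOT EXISTS collec;

-- Account used by the app: read-only, and only inside the collec database.
CREATE USER 'collec_app'@'localhost' IDENTIFIED BY 'CHANGE_ME_APP';
GRANT SELECT ON collec.* TO 'collec_app'@'localhost';

-- Account used by the data-generating scripts: read/write plus schema
-- changes, still only inside the collec database.
CREATE USER 'collec_data'@'localhost' IDENTIFIED BY 'CHANGE_ME_DATA';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
  ON collec.* TO 'collec_data'@'localhost';

-- LOAD DATA LOCAL INFILE: the client reads the file and sends it to the
-- server, so the account needs only INSERT on the target table (granted
-- above). What usually blocks it is the server-side switch, not the grants.
SHOW GLOBAL VARIABLES LIKE 'local_infile';
-- If the value is OFF, enable it (and set local_infile=1 in the server
-- configuration so it survives a restart):
-- SET GLOBAL local_infile = 1;

-- LOAD DATA INFILE (without LOCAL): the server itself reads the file. This
-- needs the FILE privilege, which is global and cannot be limited to one
-- database, so it is left commented out. Grant it only if server-side
-- loading is really required.
-- GRANT FILE ON *.* TO 'collec_data'@'localhost';
-- Server-side loads are also confined to this directory when it is set:
SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';

-- Check the result: neither account should show a grant on any database
-- other than collec.
SHOW GRANTS FOR 'collec_app'@'localhost';
SHOW GRANTS FOR 'collec_data'@'localhost';
```

Scripts running inside Docker containers may connect from a host other than 'localhost'; the host part of each account would then need to match the container network.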


