Forum: CFEngine Help
Subject: Re: CFEngine Help: Re: Config file where order matters
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,25449,25474#msg-25474

It's drifting off topic, but... I don't use the .d include with sudoers for a couple of reasons. I'm working with tens of thousands of potential rules, and since sudo re-reads the sudoers file on every execution, a whole bunch of files would require a whole bunch of stat and open calls for each execution, resulting in measurably slower execution than just reading one big file.

My bigger concern, though, is that I need to make sure that CFEngine is the single authoritative source for all sudo rules. With a single file edit, I just set edit_defaults to empty, and the file only contains what I say should be in there; if a rogue admin adds a rule, it gets stomped on easily. If I use the .d, then it's a tad more difficult to - in a convergent and CFEngine-native way - remove any files which were created outside of my process.

I probably should be moving to storing the rules in LDAP, honestly. That would be substantially faster to parse (since it's just a single direct query to an indexed database, rather than reading a file or files, building a table, and a lookup in that table), less prone to errors, and immediately available. But that's more work for later. :)

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
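The "edit_defaults => empty" approach the post describes, written out as an added CFEngine 3 policy example (not the poster's own policy); it assumes the standard library is available via $(sys.libdir)/stdlib.cf and uses a constructed rule list in place of the real ruleset.

```cfengine3
body common control
{
  inputs         => { "$(sys.libdir)/stdlib.cf" };
  bundlesequence => { "sudoers_authoritative" };
}

bundle agent sudoers_authoritative
{
  vars:
    # Constructed rules for illustration only; in practice these would come
    # from the policy hub (or, as the post suggests, an LDAP query).
    "rules" slist => {
      "Defaults  requiretty",
      "root      ALL=(ALL) ALL",
      "%wheel    ALL=(ALL) ALL"
    };

  files:
    "/etc/sudoers"
      create        => "true",
      perms         => mog("0440", "root", "root"),
      # stdlib "empty" sets empty_file_before_editing => "true", so any rule
      # added by hand is discarded on every run and only "rules" survives.
      edit_defaults => empty,
      edit_line     => insert_lines(@(rules)),
      classes       => results("bundle", "sudoers");

  reports:
    # results() defines sudoers_repaired when the file had drifted; a repair
    # here is a detection signal worth forwarding, not just a fix.
    sudoers_repaired::
      "/etc/sudoers differed from policy and was rewritten";
}
```

Because a syntactically broken sudoers locks everyone out of sudo, a practitioner would normally validate the generated content with visudo -c before letting this promise touch the live file.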