0

I'm responsible for maintaining a series of scripts, the purpose of which is to pull data from an API once a day and update a database. When I took over this role, the scripts were stored in SVN, and once a day a cronjob would run as root, update the svn, and then run the scripts from the svn directory.

Now, I'd like to rework the logic of this setup, switch from root to a service account, etc. I'd like to keep the scripts under version control, but it seems odd to run out of the SVN directory.

What's the best way to arrange this?

1 Answer

0

I think you've already identified the two things that should be changed:

  1. Stop running the scripts as root. There shouldn't be any reason to have to do that, and it creates an easy privilege escalation vulnerability unless only root can write to the scripts. From your description, it sounds as though the only permissions the scripts should need will be to update the SVN tree, and write to the database. So create a dedicated user account for the purpose, and give it just enough permissions to do those two things. Then run the scripts from a cron job owned by that user.

  2. If I understand right, it sounds as though the programs and the data they're pulling are being held in the same SVN repository. I guess that works, but mixing programs and data is bad practice, especially since the programs will be updated only occasionally, while the data are being updated daily. I would separate them into separate SVN repositories.

Andrew Schulman
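
The answer's condition that only root can write to the scripts can be checked before the cron job is moved to a service account. The following is an added example, not part of the original answer; the function names are hypothetical, and the directory and the service account's numeric uid are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a directory of cron-run scripts for paths that
# someone other than root or the intended service account could modify.
# Function names are hypothetical; DIR and OWNER_UID come from the caller.

# writable_by_others DIR OWNER_UID
# Prints every regular file or directory under DIR (DIR included) that is
#   - group-writable or world-writable, or
#   - owned by a uid other than 0 (root) or OWNER_UID.
# Symlinks are skipped because their own mode bits are not meaningful.
writable_by_others() {
    dir=$1
    owner_uid=$2
    find "$dir" \( -type f -o -type d \) \
        \( -perm -0020 -o -perm -0002 \
           -o \( ! -user 0 ! -user "$owner_uid" \) \) -print
}

# audit_cron_scripts DIR OWNER_UID
# Returns 0 when nothing is flagged; otherwise lists the offending paths
# on stderr and returns 1, so the cron wrapper can refuse to run.
audit_cron_scripts() {
    findings=$(writable_by_others "$1" "$2")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | sed 's/^/UNSAFE: /' >&2
    return 1
}

# Command-line use: sh audit.sh DIR OWNER_UID
if [ "$#" -eq 2 ]; then
    audit_cron_scripts "$1" "$2"
fi
```

A writable directory is flagged as well as a writable file, because write access to the directory is enough to replace a script inside it.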