[opensuse] public_html security
13.1 Hi We've a php script which writes to the users public_html folders, so wwwrun needs w. I used setfacl to grant the write. The alternative is to stick it in the db. I'd prefer the former. Any problems with that? Thanks -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
El 23/03/14 17:26, lynn escribió:
13.1 Hi We've a php script which writes to the users public_html folders, so wwwrun needs w. I used setfacl to grant the write. The alternative is to stick it in the db. I'd prefer the former. Any problems with that? Thanks
what kind of data is it and in what format is stored in the case of using a database ? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, 2014-03-23 at 18:47 -0300, Cristian Rodríguez wrote:
El 23/03/14 17:26, lynn escribió:
13.1 Hi We've a php script which writes to the users public_html folders, so wwwrun needs w. I used setfacl to grant the write. The alternative is to stick it in the db. I'd prefer the former. Any problems with that? Thanks
what kind of data is it and in what format is stored in the case of using a database ?
e.g. php: shell_exec('sh h.sh'); $list= file_get_contents('s.txt'); echo nl2br($list); h.sh: #!/bin/bash ls -l > s.txt don't want to do: ... $query = "INSERT INTO testing (results) VALUES('$list')"; ... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
El 23/03/14 19:20, lynn escribió:
On Sun, 2014-03-23 at 18:47 -0300, Cristian Rodríguez wrote:
El 23/03/14 17:26, lynn escribió:
13.1 Hi We've a php script which writes to the users public_html folders, so wwwrun needs w. I used setfacl to grant the write. The alternative is to stick it in the db. I'd prefer the former. Any problems with that? Thanks
what kind of data is it and in what format is stored in the case of using a database ?
e.g. php: shell_exec('sh h.sh'); $list= file_get_contents('s.txt'); echo nl2br($list);
h.sh: #!/bin/bash ls -l > s.txt
don't want to do: ... $query = "INSERT INTO testing (results) VALUES('$list')"; ...
Hoping that is not the actual code of the application.. place the writeable part in a subdirectory in public_html.. not in public_html itself. Assuming this app can be modified, it is better to store data in a directory that is not accessible for the public. ps: execution of programs using shell_exec or other functions in PHP apart from being crazy, slow and almost always insecure, unless extreme care is taken, will probably not work correctly in a number of scenarios when PHP is running an as apache module, it has been broken for a quite a while (aprox since 2009) and no one is going to fix it. I strongly recommend you to use PHP FPM instead of the apache module. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 14-03-23 08:39 PM, Cristian Rodríguez wrote:
El 23/03/14 19:20, lynn escribió:
On Sun, 2014-03-23 at 18:47 -0300, Cristian Rodríguez wrote:
El 23/03/14 17:26, lynn escribió:
13.1 Hi We've a php script which writes to the users public_html folders, so wwwrun needs w. I used setfacl to grant the write. The alternative is to stick it in the db. I'd prefer the former. Any problems with that? Thanks
what kind of data is it and in what format is stored in the case of using a database ?
e.g. php: shell_exec('sh h.sh'); $list= file_get_contents('s.txt'); echo nl2br($list);
h.sh: #!/bin/bash ls -l > s.txt
don't want to do: ... $query = "INSERT INTO testing (results) VALUES('$list')"; ...
Hoping that is not the actual code of the application.. place the writeable part in a subdirectory in public_html.. not in public_html itself.
Assuming this app can be modified, it is better to store data in a directory that is not accessible for the public.
ps: execution of programs using shell_exec or other functions in PHP apart from being crazy, slow and almost always insecure, unless extreme care is taken, will probably not work correctly in a number of scenarios when PHP is running an as apache module, it has been broken for a quite a while (aprox since 2009) and no one is going to fix it.
I strongly recommend you to use PHP FPM instead of the apache module.
Damn! You beat me to it. (Dinner was more important than an immediate response.) I was going to tell her about the insecurity of programs in that manner. More gently, though, than if she were my subordinate. The first time a subordinate suggests doing something like that, they'd be advised to think things through again, but after reading everything they can find on secure programming. The second time it is suggested would not be conducive to a long period working for/with me. Not being a PHP programmer myself, my recommendation is from the perspective of a Perl programmer. I know just barely enough PHP to be dangerous. ;-) Mind you, I DO have a perl script or two that takes input from a user, sanitizes it (validation procedures mostly using regular expressions; but I do the same for anything that needs to be sent to a RDBMS), and then it constructs a PDF file to serve to the user. This, though, is a relatively recent development (as recent as my migration to Linux on some of my development machines), easy on Windows but not so easy on Linux (and I haven't figure out, yet, what I need to do on Linux to get that working properly even though it works flawlessly on Windows). And in my case, the web app user is NEVER a user that is defined for my host, but rather maintained in my RDBMS, in the schema used by my web app. Suggestions as to how to do this on Suse Linux, I assume differently from what I do on Windows, may be helpful to the OP, as one of my obvious needs is that whatever I do must not compromise security (and all access controls ought to be in the configuration file for Apache, rather than .htaccess). What is PHP FPM, and, if I were to create a PHP CGI script, why would I use it (and would I write that code differently than what I ought to do using only PHP with the Apache module)? Cheers, Ted -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
El 23/03/14 22:04, Ted Byers escribió:
What is PHP FPM.
Esentially is a modern version of php-fastcgi
and, if I were to create a PHP CGI script, why would I use it (and would I write that code differently than what I ought to do using only PHP with the Apache module)?
You do not need to write different code..in principle :-) Why use it..well..where I start.. - It is probably the only thing developers are using and paying attention to. - It allows you more fine granted control of what the scripts can do. - It runs in a memory space separate from the webserver. this is important. if you can compromise the interpreter due to a bug when running as an apache module, you can as well take control of everything running on the apache installation, load nasty modules, alter the webserver process.. oh boy. - It can be integrated with systemd and do all sorts of cool stuff --> https://wiki.php.net/rfc/socketactivation -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 14-03-23 09:37 PM, Cristian Rodríguez wrote:
El 23/03/14 22:04, Ted Byers escribió:
What is PHP FPM.
Esentially is a modern version of php-fastcgi
and, if I were to create a PHP CGI script, why would I use it (and would I write that code differently than what I ought to do using only PHP with the Apache module)?
You do not need to write different code..in principle :-)
Hmmm. the last time I looked at FastCGI (in one case for C++ and in the other for Perl), which admittedly was a while ago, the code needed to be structured differently, with a loop that runs forever, listening for requests, which then invoked the function call appropriate tot eh request (and the content of that function call was basically what would have otherwise been the CGI script), and extra care was required to ensure that request data did not bleed through one request to the next. Do you know, off hand, whether or not WordPress would run properly (and securely) if Apache was configured to execute all PHP code using FPM instead of mod_php? (Or should I ask that on the WordPress forum?)
Why use it..well..where I start..
- It is probably the only thing developers are using and paying attention to.
- It allows you more fine granted control of what the scripts can do.
- It runs in a memory space separate from the webserver. this is important. if you can compromise the interpreter due to a bug when running as an apache module, you can as well take control of everything running on the apache installation, load nasty modules, alter the webserver process.. oh boy.
- It can be integrated with systemd and do all sorts of cool stuff --> https://wiki.php.net/rfc/socketactivation
What is your take on Facebook's Hack with HHVM, as a putative replacement for PHP FPM? Thanks. It looks like I have some investigation to do. Cheers Ted -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
El 23/03/14 23:26, Ted Byers escribió:
Do you know, off hand, whether or not WordPress would run properly (and securely) if Apache was configured to execute all PHP code using FPM instead of mod_php? (Or should I ask that on the WordPress forum?)
Any common application should work unmodified.
What is your take on Facebook's Hack with HHVM, as a putative replacement for PHP FPM?
Have not looked at this yet. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Mon, 2014-03-24 at 00:29 -0300, Cristian Rodríguez wrote:
El 23/03/14 23:26, Ted Byers escribió:
Do you know, off hand, whether or not WordPress would run properly (and securely) if Apache was configured to execute all PHP code using FPM instead of mod_php? (Or should I ask that on the WordPress forum?)
Any common application should work unmodified.
What is your take on Facebook's Hack with HHVM, as a putative replacement for PHP FPM?
Have not looked at this yet.
13.1 Hi OK, I've installed php fpm. Now, how do I tell apache to drop mod php5 and use fpm instead? Thanks, L -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Mon, 2014-03-24 at 23:31 +0100, lynn wrote:
On Mon, 2014-03-24 at 00:29 -0300, Cristian Rodríguez wrote:
El 23/03/14 23:26, Ted Byers escribió:
Do you know, off hand, whether or not WordPress would run properly (and securely) if Apache was configured to execute all PHP code using FPM instead of mod_php? (Or should I ask that on the WordPress forum?)
Any common application should work unmodified.
What is your take on Facebook's Hack with HHVM, as a putative replacement for PHP FPM?
Have not looked at this yet.
13.1 Hi OK, I've installed php fpm. Now, how do I tell apache to drop mod php5 and use fpm instead? Thanks, L
Is it this? http://www.unixmen.com/install-lamp-server-apache-mariadb-php-opensuse-13-1/ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
El 24/03/14 19:31, lynn escribió:
On Mon, 2014-03-24 at 00:29 -0300, Cristian Rodríguez wrote:
El 23/03/14 23:26, Ted Byers escribió:
Do you know, off hand, whether or not WordPress would run properly (and securely) if Apache was configured to execute all PHP code using FPM instead of mod_php? (Or should I ask that on the WordPress forum?)
Any common application should work unmodified.
What is your take on Facebook's Hack with HHVM, as a putative replacement for PHP FPM?
Have not looked at this yet.
13.1 Hi OK, I've installed php fpm. Now, how do I tell apache to drop mod php5 and use fpm instead? Thanks, L
You have to first find a basic how to configure php-fpm, then you have to disable mod_php using: # a2dismod php5 After that you have enable mod_proxy and mod_proxy_fcgi: # a2enmod proxy proxy_fcgi Then let's assume that php scripts are stored in /srv/www/htdocs add to the apache configuration ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/srv/www/htdocs/$1 This assumes that php-fpm is running and listening on localhost port 9000. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Mon, 2014-03-24 at 19:49 -0300, Cristian Rodríguez wrote:
El 24/03/14 19:31, lynn escribió:
On Mon, 2014-03-24 at 00:29 -0300, Cristian Rodríguez wrote:
El 23/03/14 23:26, Ted Byers escribió:
Do you know, off hand, whether or not WordPress would run properly (and securely) if Apache was configured to execute all PHP code using FPM instead of mod_php? (Or should I ask that on the WordPress forum?)
Any common application should work unmodified.
What is your take on Facebook's Hack with HHVM, as a putative replacement for PHP FPM?
Have not looked at this yet.
13.1 Hi OK, I've installed php fpm. Now, how do I tell apache to drop mod php5 and use fpm instead? Thanks, L
You have to first find a basic how to configure php-fpm,
OK This does it: http://www.unixmen.com/install-lemp-server-nginx-mariadb-php-fpm-opensuse-13... I lost apache and went with nginx. Not sure whether it can be done with apache on 13.1. You also lose the mod_userdir. There's a regex hack. Will report back if I get it going. Thanks
then you have to disable mod_php using:
# a2dismod php5
After that you have enable mod_proxy and mod_proxy_fcgi:
# a2enmod proxy proxy_fcgi
Then let's assume that php scripts are stored in /srv/www/htdocs
add to the apache configuration
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/srv/www/htdocs/$1
This assumes that php-fpm is running and listening on localhost port 9000.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, 2014-03-23 at 22:26 -0400, Ted Byers wrote:
On 14-03-23 09:37 PM, Cristian Rodríguez wrote:
El 23/03/14 22:04, Ted Byers escribió:
What is PHP FPM.
Esentially is a modern version of php-fastcgi
and, if I were to create a PHP CGI script, why would I use it (and would I write that code differently than what I ought to do using only PHP with the Apache module)?
You do not need to write different code..in principle :-)
Hmmm. the last time I looked at FastCGI (in one case for C++ and in the other for Perl), which admittedly was a while ago, the code needed to be structured differently, with a loop that runs forever, listening for requests, which then invoked the function call appropriate tot eh request (and the content of that function call was basically what would have otherwise been the CGI script), and extra care was required to ensure that request data did not bleed through one request to the next.
Hi All the php scripts under our shiny new nginx/php-fpm install run unchanged. We had a struggle with prestashop, but that wasn't with the php code, more the nginx config. HTH L x -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, 2014-03-23 at 21:39 -0300, Cristian Rodríguez wrote:
El 23/03/14 19:20, lynn escribió:
On Sun, 2014-03-23 at 18:47 -0300, Cristian Rodríguez wrote:
El 23/03/14 17:26, lynn escribió:
13.1 Hi We've a php script which writes to the users public_html folders, so wwwrun needs w. I used setfacl to grant the write. The alternative is to stick it in the db. I'd prefer the former. Any problems with that? Thanks
what kind of data is it and in what format is stored in the case of using a database ?
e.g. php: shell_exec('sh h.sh'); $list= file_get_contents('s.txt'); echo nl2br($list);
h.sh: #!/bin/bash ls -l > s.txt
don't want to do: ... $query = "INSERT INTO testing (results) VALUES('$list')"; ...
Hoping that is not the actual code of the application.. place the writeable part in a subdirectory in public_html.. not in public_html itself.
Assuming this app can be modified, it is better to store data in a directory that is not accessible for the public.
Hi No, I'm not a coder. That's what I did to reproduce the error. I was told that a script wasn't working which I traced to the wwwrun permissions.
ps: execution of programs using shell_exec or other functions in PHP apart from being crazy, slow and almost always insecure, unless extreme care is taken, will probably not work correctly in a number of scenarios when PHP is running an as apache module, it has been broken for a quite a while (aprox since 2009) and no one is going to fix it.
Oh. The call to the shell seems to be working ok in 13.1
I strongly recommend you to use PHP FPM instead of the apache module.
OK. I'm secretly hoping this doesn't get out beyond the intranet. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 14-03-23 09:21 PM, lynn wrote:
El 23/03/14 19:20, lynn escribió:
On Sun, 2014-03-23 at 18:47 -0300, Cristian Rodríguez wrote:
El 23/03/14 17:26, lynn escribió:
13.1 Hi We've a php script which writes to the users public_html folders, so wwwrun needs w. I used setfacl to grant the write. The alternative is to stick it in the db. I'd prefer the former. Any problems with that? Thanks
what kind of data is it and in what format is stored in the case of using a database ?
e.g. php: shell_exec('sh h.sh'); $list= file_get_contents('s.txt'); echo nl2br($list);
h.sh: #!/bin/bash ls -l > s.txt
don't want to do: ... $query = "INSERT INTO testing (results) VALUES('$list')"; ...
Hoping that is not the actual code of the application.. place the writeable part in a subdirectory in public_html.. not in public_html itself.
Assuming this app can be modified, it is better to store data in a directory that is not accessible for the public. Hi No, I'm not a coder. That's what I did to reproduce the error. I was told that a script wasn't working which I traced to the wwwrun
On Sun, 2014-03-23 at 21:39 -0300, Cristian Rodríguez wrote: permissions. Then you probably need to consult an experienced coder.
ps: execution of programs using shell_exec or other functions in PHP apart from being crazy, slow and almost always insecure, unless extreme care is taken, will probably not work correctly in a number of scenarios when PHP is running an as apache module, it has been broken for a quite a while (aprox since 2009) and no one is going to fix it.
Oh. The call to the shell seems to be working ok in 13.1 That can be illusory. Sometimes things seem to work, but then fail in odd ways when put to the test..
I strongly recommend you to use PHP FPM instead of the apache module.
OK. I'm secretly hoping this doesn't get out beyond the intranet.
Now that is just plain wishful thinking. I suggest you find a security expert who can audit your LAN. It only takes one ill-written script, or one mal-configured server, to give a capable hacker full access to everything on your network. Several of my colleagues have been hit because of this (and it wasn't even their own code, but rather code developed by their service provider) and they had to rebuild their systems (on a different service provider) from backups. There is a reason why coders get increasingly paranoid as they gain experience and observe the experience of others. The money spent on a capable security consultant (in-house or not, actually two rather than one: one focussed on systems administration and one focussed on secure coding practices) will save countless headaches and minimize liabilities, down the road. I am by no means a security expert, but I would not hesitate to reach out to talk to one or two when I have the need and a budget for it. Cheers Ted -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, 2014-03-23 at 21:36 -0400, Ted Byers wrote:
On 14-03-23 09:21 PM, lynn wrote:
El 23/03/14 19:20, lynn escribió:
On Sun, 2014-03-23 at 18:47 -0300, Cristian Rodríguez wrote:
El 23/03/14 17:26, lynn escribió:
13.1 Hi We've a php script which writes to the users public_html folders, so wwwrun needs w. I used setfacl to grant the write. The alternative is to stick it in the db. I'd prefer the former. Any problems with that? Thanks
what kind of data is it and in what format is stored in the case of using a database ?
e.g. php: shell_exec('sh h.sh'); $list= file_get_contents('s.txt'); echo nl2br($list);
h.sh: #!/bin/bash ls -l > s.txt
don't want to do: ... $query = "INSERT INTO testing (results) VALUES('$list')"; ...
Hoping that is not the actual code of the application.. place the writeable part in a subdirectory in public_html.. not in public_html itself.
Assuming this app can be modified, it is better to store data in a directory that is not accessible for the public. Hi No, I'm not a coder. That's what I did to reproduce the error. I was told that a script wasn't working which I traced to the wwwrun
On Sun, 2014-03-23 at 21:39 -0300, Cristian Rodríguez wrote: permissions. Then you probably need to consult an experienced coder.
ps: execution of programs using shell_exec or other functions in PHP apart from being crazy, slow and almost always insecure, unless extreme care is taken, will probably not work correctly in a number of scenarios when PHP is running an as apache module, it has been broken for a quite a while (aprox since 2009) and no one is going to fix it.
Oh. The call to the shell seems to be working ok in 13.1 That can be illusory. Sometimes things seem to work, but then fail in odd ways when put to the test..
I strongly recommend you to use PHP FPM instead of the apache module.
OK. I'm secretly hoping this doesn't get out beyond the intranet.
Now that is just plain wishful thinking. I suggest you find a security expert who can audit your LAN. It only takes one ill-written script, or one mal-configured server, to give a capable hacker full access to everything on your network. Several of my colleagues have been hit because of this (and it wasn't even their own code, but rather code developed by their service provider) and they had to rebuild their systems (on a different service provider) from backups. There is a reason why coders get increasingly paranoid as they gain experience and observe the experience of others. The money spent on a capable security consultant (in-house or not, actually two rather than one: one focussed on systems administration and one focussed on secure coding practices) will save countless headaches and minimize liabilities, down the road. I am by no means a security expert, but I would not hesitate to reach out to talk to one or two when I have the need and a budget for it.
Cheers
Ted
Yeah. They do tend to generalise though. We're openSUSE/windows under AD. In Linux, nobody does Kerberos and in windows, nobody does Linux. I suppose one option is a contract with Red Hut Pizza or SuSE. This thread has worked wonders for our security. Thanks. L x -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 14-03-23 10:04 PM, lynn wrote:
On Sun, 2014-03-23 at 21:36 -0400, Ted Byers wrote:
On 14-03-23 09:21 PM, lynn wrote:
El 23/03/14 19:20, lynn escribió:
On Sun, 2014-03-23 at 18:47 -0300, Cristian Rodríguez wrote:
El 23/03/14 17:26, lynn escribió: > 13.1 > Hi > We've a php script which writes to the users public_html folders, so > wwwrun needs w. I used setfacl to grant the write. The alternative is to > stick it in the db. I'd prefer the former. Any problems with that? > Thanks > > what kind of data is it and in what format is stored in the case of using a database ?
e.g. php: shell_exec('sh h.sh'); $list= file_get_contents('s.txt'); echo nl2br($list);
h.sh: #!/bin/bash ls -l > s.txt
don't want to do: ... $query = "INSERT INTO testing (results) VALUES('$list')"; ...
Hoping that is not the actual code of the application.. place the writeable part in a subdirectory in public_html.. not in public_html itself.
Assuming this app can be modified, it is better to store data in a directory that is not accessible for the public. Hi No, I'm not a coder. That's what I did to reproduce the error. I was told that a script wasn't working which I traced to the wwwrun
On Sun, 2014-03-23 at 21:39 -0300, Cristian Rodríguez wrote: permissions. Then you probably need to consult an experienced coder.
ps: execution of programs using shell_exec or other functions in PHP apart from being crazy, slow and almost always insecure, unless extreme care is taken, will probably not work correctly in a number of scenarios when PHP is running an as apache module, it has been broken for a quite a while (aprox since 2009) and no one is going to fix it.
Oh. The call to the shell seems to be working ok in 13.1 That can be illusory. Sometimes things seem to work, but then fail in odd ways when put to the test..
I strongly recommend you to use PHP FPM instead of the apache module.
OK. I'm secretly hoping this doesn't get out beyond the intranet.
Now that is just plain wishful thinking. I suggest you find a security expert who can audit your LAN. It only takes one ill-written script, or one mal-configured server, to give a capable hacker full access to everything on your network. Several of my colleagues have been hit because of this (and it wasn't even their own code, but rather code developed by their service provider) and they had to rebuild their systems (on a different service provider) from backups. There is a reason why coders get increasingly paranoid as they gain experience and observe the experience of others. The money spent on a capable security consultant (in-house or not, actually two rather than one: one focussed on systems administration and one focussed on secure coding practices) will save countless headaches and minimize liabilities, down the road. I am by no means a security expert, but I would not hesitate to reach out to talk to one or two when I have the need and a budget for it.
Cheers
Ted Yeah. They do tend to generalise though. We're openSUSE/windows under AD. In Linux, nobody does Kerberos and in windows, nobody does Linux. I suppose one option is a contract with Red Hut Pizza or SuSE. This thread has worked wonders for our security. Thanks. L x
Yeah. I have seen that too. But, you realize there are two ways to gain access to capable help: 1) hire it from outside, and 2) develop it in house. In this case, you'd need to hire twice as many outside consultants, basically one team for your Windows boxes and another for your OpenSuse boxes. But, what you can do is take one of your brightest, more senior system administrators and send him or her out for security focussed training, once for openSuse and once for Windows, so you end up with an in house expert in both platforms. And then do the same for one of your brightest, more senior developers. And since the security issues the world faces are constantly changing, you'll have to send them for refreshers at least once a year (and their successors once they near the age where they ought to retire). That might seem to be expensive (and it will become expensive to keep such experts after they have that extra training), but to put that cost into perspective, consider the cost of not doing it and the liabilities that entails. Cheers Ted -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (3)
-
Cristian Rodríguez -
lynn -
Ted Byers