Re: Grouping groups

• Previous message: Akira Kitada: "Re: "best practices" on debian"
• In reply to: Colin Watson: "Re: Grouping groups"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Wed, 31 Dec 2003 07:19:14 -0500
To: debian-user@lists.debian.org

On Tue, Dec 30, 2003 at 05:27:43PM +0000, Colin Watson wrote:
> On Tue, Dec 30, 2003 at 11:43:44AM -0500, Stephen Touset wrote:
> > I'm trying to set up a website on a Debian server in which anyone in one
> > group (www-data) can modify all files under /var/www,
>
> Don't use www-data for this. From
> /usr/share/doc/base-passwd/users-and-groups.txt.gz:
>
> Some web servers run as www-data. Web content should not be owned by
> this user, or a compromised web server would be able to rewrite a
> web site. Data written out by web servers, including log files, will
> be owned by www-data.
>
> > but anyone in another specified group (management) can only modify
> > /var/www/updates and /var/www/files.
> >
> > My idea is to create the management group, which will possess read-write
> > capabilities on /var/www/files and /var/www/updates. The most intuitive way
> > to proceed from here would be to specify that www-data "contains" the
> > management group. Thus, anyone of group www-data is also automatically of
> > group management, but anyone in group management is not automatically in
> > www-data. However, I'm not sure if it's possible to specify group
> > inheritances in /etc/groups. Is it possible?
>
> That's not possible in the Unix model of groups, I'm afraid.
>
> > Will I just have to manually add the certain users to www-data and
> > management? Or is there another way.
>
> I think I'd be inclined to hack adduser to automatically add users to
> the content group when you add them to management. Would that work for
> you?
>
> Cheers,
>
> --
> Colin Watson [cjwatson@flatline.org.uk]

Where can I find detailed information about groups, i.e., how to
create them, their usage, etc. The document pointed at by Collin
Watson is great, but too short. Any pointers?
Thanks

-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

• Previous message: Akira Kitada: "Re: "best practices" on debian"
• In reply to: Colin Watson: "Re: Grouping groups"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages RE: ISA 2004 Connectivity to Internal Web Servers ... Open ISA Server 2004 Admin Console ... Bypass proxy for Web servers in this network ... Sill in Web Browser tab, click Add button to open Add Server window. ... when all internal clients attempt to ... (microsoft.public.isa) Re: SSL Publishing issue (error 500 Target principal name is incorrect - 2146893022) ... servers I have assigned a cert with their internal FQDN and changed the ISA ... > The ISA server uses internal DNS servers to name resolution. ... > exported as PFX and imported onto both web servers and the ISA server. ... (microsoft.public.isa.publishing) Re: Securing web site with redundancy ? ... Load balancing inserts complexity though. ... Securing web site with redundancy? ... If one server goes down the DNS ... My web servers are web servers only, not at all DNS servers ... ... (Security-Basics) Re: ISA 2004: Web Publishing disabling HTTP Compression ... I can't use Server Publishing because I need to publish ... > - Doesn't Cache Compressed Responses ... >> I'm using ISA 2004 and publishing internal web servers using Web ... (microsoft.public.isa.publishing) Free SSL Buddy for Indy/IntraWeb ... SSLBuddy will help you... ... Generate Certificate Requests - SSLBuddy asks you simple, ... certificates suitable for testing secure web servers. ... and key.pem files in the format understood by the server. ... (borland.public.delphi.thirdpartytools.general)