MiniVend Akopia Services


Re: multiuser setup



******    message to minivend-users from mikeh@minivend.com     ******

Quoting mikeh@minivend.com (mikeh@minivend.com):
> Quoting pacman@cqc.com (pacman@cqc.com):
> > We already use gids for actual *group*ing of customers (imagine that, groups
> > being used as they were intended) so an approach based on the
> > one-user-per-group hack isn't going to work.
> > 
> 
> And what is bad? Or incompatible? Is it not simple just to add a new
> series of groups to your /etc/group file?
> 
> user1cat:x:10001:user1,minivend
> user2cat:x:10002:user2,minivend
> 
> What does any of this do to invalidate your current groups? ?? ???
> 
> Remember, a user can be a member of more than one group on any modern
> *NIX. If you set the SGID bit in the directory, group ownership on
> newly-created files becomes automatic, so that is not a concern. I set
> all catalog directories thusly:
> 
> -rw-rw----   1 value    value       35997 Apr 29 10:10 catalog.cfg
> drwxrws---   2 value    value        1024 Apr 25 23:08 config
> -rw-rw----   1 minivend value        3105 May 24 13:11 error.log
> -rw-rw----   1 value    value        3492 May 24 09:58 error.log.gz
> drwxrws---   2 value    value        1024 May 21 00:49 etc
> drwxrws---   8 value    value        2048 May 24 14:13 pages
> drwxrws---   2 value    value        2048 May 24 13:28 products
> drwxrws---   2 value    value        1024 Apr 25 23:16 session
> -rw-rw----   1 minivend value      780385 May 24 21:02 session.gdbm
> drwxrws---   4 value    value        1024 May 23 11:19 tmp
> 

I should mention one other scheme:

-rw----rw-   1 value    users       35997 Apr 29 10:10 catalog.cfg
drwx---rws   2 value    users        1024 Apr 25 23:08 config
-rw----rw-   1 minivend users        3105 May 24 13:11 error.log
-rw----rw-   1 value    users        3492 May 24 09:58 error.log.gz
drwx---rws   2 value    users        1024 May 21 00:49 etc
drwx---rws   8 value    users        2048 May 24 14:13 pages
drwx---rws   2 value    users        2048 May 24 13:28 products
drwx---rws   2 value    users        1024 Apr 25 23:16 session
-rw----rw-   1 minivend users      780385 May 24 21:02 session.gdbm
drwx---rws   4 value    users        1024 May 23 11:19 tmp

This way, all members of group "users" will be denied access to
the files, since the permission assignment is based on the first
match in user, group, and world order.

I don't consider this to be as good, because unless you put your HTTP
server process user (and other daemon/inetd process users) in "users" it has
write access to the directory, but it does otherwise have its advantages.

If you include all users except "minivend" in a group "nonmvend" then
it will be secure, but you must remember to add everyone to that group.

-- 
Mike Heins                          http://www.minivend.com/  ___ 
                                    Internet Robotics        |_ _|____
I don't buy from direct             131 Willow Lane, Floor 2  | ||  _ \
telephone or email marketers.       Oxford, OH  45056         | || |_) |
This makes it hard for              <mikeh@minivend.com>     |___|  _ <
me to find a phone company. ;>      513.523.7621 FAX 7501        |_| \_\
-
To unsubscribe from the list, DO NOT REPLY to this message.  Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list
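The "first match in user, group, and world order" rule that both listings in the message rely on, modelled as an added example (not code from the post or from MiniVend). It checks the `ls -l` mode strings quoted above against constructed user/group memberships ("value", "minivend", "www", "alice" and the groups "users" and "nonmvend" are assumptions standing in for a real /etc/group) and also shows why an SGID directory makes new files inherit the catalog group.

```python
"""Model of the POSIX permission check the message relies on.

Added example, not code from the original post or from MiniVend. User
names, group names and memberships are constructed to mirror the two
``ls -l`` listings; the rule implemented is the standard one: exactly one
class (owner, then group, then other) is selected and the rest ignored.
"""
from typing import Dict, List, NamedTuple, Set


class Entry(NamedTuple):
    mode: str    # 10-character ls -l mode string, e.g. "-rw----rw-"
    owner: str
    group: str


def _bits(triplet: str) -> Set[str]:
    """Permissions granted by one rwx field; 's'/'t' imply execute."""
    perms = set()
    if triplet[0] == "r":
        perms.add("r")
    if triplet[1] == "w":
        perms.add("w")
    if triplet[2] in ("x", "s", "t"):
        perms.add("x")
    return perms


def check_access(entry: Entry, user: str, groups: Dict[str, List[str]], want: str) -> bool:
    """True if `user` may do `want` (r, w or x) on `entry`.

    Owner class if the uid matches, else group class if the user is a member
    of the file's group, else other. No fall-through: a group member hitting
    "---" is denied even though "other" would grant rw.
    """
    if user == entry.owner:
        cls = entry.mode[1:4]
    elif user in groups.get(entry.group, []):
        cls = entry.mode[4:7]
    else:
        cls = entry.mode[7:10]
    return want in _bits(cls)


def new_file_group(directory: Entry, creator_primary_group: str) -> str:
    """Group a new file gets inside `directory`: the directory's own group
    when its SGID bit is set (s/S in the group-exec slot), else the
    creator's primary group. This is the 'drwxrws---' trick in the post."""
    if directory.mode[6] in ("s", "S"):
        return directory.group
    return creator_primary_group


# Constructed memberships (hypothetical /etc/group contents):
# scheme 1: catalog group "value" holds the owner and the daemon user.
GROUPS_SCHEME1 = {"value": ["value", "minivend"], "users": ["value", "alice", "www"]}
# scheme 2: "users" is the deny-group; minivend and the HTTP user "www" are
# NOT in it, which is exactly the caveat the message raises about www.
GROUPS_SCHEME2 = {"users": ["value", "alice"]}
# variant from the last paragraph: everyone except minivend in "nonmvend".
GROUPS_NONMVEND = {"nonmvend": ["value", "alice", "www"]}


def scheme1_results() -> Dict[str, bool]:
    cfg = Entry("-rw-rw----", "value", "value")
    return {
        "minivend_can_write": check_access(cfg, "minivend", GROUPS_SCHEME1, "w"),
        "alice_can_read": check_access(cfg, "alice", GROUPS_SCHEME1, "r"),
    }


def scheme2_results() -> Dict[str, bool]:
    cfg = Entry("-rw----rw-", "value", "users")
    return {
        "minivend_can_write": check_access(cfg, "minivend", GROUPS_SCHEME2, "w"),
        "alice_can_read": check_access(cfg, "alice", GROUPS_SCHEME2, "r"),
        "www_can_write": check_access(cfg, "www", GROUPS_SCHEME2, "w"),  # the caveat
    }


def nonmvend_results() -> Dict[str, bool]:
    cfg = Entry("-rw----rw-", "value", "nonmvend")
    return {
        "minivend_can_write": check_access(cfg, "minivend", GROUPS_NONMVEND, "w"),
        "www_can_write": check_access(cfg, "www", GROUPS_NONMVEND, "w"),
    }


if __name__ == "__main__":
    print("scheme 1:", scheme1_results())
    print("scheme 2:", scheme2_results())
    print("nonmvend:", nonmvend_results())
    print("SGID dir:", new_file_group(Entry("drwxrws---", "value", "value"), "minivend"))
```

Running it shows scheme 2 granting write access to "www" simply because that account was never added to "users", while the "nonmvend" variant closes that hole at the cost of having to enrol every account except minivend in the group.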

