
Re: Grouping groups



On Tue, Dec 30, 2003 at 05:27:43PM +0000, Colin Watson wrote:
> On Tue, Dec 30, 2003 at 11:43:44AM -0500, Stephen Touset wrote:
> > I'm trying to set up a website on a Debian server in which anyone in one
> > group (www-data) can modify all files under /var/www,
> 
> Don't use www-data for this. From
> /usr/share/doc/base-passwd/users-and-groups.txt.gz:
> 
>     Some web servers run as www-data. Web content should not be owned by
>     this user, or a compromised web server would be able to rewrite a
>     web site. Data written out by web servers, including log files, will
>     be owned by www-data.
> 
> > but anyone in another specified group (management) can only modify
> > /var/www/updates and /var/www/files.
> > 
> > My idea is to create the management group, which will possess read-write
> > capabilities on /var/www/files and /var/www/updates. The most intuitive way
> > to proceed from here would be to specify that www-data "contains" the
> > management group. Thus, anyone of group www-data is also automatically of
> > group management, but anyone in group management is not automatically in
> > www-data. However, I'm not sure if it's possible to specify group
> > inheritances in /etc/groups. Is it possible?
> 
> That's not possible in the Unix model of groups, I'm afraid.
> 
> > Will I just have to manually add the certain users to www-data and
> > management? Or is there another way?
> 
> I think I'd be inclined to hack adduser to automatically add users to
> the content group when you add them to management. Would that work for
> you?
> 
> Cheers,
> 
> -- 
> Colin Watson                                  [cjwatson@flatline.org.uk]

Where can I find detailed information about groups, i.e., how to
create them, their usage, etc.? The document pointed at by Colin
Watson is great, but too short. Any pointers?
Thanks
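
An added example, not part of the original thread: since Unix groups cannot contain other groups, the "containment" asked about above can be emulated by computing which memberships are missing from a flat group(5) file and adding them, while also checking that the web server account is not in any content group. The group names `webcontent` and `management`, the `IMPLIES` policy and the sample file are assumptions constructed for illustration.

```python
# Added example: emulate "group A contains group B" on a flat group database.
# Group names "webcontent"/"management" and the sample file are constructed.

SAMPLE_GROUP_FILE = """\
root:x:0:
www-data:x:33:
webcontent:x:1001:alice,bob
management:x:1002:bob,carol
"""

# Assumed policy: members of the key group must also be in each listed group.
IMPLIES = {"webcontent": ["management"]}


def parse_group_file(text):
    """Parse group(5) lines (name:password:GID:user,user) into {name: set(users)}."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.strip().split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        groups[fields[0]] = {u for u in fields[3].split(",") if u}
    return groups


def missing_memberships(groups, implies):
    """Return sorted (user, group) pairs to add; iterates so chains A->B->C resolve."""
    effective = {name: set(members) for name, members in groups.items()}
    needed, changed = set(), True
    while changed:
        changed = False
        for src, targets in implies.items():
            for dst in targets:
                extra = effective[src] - effective[dst]  # KeyError if a group is undefined
                if extra:
                    needed |= {(user, dst) for user in extra}
                    effective[dst] |= extra
                    changed = True
    return sorted(needed)


def server_account_in(groups, content_groups, server_user="www-data"):
    """Content groups that list the web server account as a supplementary member."""
    return sorted(g for g in content_groups if server_user in groups.get(g, ()))


if __name__ == "__main__":
    parsed = parse_group_file(SAMPLE_GROUP_FILE)
    for user, group in missing_memberships(parsed, IMPLIES):
        print(f"adduser {user} {group}")  # Debian: add existing user to existing group
    print("server account found in:", server_account_in(parsed, ["webcontent", "management"]))
```

The group file lists only supplementary members; a user's primary group comes from /etc/passwd and is not seen by this check.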


