Re: [netatalk-admins] user and groups names


Subject: Re: [netatalk-admins] user and groups names
From: Jeff Wiegley (jeff@w3-design.com)
Date: Mon Dec 08 1997 - 16:50:07 EST


chuck yerkes wrote:
>
> It is claimed, but unverified, that Philip S. Wachtel wrote:
> > Does anyone know how to configure atalk so that users can write and read
> > files in their home directories as their own user names and read and write
> > to shared directories as nobody?
>
> I think you're asking the wrong question.
>
> 1st) nobody really shouldn't be allowed to write anywhere
> (maybe /tmp). This is the user used for things that
> you want NO privilege for - like web servers, etc.
> Having files around that "nobody" can overwrite is
> just a bad plan. Think of another user, like "mac".
>
> 2nd) You likely really want to setup group permissions. I wish
> people would mention their OS, but I'll try:
> -Set up the writers in a specific group (not necessarily
> their primary group).
> -Set a shared directory up with group write privs (and
> setgid so the gid of the new files in it are that group).
> You MIGHT want to run a cron job that does chmod g+w to
> that directory (or use cfengine from cron to watch it).
>
> chuck

For those that might be new like the original poster, this is the
way my company solved permissions (assuming Linux OS, although
it should apply to any Un*x in general)...

1) Every potential user gets a shell account on the Unix server.

2) For each account the user gets a unique user id and a unique group id
   (both of which I name identically).

3) For the network shared directories I create more group ids, one
   for every group I want. The shared directories' group ids are set
   according to the access I desire, and the mode for the directories
   is set to 2770; this way files and subdirectories are created and
   inherit the group id and write permission of the parent directory.

4) Then users are added to the subgroups that they should be in.

5) I modified netatalk so that subdirectories created by netatalk
   inherit the parent's permissions (a behavior that is not the
   default in netatalk but should be).

So, basically, contrary to the original poster's paradigm but similar to
Chuck's, our permissions are based on groups, not users.

The reason each user has their own unique group that nobody else belongs
to is to more or less protect people from screwing up their umasks and
allowing all members of group users (the traditional Unix user group) to
read/write their directories.

Anyways, it is working wonderfully for us.

- Jeff
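The setup Chuck and Jeff describe, as an added example that is not part of the original thread: a shared directory with mode 2770 (setgid plus group rwx, nothing for others), a check that a nested directory and file pick up the directory's group, and the cron-style "chmod g+w" sweep Chuck mentions. It assumes a POSIX shell on Linux with ls, awk, find and chmod, and runs as an unprivileged user in a temporary directory; creating the groups and adding users to them (groupadd/usermod on Linux) is left to the administrator and is not done here. One detail the thread relies on but does not spell out: the setgid bit propagates the group, not write permission, so whether a newly created file is group-writable depends on the creator's umask, which is exactly why the periodic sweep exists.

```shell
#!/bin/sh
# Added example, not code from the netatalk thread: a setgid shared
# directory (mode 2770) and checks on what its children inherit.
# Assumes a POSIX shell with ls, awk, find and chmod; needs no root.

# 10-character permission string of a path, e.g. "drwxrws---".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Numeric gid that owns a path (field 4 of "ls -ldn").
group_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Create the shared directory $1 owned by group $2 with mode 2770:
# rwx for owner and group, nothing for others, setgid so that new
# files and subdirectories take the directory's group.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Create a subdirectory and a file inside the shared directory $1 and
# confirm both carry its group and the subdirectory kept the setgid bit.
# The subshell sets a cooperative umask (007) so the group bits survive.
verify_inheritance() {
    shared=$1
    want=$(group_of "$shared")
    ( umask 007 && mkdir -p "$shared/project" \
        && : > "$shared/project/notes.txt" ) || return 1
    [ "$(group_of "$shared/project")" = "$want" ] || return 1
    [ "$(group_of "$shared/project/notes.txt")" = "$want" ] || return 1
    # position 7 is group execute; "s" means setgid is set as well
    [ "$(mode_of "$shared/project" | cut -c7)" = "s" ] || return 1
}

# The periodic sweep Chuck mentions: setgid does not grant group write,
# so a file created under a strict umask (e.g. 077) stays group-unwritable
# until something adds g+w. 020 is the group-write bit; 2020 adds setgid.
fix_group_write() {
    find "$1" -type f ! -perm -020 -exec chmod g+w {} +
    find "$1" -type d ! -perm -2020 -exec chmod g+ws {} +
}

# Stand-alone run: build the tree under a temp dir using the caller's
# primary group (a real deployment would use the project's group).
demo=$(mktemp -d)
make_shared_dir "$demo/shared" "$(id -g)"
verify_inheritance "$demo/shared" && echo "inheritance ok: $(mode_of "$demo/shared")"
fix_group_write "$demo/shared"
rm -rf "$demo"
```

In production the administrator creates the project group, runs make_shared_dir with that group, and schedules fix_group_write from cron against each shared tree; per-user private groups (Jeff's step 2) keep a careless umask from exposing home directories to everyone in the traditional "users" group.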



This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:28:25 EST