On Tue, Dec 30, 2003 at 11:43:44AM -0500, Stephen Touset wrote:
> I'm trying to set up a website on a Debian server in which anyone in one
> group (www-data) can modify all files under /var/www,
Don't use www-data for this. From
/usr/share/doc/base-passwd/users-and-groups.txt.gz:
Some web servers run as www-data. Web content should not be owned by
this user, or a compromised web server would be able to rewrite a
web site. Data written out by web servers, including log files, will
be owned by www-data.
> but anyone in another specified group (management) can only modify
> /var/www/updates and /var/www/files.
>
> My idea is to create the management group, which will possess read-write
> capabilities on /var/www/files and /var/www/updates. The most intuitive way
> to proceed from here would be to specify that www-data "contains" the
> management group. Thus, anyone of group www-data is also automatically of
> group management, but anyone in group management is not automatically in
> www-data. However, I'm not sure if it's possible to specify group
> inheritances in /etc/groups. Is it possible?
That's not possible in the Unix model of groups, I'm afraid.
> Will I just have to manually add the certain users to www-data and
> management? Or is there another way.
I think I'd be inclined to hack adduser to automatically add users to
the content group when you add them to management. Would that work for
you?
Cheers,
--
Colin Watson [EMAIL PROTECTED]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
