[ale] Permissions Q

Chris Coleman chriscoleman at mail.clayton.edu
Thu Jun 13 16:15:43 EDT 2002


A no-login account does not have a valid shell. Instead of using /bin/bash, it's shell (as specified in the last field of /etc/passwd) will be something like /bin/false.

This prevents the user from logging into (using telnet, ssh, etc.) the machine.

Chris Coleman

-----Original Message-----
From: Mike Millson [mailto:mgm at atsga.com]
To: ale at ale.org
Sent: Thursday, June 13, 2002 2:58 PM
To: ALE
Subject: RE: [ale] Permissions Q


What is meant by a 'no login' account? Is this an account created with the
useradd -r option where the account doesn't have a home directory? Just an
account that people su to but never log in as?

-----Original Message-----
From: John Mills [mailto:jmmills at telocity.com]
To: ale at ale.org
Sent: Thursday, June 13, 2002 1:25 PM
To: ALE
Cc: Michael Hirsch; Mike Millson
Subject: Re: [ale] Permissions Q


Michael -

On 13 Jun 2002, Michael Hirsch wrote:

Thanks for filling in my missing link. Once again, an ALEr comes up with
the key that a specialized mailing list couldn't find.

> On Thu, 2002-06-13 at 10:47, John Mills wrote:

> >  I created a user 'cvsmgr' who belongs to 'cvsusers' and who owns
> > $CVSROOT, its children, and its contents.
> >  I put all developers in $CVSROOT/CVSROOT/passwd, with their choice of
> > trivial or null passwords, and all with the CVS user-identity of
'cvsmgr';
> > and one read-only user, 'buildusr', with null password and no other
> > identity.

> >  I created a group 'cvsusers' and added all developers, 'cvsmgr', and
> > 'buildusr' to that group.

> There is two more steps.  execute 'chgrp -R cvsusers $CVROOT' so that
> all files and dirs are owned by the cvsusers group.  Also, execute
> 'chmod g+s $CVSROOT'.  If $CVSROOT already has subidrectories, run
> 'chmod g+s' on all those subdirs.

Since I have only one group of users, I'll just go above the repository
root and do:

# chmod g+s `find <repository_root> -type d -print`

and hit all the subs at one go.

 - John Mills

On Thu, 2002-06-13 at 10:47, John Mills wrote:
> Hi, Mike -
>
> On Wed, 12 Jun 2002, Mike Millson wrote:
>
> > Ex. 1
> > ========================================
> > I have a CVS repository that is currently owned by root and its group is
> > root. What is the best way to allow users access? Should I leave the
Owner
> > and Group as root and allow Others read and write access? Should I
create a
> > new group that is specifically for CVS, give it read and write
privileges
> > and add each user to it?
>
> I assume you are working through :pserver: or a secure equivalent. I am
> just setting up a CVS repository for a development team working on many
> files (~1500) of a new product. Here's what I did:
>
>  I created a user 'cvsmgr' who belongs to 'cvsusers' and who owns
> $CVSROOT, its children, and its contents.
>  I put all developers in $CVSROOT/CVSROOT/passwd, with their choice of
> trivial or null passwords, and all with the CVS user-identity of 'cvsmgr';
> and one read-only user, 'buildusr', with null password and no other
> identity.
>
>  I created a group 'cvsusers' and added all developers, 'cvsmgr', and
> 'buildusr' to that group.

There is two more steps.  execute 'chgrp -R cvsusers $CVROOT' so that
all files and dirs are owned by the cvsusers group.  Also, execute
'chmod g+s $CVSROOT'.  If $CVSROOT already has subidrectories, run
'chmod g+s' on all those subdirs.

Now anyone in the group can read and write to those subdirs, thanks to
'chgrp'.  The 'chmod g+s' makes it so that any new files/dirs are also
owned by the cvsusers group.

There was a recent article in the IBM developer area about just this
trick.

--Michael

>
> NOTE:
> System accounts must _exist_ for all these CVS users, but they can be
> 'nologin' accounts.
>
> So far the only wrinkle I've seen is this: when a user creates a new
> _directory_ in the CVS repository, it gets the permissions: 'drwxrwxr-x'
> and cannot be used (even for checkout) by any other user until the
> permissions have been changed to 'drwxrwxrwx'. I would like these to be
> the default permission settings for new directories in CVS, but haven't
> been able to manage it. Naturally for many organizations the current
> defaults are correct.
>
> New files' permissions default to '-r--r--r--' which is _correct_ (except
> for executables, which need '-r-xr-xr-x'). 'Apparent' ownership of files
> and directories in $CVSROOT is 'cvsmgr', which is correct.
>
> HTH.
>
>  - John Mills


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.






More information about the Ale mailing list