[LON-CAPA-admin] 64 bit
Guy Albertelli II
guy at albertelli.com
Tue Oct 26 15:02:16 EDT 2004
Hi Mike,
> >> Which things will break, if suidperl is not suid?
> >
> >Among other things, you would not be able to create author accounts.
> >
>
> That was the gotcha for me.
>
> Here's a question, if we're using our own authentication scheme (via
> localauth.pm) and not creating filesystem authorized accounts (just
> relying upon lchtmldir to create the public_html once an author role is
> granted) would we even need to have setuid scripts if we allow www to
> have write perms in a special home directory area?
We could eliminate the need for setuid in this case if www had write
access to /home.
As only UNIX style users have an account created and permissions set
in this case.
For all other user auth styles we expect all files to be owned by
www:www
> Would this create
> any problems with users being able to access each other's resources?
Nope.
> Does LON-CAPA police this or does it rely upon filesystem permissions
> (and therefore the reason why lcuseradd adds www to the group named
> after the account)?
We rely on file system permissions for some aspects. And police
others.
We generally recommend all authors be created without UNIX style
authentication except for the rare case when some user wants login
access to the machine.
> There's a whole mess of changes which need to be made to lcuseradd,
> because the syntax and defaults for RH/Fedora are different from SuSE.
Aye.
--
guy at albertelli.com LON-CAPA Developer 0-7-3-2-