On 21 May 2010 08:33, Graham Dumpleton <[email protected]> wrote:
> On 21 May 2010 01:52, Damjan <[email protected]> wrote:
>>> I need this to use ClearCase (cleartool binary). ACLs in ClearCase are
>>> based on Unix system groups, but it gets only the first 16 groups. So if a
>>> user belongs to 50 groups you must, before using cleartool, eject 34
>>> groups and leave only 16. And I need to choose a "few" groups in WSGI
>>> which will be inherited by the WSGI child process. Then my application may
>>> read ClearCase repositories.
>>
>> use sudo
>
> Care to explain how that can help?
>
> First off I don't see how sudo allows you to override the group vector it
> uses with a restricted set of users that you can define.
>
> It does have a -P option for preserving the group vector of the person
> executing sudo, but if you can't control that person's group vector it
> isn't going to help.
>
> Secondly, use of sudo, even if it could do it, would still require
> separate Apache instances and be just like the 'flash' program they
> use now.
>
> Finally, what is really needed is the C API programmatic way of
> modifying the group vector, just as the flash program somehow does.
> Only then could mod_wsgi be enhanced, if it made any sense, to allow
> different daemon process groups to override the group vector.
Okay, but after more searching, possibly need to use:
NAME
setgroups -- set group access list
SYNOPSIS
#include <sys/param.h>
#include <unistd.h>
int
setgroups(int ngroups, const gid_t *gidset);
DESCRIPTION
Setgroups() sets the group access list of the current user process
according to the array gidset. The parameter ngroups indicates the number
of entries in the array and must be no more than {NGROUPS_MAX}.
Only the super-user may set new groups.
RETURN VALUES
A 0 value is returned on success, -1 on error, with an error code stored
in errno.
Thus, feasibly one could allow the 'groups' parameter of WSGIDaemonProcess
to take a comma-separated list, also allowing 'a,' to indicate a single
group, and use this function to override the group vector.
Now, is there any reasonable use of this outside of this person's one
case to justify making such an enhancement?
It may be useful where you run applications as a single special user
but for multiple applications want to give them different group access
to alternate accounts for reading/writing data, without needing to create
a special user for each just to have the different group vector.
Graham
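As an added example (not code from this thread or from mod_wsgi), here is what the proposed comma-separated 'groups' handling plus the setgroups() call from the man page above would look like in C. The group names in the comments, the 1024-byte buffer and the 64-entry working array are assumptions; the 16-group cap is the cleartool limit the thread describes.

```c
#define _DEFAULT_SOURCE                  /* glibc: declare setgroups() */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse "staff,cc_users" (or "cc_users," for one group) into a gid vector.
 * Tokens are numeric gids or names resolved with getgrnam(); strtok() drops
 * empty tokens, so the trailing comma is harmless. Returns the count, or -1
 * for an unknown name or more than 'max' groups (16 for cleartool above). */
int parse_group_vector(const char *spec, gid_t *out, int max)
{
    char buf[1024];
    int n = 0;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        char *end;
        unsigned long v = strtoul(tok, &end, 10);
        if (n >= max) return -1;
        if (*tok != '-' && end != tok && *end == '\0') {
            out[n++] = (gid_t)v;                 /* numeric gid */
        } else {
            struct group *gr = getgrnam(tok);    /* group name (hypothetical) */
            if (!gr) return -1;
            out[n++] = gr->gr_gid;
        }
    }
    return n;
}

/* Install the vector; needs root (CAP_SETGID on Linux), so a daemon does
 * this before switching to its unprivileged user. */
int apply_group_vector(const gid_t *gids, int n)
{
    if (setgroups(n, gids) == 0) return 0;
    fprintf(stderr, "setgroups: %s\n", strerror(errno)); /* EPERM if not root */
    return -1;
}

/* Gid at position idx of the parsed spec, or -1; convenient for checks. */
long group_at(const char *spec, int idx)
{
    gid_t g[64];                              /* assumed working array size */
    int n = parse_group_vector(spec, g, 64);
    return idx < n ? (long)g[idx] : -1;
}
```

A daemon would call parse_group_vector() on the configured list and apply_group_vector() while still privileged; a non-root process gets EPERM back, exactly as the man page's "Only the super-user may set new groups" says.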
--
You received this message because you are subscribed to the Google Groups
"modwsgi" group.