Great thanks for help - really. I'm very appreciative. I was in mountain in Polish PHPCon edition [phpcon.pl] and I'm back right now. Flash command is local command probably wrote by local administrators - I think cause I can't find this command elsewhere.
But there is one mysterious thing in that. I believe this command have sticky bit (chmod +s) to be run as root user. setgroups() manual suggest this. From the other hand this tool can't be use by root. Why? This tool watch groups You can get. For example: If You belongs to groups "a b c" and You try tu use: $ flash b c d /bin/groups d - permission denied a b $ So this watch groups you belongs to. Root user can't run this tool. In my corporate root account is "unprivileged" to this because the can get any groups they want. So I can't use "flash" after sudo. To Use "flash" I compile my own Apache under home directory. So whole Apache is under local user privileges - there is no processes with owned by root. I'm wondering in this situation I can still use WSGI? One more time grate thank for help! Really! On May 22, 3:38 pm, Damjan <[email protected]> wrote: > > >> I need this to use ClearCase (cleartool binary). ACL in ClearCase > > >> based on Unix system groups but it get only first 16 groups. So If > > >> user belongs to 50 groups You must before using cleartool eject 34 > > >> groups and leave only 16. And I need to choose "few" groups in WSGI > > >> which will be inherit by WSGI child process. Then my application may > > >> read ClearCase repositories. > > > > use sudo > > > Care to explain how that can help? > > I understood that he starts a "cleartool binary" which is a separate > program... maybe I mis-understood him? > > The idea is, he could have a mod_wsgi user that's allowed via sudo to > change to a user with the neccesseary credentials. > > And sudo will do the right thing wrt the group vector. > "The real and effective uid and gid are set to match those of the > target user as specified in the passwd file and the group vector is > initialized based on the group file" > > So I'm thinkging> > > Apache > -> mod_wsgi (user_a) -> sudo cleartool (clear_user_a) > -> mod_wsgi (user_b) -> sudo cleartool (clear_user_b) > > > First off I don't see how sudo allows you override the group vector it > > uses with a restricted set of users that you can define. > > > It does have a -P option for preserving the vector group of the person > > executing sudo, but if you cant control that persons group vector > > isn't going to help. > > > Secondly, use of sudo, even if it could do it, would still require > > separate Apache instances and be just like the 'flash' program they > > use now. > > -- > You received this message because you are subscribed to the Google Groups > "modwsgi" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group > athttp://groups.google.com/group/modwsgi?hl=en. -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
