On 15 June 2010 22:06, Jan Koprowski <[email protected]> wrote: > Work perfectly :) Thanks!
Oh good. Had forgottten I had even done that change. :-) Graham > On May 24, 7:45 am, Jan Koprowski <[email protected]> wrote: >> Great thanks for help - really. I'm very appreciative. I was in >> mountain in Polish PHPCon edition [phpcon.pl] and I'm back right now. >> Flash command is local command probably wrote by local administrators >> - I think cause I can't find this command elsewhere. >> >> But there is one mysterious thing in that. I believe this command have >> sticky bit (chmod +s) to be run as root user. setgroups() manual >> suggest this. From the other hand this tool can't be use by root. Why? >> This tool watch groups You can get. For example: If You belongs to >> groups "a b c" and You try tu use: >> >> $ flash b c d /bin/groups >> d - permission denied >> a b >> $ >> >> So this watch groups you belongs to. Root user can't run this tool. In >> my corporate root account is "unprivileged" to this because the can >> get any groups they want. So I can't use "flash" after sudo. To Use >> "flash" I compile my own Apache under home directory. So whole Apache >> is under local user privileges - there is no processes with owned by >> root. I'm wondering in this situation I can still use WSGI? >> >> One more time grate thank for help! Really! >> >> On May 22, 3:38 pm, Damjan <[email protected]> wrote: >> >> >> >> >> >> > > >> I need this to use ClearCase (cleartool binary). ACL in ClearCase >> > > >> based on Unix system groups but it get only first 16 groups. So If >> > > >> user belongs to 50 groups You must before using cleartool eject 34 >> > > >> groups and leave only 16. And I need to choose "few" groups in WSGI >> > > >> which will be inherit by WSGI child process. Then my application may >> > > >> read ClearCase repositories. >> >> > > > use sudo >> >> > > Care to explain how that can help? >> >> > I understood that he starts a "cleartool binary" which is a separate >> > program... maybe I mis-understood him? >> >> > The idea is, he could have a mod_wsgi user that's allowed via sudo to >> > change to a user with the neccesseary credentials. >> >> > And sudo will do the right thing wrt the group vector. >> > "The real and effective uid and gid are set to match those of the >> > target user as specified in the passwd file and the group vector is >> > initialized based on the group file" >> >> > So I'm thinkging> >> >> > Apache >> > -> mod_wsgi (user_a) -> sudo cleartool (clear_user_a) >> > -> mod_wsgi (user_b) -> sudo cleartool (clear_user_b) >> >> > > First off I don't see how sudo allows you override the group vector it >> > > uses with a restricted set of users that you can define. >> >> > > It does have a -P option for preserving the vector group of the person >> > > executing sudo, but if you cant control that persons group vector >> > > isn't going to help. >> >> > > Secondly, use of sudo, even if it could do it, would still require >> > > separate Apache instances and be just like the 'flash' program they >> > > use now. >> >> > -- >> > You received this message because you are subscribed to the Google Groups >> > "modwsgi" group. >> > To post to this group, send email to [email protected]. >> > To unsubscribe from this group, send email to >> > [email protected]. >> > For more options, visit this group >> > athttp://groups.google.com/group/modwsgi?hl=en. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "modwsgi" group. >> To post to this group, send email to [email protected]. >> To unsubscribe from this group, send email to >> [email protected]. >> For more options, visit this group >> athttp://groups.google.com/group/modwsgi?hl=en. > > -- > You received this message because you are subscribed to the Google Groups > "modwsgi" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/modwsgi?hl=en. > > -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
