OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael Schloh
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-doc Date: 14-Jan-2003 11:11:40
Branch: HEAD Handle: 2003011410114000
Modified files:
openpkg-doc/handbook openpkg.xml
Log:
Improve and add text to section 'Security Through Userids and
Groupids'.
Summary:
Revision Changes Path
1.62 +78 -20 openpkg-doc/handbook/openpkg.xml
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-doc/handbook/openpkg.xml
============================================================================
$ cvs diff -u -r1.61 -r1.62 openpkg.xml
--- openpkg-doc/handbook/openpkg.xml 19 Dec 2002 10:52:46 -0000 1.61
+++ openpkg-doc/handbook/openpkg.xml 14 Jan 2003 10:11:40 -0000 1.62
@@ -33,7 +33,7 @@
</author>
</authorgroup>
- <pubdate>December 2002</pubdate>
+ <pubdate>January 2003</pubdate>
<abstract>
<para>
@@ -712,28 +712,86 @@
</sect1>
<sect1>
- <title>Security through Userids and Groupids</title>
+ <title>Security Through Userids and Groupids</title>
<para>
- OpenPKG is designed with good security in mind, and thus provides
- three Userid and Groupid pairs. Whereas one pair might often suffice,
- the three distinct pairs allow for finer granularity of providing
- access to operating system resources. In a few cases, a software
- application will actually require such an abstraction of user and
- group rights. The first new Userid created at bootstrap time will
- have the same name as the OpenPKG instance. The second new Userid will
- resemble the first, only with a '-r' name extension meaning restricted.
- The third new Userid will resemble the first, only with a '-n' name
- extension meaning non-privileged. For example, if an OpenPKG instance
- is bootstrapped to the directory called 'cw', then the three associated
- Userids will be cw, cw-r, and cw-n. The administrator can read the
- Unix password file to see the new entries.
+ OpenPKG installs three userid and groupid pairs during bootstrap.
+ OpenPKG is designed with good security in mind, and thus provides
+ three userid and groupid pairs. Whereas one pair might often suffice,
+ the three distinct pairs allow for finer granularity. In some cases, a
+ software application will actually require a more privileged or less
+ privileged user and group pair in addition to the normal pair. Many
+ daemon packages use the special user and group for improving security,
+ for example.
+ </para>
+ <para>
+ By default, one userid created during bootstrap has the same name as
+ the OpenPKG instance. Another userid simply adds a '-r' extension to
+ the first, and indicates the restricted user. The last userid adds a
+ '-n' extension to the first, and indicates the non-priviledged user.
+ The new OpenPKG groupids are handled in the same way. For example, if
+ an OpenPKG instance is bootstrapped to the directory called 'cw', then
+ the three associated userids will be 'cw', 'cw-r', and 'cw-n'. The
+ three associated groupids will be 'cw', 'cw-r', and 'cw-n'. The
+ administrator can read the unix password file /etc/passwd and unix
+ group file /etc/group to see the new entries.
+ </para>
+ <sect2>
+ <title>Arguments given during bootstrap</title>
+ <para>
+ This behaviour is true by default, but may be customized to suit the
+ needs of the administrator. Additional arguments may be give when
+ running the bootstrapper (see <xref linkend='bstrap-overview'/>)
+ to accommodate special user and group names. Specify the name of the
+ management user with --musr=<name>, the restricted user with
+ --rusr=<name>, and the non-priviledged user with --nusr=<name>.
+ Accordingly, group names can be specified with --mgrp=<name>,
+ --rgrp=<name>, and --ngrp=<name>.
+ </para>
+ <itemizedlist>
+ <listitem>
+ <simpara>
+ --musr=<management user name>
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ --rusr=<restricted user name>
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ --nusr=<non-priviledged user name>
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ --mgrp=<management group name>
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ --rgrp=<restricted group name>
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ --ngrp=<non-priviledged group name>
+ </simpara>
+ </listitem>
+ </itemizedlist>
+ </sect2>
+ <sect2>
+ <title>Using the Userid and Groupid Variables</title>
+<!-- FIXME: Give a small user summary, expand, and move following to developer
section -->
+ <para>
+ These user and group names can be queried from within the OpenPKG
+ specification file. The variables %{l_musr}, %{l_rusr}, and %{l_nusr}
+ expand to the management, restricted, and non-priviledged users. The
+ variables %{l_mgrp}, %{l_rgrp}, and %{l_ngrp} expand to the
+ management, restricted, and non-priviledged groups.
</para>
+ </sect2>
</sect1>
-
-<!-- FIXME: What about groupids, and put where belong in dev Teil the -->
-<!-- l_susr/l_sgrp = root/wheel; l_musr/l_mgrp = cw/cw -->
-<!-- l_rusr/l_rgrp = cw-r/cw-r; l_nusr/l_ngrp = cw-n/cw-n -->
-<!-- replace l_{fs,np}{usr,grp} with l_{s,m,r,n}{usr,grp} ??? -->
<sect1>
<title>RPM Maintained</title>
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
