Re: Permissions Question

2007-01-09 Thread Jay Chandler

Malcolm Kay wrote:

I am confused (or someone is).
On all the FreeBSD systems I have immediate access to, the file
/etc/mail/aliases has the default permissions -rw-r--r--, in
other words it is readable by anyone. On the other
hand /etc/mail/aliases.db is sometimes -rw-r----- and sometimes
-rw-r--r--, but since it is only an encoded version of aliases,
additional restrictions would seem useless.


I can imagine some might object to reason setting either of these 
o+r, but this does seem to be the norm.


Perhaps someone else has other views. Or perhaps this is some 
variation when using postfix, qmail etc. in place of sendmail.


Malcolm
 
  
Postfix is the MTA, but the file itself is NFS shared between all the 
mailservers, and furthermore is used as part of a script that expects 
things to be just so.


I inherited this setup, and don't dare start changing the permissions on 
key files until I understand what every part of the equation expects to 
see-- an example would be the user mailboxes, wherein the permissions 
were set incorrectly causing Sendmail to choke (dontblamesendmail has 
more on this for the curious).


--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / [EMAIL PROTECTED]
Today's Excuse: user to computer ratio too high. 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Permissions Question Re: Permissions advice needed

2007-01-09 Thread [EMAIL PROTECTED]
The following suggestion should work for both problems and avoid the
difficulties I saw with the other solutions.
Write an executable (Korn shell) script owned by the owner of the
files to be examined (thus he should have all the access he needs)
which checks the user-id of its caller [effective and/or original]
(to make sure unauthorized users don't get access) and the current
date against an end-date (to shut off access at the desired date
automatically), probably use the julian date to make checking easier.

While I have your attention, does anybody know of jobs for any or all
of the following: C/C++, Korn shell scripts, and  SQL (Sybase) 
programmers.  I live in the NYC suburbs area (Rockland Cty) and
I'm willing to telecommute and maybe even relocate.  My resume can
be sent by email upon request.

On 1/8/2007, Andy Greenwood [EMAIL PROTECTED] wrote
On 1/8/07, Kirk Strauser [EMAIL PROTECTED] wrote:
 On Monday 08 January 2007 12:07 pm, Jay Chandler wrote:

 I've got a user who needs to be able to view (read only) the aliases
 file.  We'll grant him root access a few weeks after the eventual
 heat-death of the universe, so how would you all go about doing this?

 You could configure sudo to give him access to run that one
 command as root.
One has to be very careful about giving out such access!
root has much power.

On 8 Jan 2007 13:24:58, Kirk Strauser [EMAIL PROTECTED] wrote
 On Monday 08 January 2007 12:57 pm, Andy Greenwood wrote:
 I've never used them, but wasn't ACL written just for this scenario?

 Perhaps, but that seems like a lot more effort to accomplish a
 relatively easy job.
Would work, but it doesn't take into account the time limitation
( We'll grant him root access a few weeks).

On 8 Jan 2007 15:07:01, Robert Huff [EMAIL PROTECTED] wrote
 Jay Chandler writes:

(snip)
 Hand him some sheets of printout?
Waste of paper (and trees).  Also, one can't use UNIX tools on the
data (e.g., grep, editors) to put some of the data in other docs.
   
  Sadly, the data change too often for this to be effective.

   Copy the file every N minutes, then change ownership and
 permissions?
Again, too much work for the owner.

On 08 Jan 2007 13:19:32 Jay Chandler [EMAIL PROTECTED] wrote
Robert Huff wrote:
 Jay Chandler writes:

(snip)
  Copy the file every N minutes, then change ownership and
 permissions?
(snip)
 Probably the simplest way to do it-- just wanted to make sure I wasn't
 overlooking something silly.

 Thanks!
Too much work for the one copying unless he has a script do it,
maybe as a cron job.


On 9 Jan 2007 08:43:11, Brett Davidson [EMAIL PROTECTED] wrote
(on Subject: Permissions advice needed.)
 
 I have a curious problem.
 
 I need an executable file to be owned by a user's uid and gid so they
 can run it.
A user can run a script/binary file whose uid and gid differ from his
(Just give other 'rx' permission.)
If you want to give such access only to one user, put him in an ACL.
Give him 'rx' permission; he won't be able to modify the file.
Anyway, why must the executable file be owned by the user running it?
 HOWEVER, I don't want them to be able to modify or delete the file
 and/or its permissions. Another program will do that.

 This, under standard Unix permissions, is a tad difficult. :-)
difficult???  I don't see that.
 ACLs don't help here as the owner of a file has the ability to 
 change permissions.

 I could set the immutable bit (Linux term for the schg flag) but the
 modifying program does not recognise this flag and will thus fail to
 modify the file.
 (I have no control over the modifying program).

 Any ideas?




Re: Permissions Question Re: Permissions advice needed

2007-01-09 Thread Kirk Strauser
On Tuesday 09 January 2007 1:01 pm, [EMAIL PROTECTED] wrote:

 On 1/8/07, Kirk Strauser [EMAIL PROTECTED] wrote:

 You could configure sudo to give him access to run that one
 command as root.

 One has to be very careful about giving out such access!
 root has much power.

Hence sudo, where you're giving them exactly one permission: the ability 
to execute one specific read-only command.
-- 
Kirk Strauser
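Pulling together Kirk's sudo suggestion and the earlier 1:01 pm post's idea of a script that checks the caller and an end date, here is an added example that is not from the thread: a POSIX sh wrapper installed as the single command the user may run through sudo on the designated machine (setuid scripts are not honoured by the FreeBSD kernel, so sudo is the vehicle). The sudoers line, the user name bob, the path /usr/local/sbin/show-aliases and the expiry date are assumptions; dates are compared as YYYYMMDD integers rather than Julian days.

```shell
#!/bin/sh
# show-aliases: read-only view of /etc/mail/aliases for one user, until an
# expiry date. Install it as the only command the user may run via sudo,
# e.g. this sudoers entry (user, host and path are assumed names):
#   bob  mx1 = (root) NOPASSWD: /usr/local/sbin/show-aliases
# sudo exports SUDO_USER (the invoking account), which the wrapper checks.

ALIASES_FILE=/etc/mail/aliases
ALLOWED_USER=bob            # assumed
EXPIRES_ON=20070301         # assumed, YYYYMMDD

# today_yyyymmdd: current date as an integer, e.g. 20070109.
today_yyyymmdd() {
    date +%Y%m%d
}

# access_allowed CALLER ALLOWED TODAY EXPIRY
# Returns 0 when CALLER is the allowed user and TODAY is on or before
# EXPIRY, 1 otherwise. An empty caller (run outside sudo) is refused.
access_allowed() {
    caller=$1 allowed=$2 today=$3 expiry=$4
    [ -n "$caller" ] || return 1
    [ "$caller" = "$allowed" ] || return 1
    # YYYYMMDD integers order the same way as the calendar does.
    [ "$today" -le "$expiry" ] 2>/dev/null || return 1
    return 0
}

main() {
    if ! access_allowed "${SUDO_USER:-}" "$ALLOWED_USER" \
            "$(today_yyyymmdd)" "$EXPIRES_ON"; then
        echo "show-aliases: access denied for '${SUDO_USER:-unknown}'" >&2
        logger -t show-aliases "denied: user=${SUDO_USER:-unknown}"
        exit 1
    fi
    logger -t show-aliases "aliases read by ${SUDO_USER}"
    # Read-only by construction: the file is only ever opened for reading.
    exec cat "$ALIASES_FILE"
}

# Run main only when invoked as the installed wrapper, so the functions
# can also be sourced on their own.
case ${0##*/} in
    show-aliases) main "$@" ;;
esac
```

Once the expiry date has passed the sudo entry can simply be deleted; until then every use and every refusal lands in syslog via logger.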




Permissions Question

2007-01-08 Thread Jay Chandler
Sorry for the dumb question this morning-- caffeine hasn't yet worked 
its wondrous magic upon my person.


I've got a user who needs to be able to view (read only) the aliases 
file.  We'll grant him root access a few weeks after the eventual 
heat-death of the universe, so how would you all go about doing this?


I've considered allowing him to run a local copy of the praliases 
command, but that chokes on the /etc/mail/aliases permissions...


To complicate things, the file /etc/mail/aliases is actually an NFS 
mounted file shared between all our mx boxes, and he only needs to 
access it from a designated machine.


Thoughts?  My apologies if this is unclear...

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / [EMAIL PROTECTED]
Today's Excuse: I'm sorry a pentium won't do, you need an SGI to connect with us. 




Re: Permissions Question

2007-01-08 Thread Matthew Seaman
Jay Chandler wrote:

 I've got a user who needs to be able to view (read only) the aliases
 file.  We'll grant him root access a few weeks after the eventual
 heat-death of the universe, so how would you all go about doing this?

Hand him some sheets of printout?

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW





Re: Permissions Question

2007-01-08 Thread Kirk Strauser
On Monday 08 January 2007 12:07 pm, Jay Chandler wrote:

 I've got a user who needs to be able to view (read only) the aliases
 file.  We'll grant him root access a few weeks after the eventual
 heat-death of the universe, so how would you all go about doing this?

You could configure sudo to give him access to run that one command as root.
-- 
Kirk Strauser




Re: Permissions Question

2007-01-08 Thread Andy Greenwood

I've never used them, but wasn't ACL written just for this scenario?

On 1/8/07, Kirk Strauser [EMAIL PROTECTED] wrote:

On Monday 08 January 2007 12:07 pm, Jay Chandler wrote:

 I've got a user who needs to be able to view (read only) the aliases
 file.  We'll grant him root access a few weeks after the eventual
 heat-death of the universe, so how would you all go about doing this?

You could configure sudo to give him access to run that one command as root.
--
Kirk Strauser
--
I'm nerdy in the extreme and whiter than sour cream


Re: Permissions Question

2007-01-08 Thread Kirk Strauser
On Monday 08 January 2007 12:57 pm, Andy Greenwood wrote:
 I've never used them, but wasn't ACL written just for this scenario?

Perhaps, but that seems like a lot more effort to accomplish a relatively 
easy job.
-- 
Kirk Strauser




Re: Permissions Question

2007-01-08 Thread Jay Chandler

Matthew Seaman wrote:

Jay Chandler wrote:

  

I've got a user who needs to be able to view (read only) the aliases
file.  We'll grant him root access a few weeks after the eventual
heat-death of the universe, so how would you all go about doing this?



Hand him some sheets of printout?
  

Sadly, the data change too often for this to be effective.

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / [EMAIL PROTECTED]
Today's Excuse: I'm sorry a pentium won't do, you need an SGI to connect with us. 




Re: Permissions Question

2007-01-08 Thread Robert Huff

Jay Chandler writes:

   I've got a user who needs to be able to view (read only) the aliases
   file.  We'll grant him root access a few weeks after the eventual
   heat-death of the universe, so how would you all go about doing this?
   
  
   Hand him some sheets of printout?
 
  Sadly, the data change too often for this to be effective.

Copy the file every N minutes, then change ownership and
permissions?


Robert Huff


Re: Permissions Question

2007-01-08 Thread Jay Chandler

Robert Huff wrote:

Jay Chandler writes:

  

  I've got a user who needs to be able to view (read only) the aliases
  file.  We'll grant him root access a few weeks after the eventual
  heat-death of the universe, so how would you all go about doing this?
  
 

  Hand him some sheets of printout?

 Sadly, the data change too often for this to be effective.



Copy the file every N minutes, then change ownership and
permissions?


Robert Huff
  

Probably the simplest way to do it-- just wanted to make sure I wasn't
overlooking something silly.

Thanks!

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / [EMAIL PROTECTED]
Today's Excuse: Our POP server was kidnapped by a weasel.




Re: Permissions Question

2007-01-08 Thread Malcolm Kay
On Tue, 9 Jan 2007 04:37 am, Jay Chandler wrote:
 Sorry for the dumb question this morning-- caffeine hasn't yet
 worked its wondrous magic upon my person.

 I've got a user who needs to be able to view (read only) the
 aliases file.  We'll grant him root access a few weeks after
 the eventual heat-death of the universe, so how would you all
 go about doing this?

 I've considered allowing him to run a local copy of the
 praliases command, but that chokes on the /etc/mail/aliases
 permissions...

I am confused (or someone is).
On all the FreeBSD systems I have immediate access to, the file
/etc/mail/aliases has the default permissions -rw-r--r--, in
other words it is readable by anyone. On the other
hand /etc/mail/aliases.db is sometimes -rw-r----- and sometimes
-rw-r--r--, but since it is only an encoded version of aliases,
additional restrictions would seem useless.

I can imagine some might object to reason setting either of these 
o+r, but this does seem to be the norm.

Perhaps someone else has other views. Or perhaps this is some 
variation when using postfix, qmail etc. in place of sendmail.

Malcolm
 

 To complicate things, the file etc/mail/aliases is actually
 an NFS mounted file shared between all our mx boxes, and he
 only needs to access it from a designated machine.

 Thoughts?  My apologies if this is unclear...


Re: permissions question

2004-12-29 Thread Lowell Gilbert
Duane Winner [EMAIL PROTECTED] writes:

 I don't know if I am having a brainfart, something is different, or if
 I never had it right to begin with:
 
 I need to have a shared directory for apache web content:
 
 /usr/local/htmlstuff
 
 And a group, htmlguys, and several users will be members of that group.
 
 I would like to have the root directory set up like this:
 
 drwxrwxr-x   2 me  htmlguys  512 Dec 27 15:06 htmlstuff
 
 Where htmlguys is the owner.
 
 Any member of htmlguys must be able to read, write and create any file
 or folder in htmlstuff, and the group owner of any file or folder in
 there must still be set to htmlguys, so that one group member can
 edit another group member's file. They should be able to delete files
 and folders that they did not create as well.
 
 When I ran apache on a Redhat box, I thought I just ran:
 
 # chmod 2770 on htmlstuff
 
 and that did the trick for me. Any time a member of htmlguys creates a
 new file in there it will be automatically be owned by the user who
 created it and the group htmlguys.
 
 But that doesn't seem to work on FreeBSD.
 
 I always referred to that '2' before '770' as the 'sticky bit' for the
 group, but I was reading up on setuid, setgid and sticky bits this
 morning, and obviously, I had it all wrong. But I know that it did
 work on Redhat (I still have that server in production, and tested it,
 so I know that works).
 
 So I'm quite confused now, and can't find any documents that describe
 how to do what I need.
 
 Can anybody help me out with this?

According to man chmod, the sticky bit is 1000(oct), not 2000.

Try setting it symbolically instead of numerically:
 # chmod +t htmlstuff

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/


Re: web server permissions question

2004-12-29 Thread Matthew Seaman
Jay O'Brien wrote:
I found how to get around this problem, and it isn't permissions 
at all. On the other web server I use, I use relative and shortened 
addressing on links, for example /xyz which, when selected by the 
user, would then send the user the /xyz/home.html file, in the xyz 
subdirectory under the directory where the home page lives.

Hmmm... Actually, that's how it's supposed to work: the automatic 
addition of trailing slashes is not implied.  Remember that even though 
URLs look a bit like directory paths, they are actually very different 
beasts indeed.  As a webmaster you can, optionally, configure your site 
to be helpful by adding slashes to requests, if you want, but you should 
never rely on that behaviour.  If you're writing HTML then you should 
always take care to state the URLs correctly.

The reasons why /foo is a different URL to /foo/ are all to do with how 
aliasing works in HTTP -- ie. exactly how the URL is mapped onto the 
filesystem (or to some sort of virtual space like a Java object 
hierarchy) in order to retrieve the requested data.   It isn't always 
simple -- in fact, this is one of those occasions where you might hear 
the dread term arbitrarily complex.

Now, with this version, I find that I must add a trailing /, using 
/xyz/ instead of /xyz, and with that change everything works as 
expected. I can now access home.html files in subtending directories 
with such shortened relative links from my LAN and from the internet. 

Take a look at this article which explains (amongst a lot of other 
interesting stuff) how to get your Apache server to do internal 
redirects for these trailing slash cases -- from the user PoV it will 
just work:

http://httpd.apache.org/docs-2.0/misc/rewriteguide.html
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.   8 Dane Court Manor
  School Rd
PGP: http://www.infracaninophile.co.uk/pgpkey Tilmanstone
Tel: +44 1304 617253  Kent, CT14 0JL UK




permissions question

2004-12-27 Thread Duane Winner
Hello,
I don't know if I am having a brainfart, something is different, or if I 
never had it right to begin with:

I need to have a shared directory for apache web content:
/usr/local/htmlstuff
And a group, htmlguys, and several users will be members of that group.
I would like to have the root directory set up like this:
drwxrwxr-x   2 me  htmlguys  512 Dec 27 15:06 htmlstuff
Where htmlguys is the owner.
Any member of htmlguys must be able to read, write and create any file 
or folder in htmlstuff, and the group owner of any file or folder in 
there must still be set to htmlguys, so that one group member can edit 
another group member's file. They should be able to delete files and 
folders that they did not create as well.

When I ran apache on a Redhat box, I thought I just ran:
# chmod 2770 on htmlstuff
and that did the trick for me. Any time a member of htmlguys creates a 
new file in there it will be automatically be owned by the user who 
created it and the group htmlguys.

But that doesn't seem to work on FreeBSD.
I always referred to that '2' before '770' as the 'sticky bit' for the 
group, but I was reading up on setuid, setgid and sticky bits this 
morning, and obviously, I had it all wrong. But I know that it did 
work on Redhat (I still have that server in production, and tested it, 
so I know that works).

So I'm quite confused now, and can't find any documents that describe 
how to do what I need.

Can anybody help me out with this?
Thanks,
DW
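On the 2770 recipe in Duane's post (and Lowell's reply earlier on the page): the leading 2 is the setgid bit (02000); the sticky bit is 01000. On Linux the setgid bit on a directory is what makes new files inherit its group, while FreeBSD's UFS always gives a new file the group of its parent directory, so the bit is harmless there but not what decides inheritance. As an added example (not from the thread), a POSIX sh recipe that sets up such a directory and then verifies inheritance by creating a probe file in it; the names /usr/local/htmlstuff and htmlguys are taken from the post as assumptions.

```shell
#!/bin/sh
# Shared group-writable content directory: set it up, then verify that a
# file created inside it carries the directory's group, which is the
# property the thread is after. Assumed names: /usr/local/htmlstuff and
# the group htmlguys.

# file_group PATH: group column of ls -l, portable across BSD and GNU ls.
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# mode_string PATH: the ten-character mode column, e.g. drwxrws---.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# setup_shared_dir DIR GROUP
# Creates DIR if needed, hands it to GROUP and sets mode 2770: owner and
# group rwx, nothing for others, setgid so that new files inherit GROUP on
# Linux too (FreeBSD's UFS inherits the directory group regardless).
setup_shared_dir() {
    dir=$1 group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
}

# group_inherits DIR
# Returns 0 if a freshly created file in DIR has DIR's group, 1 otherwise.
# umask 002 keeps the probe group-writable, which members need in order to
# edit each other's files; the probe is removed afterwards.
group_inherits() {
    dir=$1
    probe="$dir/.probe.$$"
    want=$(file_group "$dir")
    (umask 002 && : > "$probe") || return 1
    got=$(file_group "$probe")
    rm -f "$probe"
    [ "$got" = "$want" ]
}

# Stand-alone use with the assumed names; run as the directory owner.
if [ "${0##*/}" = "setup-htmlstuff" ]; then
    setup_shared_dir /usr/local/htmlstuff htmlguys || exit 1
    if group_inherits /usr/local/htmlstuff; then
        echo "group inheritance OK"
    else
        echo "new files do NOT inherit the group" >&2
        exit 1
    fi
fi
```

If the verification fails on Linux, the usual culprits are a missing setgid bit or a user whose umask strips the group write bit.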


web server permissions question

2004-12-25 Thread Jay O'Brien
I think this is a permissions issue. I just installed Apache13, 
and it works fine on my LAN using a fixed local IP. I opened 
port 80 in my Linksys router, and from the internet I can now 
get to my home page over the internet, using my fixed IP. 

From my local LAN I can use links on my home page to display 
html files in directories under the directory where my home 
page lives. However, from over the internet I can only get to 
my home page. Except, I can go to IP/manual/ and apache shows 
me the apache manual pages by virtue of an alias in httpd.conf. 

So, I know it is possible to access other web pages via the 
internet connection; I just don't know how to allow access to 
my subdirectories. 

Jay O'Brien
Rio Linda, California USA



Re: web server permissions question

2004-12-25 Thread Bill Moran
Jay O'Brien [EMAIL PROTECTED] wrote:

 I think this is a permissions issue. I just installed Apache13, 
 and it works fine on my LAN using a fixed local IP. I opened 
 port 80 in my Linksys router, and from the internet I can now 
 get to my home page over the internet, using my fixed IP. 
 
 From my local LAN I can use links on my home page to display 
 html files in directories under the directory where my home 
 page lives. However, from over the internet I can only get to 
 my home page. Except, I can go to IP/manual/ and apache shows 
 me the apache manual pages by virtue of an alias in httpd.conf. 
 
 So, I know it is possible to access other web pages via the 
 internet connection; I just don't know how to allow access to 
 my subdirectories. 

Sounds like your links are pointing to the private IP address, which
isn't accessible from the Internet at large.

If this is the case, fix your links.  Otherwise, please provide some
more information about the symptoms.  I doubt there is any sort of
permission problem.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: web server permissions question

2004-12-25 Thread Jay O'Brien
Jay O'Brien wrote:

 I think this is a permissions issue. I just installed Apache13, 
 and it works fine on my LAN using a fixed local IP. I opened 
 port 80 in my Linksys router, and from the internet I can now 
 get to my home page over the internet, using my fixed IP. 
 
From my local LAN I can use links on my home page to display 
 html files in directories under the directory where my home 
 page lives. However, from over the internet I can only get to 
 my home page. Except, I can go to IP/manual/ and apache shows 
 me the apache manual pages by virtue of an alias in httpd.conf. 
 
 So, I know it is possible to access other web pages via the 
 internet connection; I just don't know how to allow access to 
 my subdirectories. 
 
 Jay O'Brien
 Rio Linda, California USA
 

More data on this issue

I found how to get around this problem, and it isn't permissions 
at all. On the other web server I use, I use relative and shortened 
addressing on links, for example /xyz which, when selected by the 
user, would then send the user the /xyz/home.html file, in the xyz 
subdirectory under the directory where the home page lives.

Now, with this version, I find that I must add a trailing /, using 
/xyz/ instead of /xyz, and with that change everything works as 
expected. I can now access home.html files in subtending directories 
with such shortened relative links from my LAN and from the internet. 

This doesn't explain why the link without the trailing / works fine 
on my local LAN but not when accessed over the internet.  

I would prefer to have it work without the trailing / because I want 
to copy many existing pages with such relative addresses from my 
other server.

I'm not sure where to look in them, but... now to the Apache manuals!

Jay



Re: web server permissions question

2004-12-25 Thread Jay O'Brien
Bill Moran wrote:

 Sounds like your links are pointing to the private IP address, which
 isn't accessible from the Internet at large.
 
 If this is the case, fix your links.  Otherwise, please provide some
 more information about the symptoms.  I doubt there is any sort of
 permission problem.
 

Bill, 

The problem links are shortened relative links. See my additional post 
with more symptoms that I posted before I realized you had responded.

As you suggest, changing the links to add a trailing / fixed the 
problem, and if I didn't want to use existing web pages with shortened 
relative links without the trailing / character, it wouldn't be a 
problem. 

I would like to understand what is causing this to work the way it is.

Jay



Another FreeBSD/sendmail permissions question

2003-08-14 Thread Kevin Stevens
Not sure where this goes; I'm also posting it to the sendmail Usenet
group.

I've been having what is apparently a fairly common problem with my
sendmail configuration; every time a message is delivered I get a warning
of the type Aug  5 00:25:53 babelfish sendmail[39666]: h757PrRD039666:
forward /data/mail/.forward+: Group writable directory.

After doing some research, I've been able to turn off the warning messages
using the DontBlameSendmail option in my .cf file.  However, I'd really
like to understand why the warning is being generated in the first place.

/data/mail is the user directory to which mail is delivered by my IMAP
server after it is moved from /var/mail/imap.

a)  There is no .forward file in /data/mail
b)  The permissions on the /data/mail directory are:
drwx------  4 imap  wheel  512 Aug  5 10:00 .
c)  The permissions on the *parent* (/data) directory are:
drwxrwxr-x  18 root  staff   512 Aug  2 13:52 ..
d)  Permissions on /var/mail/USERNAME are:
-rw-------   1 imap imap   0 Aug  5 10:03 imap
e)  Permissions on /var/mail are:
drwxrwxr-x  2 root  mail  512 Aug  5 10:02 .
f)  And on /var are:
drwxr-xr-x  23 root  wheel  512 May 10 23:23 .

Now, what's confusing to me is that if I remove the group writable
attribute of /data, the messages go away.  WTF?  Why does sendmail care
about the permissions of the *parent* directory?  Is this because someone
in the parent could alter or blow away the /data/mail directory?

I'd think that, if anything, the problem would be the permissions on the
/var/mail directory; but not only is that not where the warning
references; tightening permissions in that area doesn't affect the
warnings.

KeS
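The warning quoted in the post comes from a safety check that looks at every directory on the way to the .forward file, not only the one that would hold it: a group- or world-writable ancestor such as /data lets its writers rename or replace everything beneath it, whatever the permissions further down. As an added example (not from the thread), a POSIX sh function that walks a path in the same way and lists the offending components; the stand-alone invocation on /data/mail/.forward+ assumes the post's layout, the check reads mode bits only, not ownership, and directory names are assumed to contain no spaces.

```shell
#!/bin/sh
# Ancestor-directory check in the spirit of an MTA's safe-file test: a
# file cannot be trusted if any directory above it is writable by a group
# or by everyone. Run on the post's layout it names /data (drwxrwxr-x),
# not /data/mail (drwx------), as the reason for the warning.

# mode_of PATH: ten-character mode column of ls -l, e.g. drwxrwxr-x.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# is_group_or_world_writable PATH: 0 if the group write bit (position 6)
# or the other write bit (position 9) of the mode string is set.
is_group_or_world_writable() {
    case $(mode_of "$1") in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# writable_dirs_on_path ROOT RELPATH
# Inspects ROOT and every directory of RELPATH (relative to ROOT) down to
# the parent of the final component, printing "MODE PATH" for each one
# that is group- or world-writable. Returns 0 if none is, 1 otherwise.
writable_dirs_on_path() {
    root=$1 rel=$2
    bad=0
    cur=${root%/}          # "" for "/", so "/data" is built correctly
    dirs=$root
    parent=$(dirname "$rel")
    if [ "$parent" != "." ]; then
        old_ifs=$IFS; IFS=/
        for comp in $parent; do
            cur="$cur/$comp"
            dirs="$dirs $cur"
        done
        IFS=$old_ifs
    fi
    for d in $dirs; do
        [ -d "$d" ] || continue
        if is_group_or_world_writable "$d"; then
            printf '%s %s\n' "$(mode_of "$d")" "$d"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone use: the path from the post's warning, assumed to exist.
if [ "${0##*/}" = "check-safe-path" ]; then
    writable_dirs_on_path / data/mail/.forward+ && echo "no writable ancestors"
fi
```

Removing the group write bit from /data, as the post found, is exactly what makes this walk come back clean.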
