Francois Dumais wrote:

> > SG0 is something like transparent SG, and trust me
> > better leave that SG as it is.
>
> What do you imply by "transparent SG"

Objects in SG0 are transparently merged with the sitegroup you log into.
The objects thus merged are available read-only, no matter who you are,
unless you're root.

This is the way we implement the admin site: the admin site is in SG0,
but you log in as sgadmin+yoursitegroup; this puts you in SG
'yoursitegroup', but the admin site, which is in SG0, is available to
you. SG0 is the only sitegroup that exhibits this behaviour, objects in
other sitegroups will be totally invisible to you.

> and "leave it as it is" ??  Do you
> mean never use it???

No, he means that unless you're deliberately changing or adding the
admin site, it's best not to add/delete/change resources in SG0. Your
'live' work should certainly not be in SG0.

> > You can not manage members and groups within SG0 for example.
>
> I don't get the point: I managed to create several users (at the topmost
> level).

You can create users in SG0, for sure, but unless you take provisions to
make them root (and do you want them all to be root?), they'll not be
able to log in. Only root can log into SG0.


It's important to see the distinction between the resources that live in
a particular sitegroup, and what the active sitegroup is during the page
view as you visit it. Even though the admin site is in SG0, because you
explicitly log in as 'user+sitegroup', you'll be in 'sitegroup' for the
duration of your visit; you'll have read access to all objects in
'sitegroup', write access to all objects in 'sitegroup' where you're a
member of their owner group (unless you're SG admin, who has write
access to all objects in the SG), and strict read-only access to SG0
objects.

If you log into a site that has a host record that is not in SG0, you'll
be in that host's sitegroup during your page visit, which is why you
don't have to use '+sitegroup' for non-SG0 hosts. In order for a host
record to have a non-SG0 sitegroup, you must create it while being in
the target sitegroup, which is why you want to log on as
'admin*sitegroup' ("I'm root, but put me in sitegroup instead of SG0")
before creating the host record.

> They may have root privileges, but I don't understand the fact that I can't
> log in SG0 with their username.  Is it supposed to be that way?

Yes. Being in SG0 does not automatically make you root. The user also
needs a member record that puts him in group 0.

> OK, we must be careful with users created in SG0, this I can understand
> given the fact that they are powerful.  But I can't even log as any of them,
> that's my point.  It's implicit from what I have read up until now that we
> can log in SG0 with username created within SG0, no??????

If you're root, yes. Let's say you have a user with id 54 in SG0, then
there also needs to be a record in the member table with
   (uid=54,gid=0,sitegroup=0)
or you will not be considered to be root. And since persons in SG0
_must_ be root to be able to log in _anywhere_, these persons without
such member records won't be able to log in anywhere.

> Just to give you the context, I have created users in SGO (around 4 of them)
> and a couple of hosts (they are functional and work on internet).  Are you
> saying to me that I should never create anything in SG0?? ...

Probably.

> If this is the
> case what's the use of SG0, apart from the fact it contains several
> "critical applications" such as the admin applications???

That's exactly what it's generally used for. You can grant SG admins
near-total power over their own sitegroup, without giving them the
opportunity to accidentally alter the (rather critical) admin sites.

> Also, I don't understand when to use "!", "+", "=", ";", "*".

user*sitegroupname: I'm root, and I want to be in 'sitegroupname' for
the duration of this request.

user;sitegroupname: I'm admin of SG sitegroupname, I want to be in
'sitegroupname' for the duration of this request, and drop the special
privileges I have (make me a non-privileged user).

user$sitegroupname: I'm root, I want to be in
'sitegroupname' for the duration of this request, and drop the special
privileges I have (make me a non-privileged user).

user!sitegroupname: I'm root, I want to be in
'sitegroupname' for the duration of this request, and drop the special
privileges I have to the level of the SG admin.

user+sitegroupname: I'm a regular user or SG admin, I want to be in
'sitegroupname' for the duration of this request, and have the default
permissions.

user=otheruser[+*!]sitegroupname: I'm root or the SG admin, after
authentication assume I'm user 'otheruser' in the sitegroup, give me
default permissions for that user.

Using username!sitegroupname instead of username*sitegroupname gets rid
of some visual clutter if you have many sites or content trees, since
with '*' you see everything, with '!' you only see SG0 + the sitegroup
you're in. I don't really use '*', ';', '$' and '=' much besides for
troubleshooting. You'll typically use '!' for root, '+' for others, or
none.

Emile


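As an added illustration, not code from the software discussed here nor from this thread, the following Python models the login-string forms Emile lists together with the SG0 and root rules from earlier in the mail. The Person record, its admin_of field, the host_sg parameter and the privilege names are assumptions made for the model.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Person:
    name: str
    home_sg: str            # sitegroup the person record lives in ("SG0" is special)
    is_root: bool           # True only if a member record (uid, gid=0, sitegroup=0) exists
    admin_of: frozenset     # sitegroups this person administers (hypothetical field)

# user[=otheruser][sep]sitegroup, where sep is one of * ; $ ! +
LOGIN_RE = re.compile(r"^([^=*;$!+]+)(?:=([^=*;$!+]+))?(?:([*;$!+])([^=*;$!+]+))?$")

def parse_login(login):
    """Split a login string into (user, impersonated_user, separator, sitegroup)."""
    m = LOGIN_RE.match(login)
    if not m:
        raise ValueError("malformed login string: %r" % login)
    user, other, sep, sg = m.groups()
    if other is not None and sep not in ("+", "*", "!"):
        raise ValueError("'=' must be followed by otheruser and one of + * !")
    return user, other, sep, sg

def session_for(directory, login, host_sg="SG0"):
    """Return (effective_user, active_sitegroup, privilege) or raise PermissionError.
    directory maps user name -> Person; host_sg is the sitegroup of the host record
    being visited (the admin site lives in SG0)."""
    user, other, sep, sg = parse_login(login)
    p = directory[user]
    if p.home_sg == "SG0" and not p.is_root:
        raise PermissionError("persons in SG0 must be root to log in anywhere")
    if sep is None:
        sg = host_sg                     # plain login: the host record decides the SG
    if sg == "SG0" and not p.is_root:
        raise PermissionError("only root can log into SG0")
    default = "root" if p.is_root else ("sgadmin" if sg in p.admin_of else "user")
    if other is not None:                # '=': act as otheruser with that user's defaults
        if not (p.is_root or sg in p.admin_of):
            raise PermissionError("'=' requires root or the SG admin")
        o = directory[other]
        return o.name, sg, "sgadmin" if sg in o.admin_of else "user"
    if sep in ("*", "$", "!") and not p.is_root:
        raise PermissionError("'%s' is reserved for root" % sep)
    if sep == ";" and sg not in p.admin_of:
        raise PermissionError("';' requires the admin of that sitegroup")
    level = {None: default, "+": default, "*": "root", "!": "sgadmin",
             "$": "user", ";": "user"}[sep]
    return p.name, sg, level
```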