Iworx added to a special group for special bin doesn't work

Hello,

I do not understand what is happening.

Some bins have a special group. We chmod these bins to 750 and we add all users that can access these bins to this group.

For example:
-rwxr-x--- 2 root perl 20736 Dec 21 02:17 /usr/bin/perl

In /etc/group we have a group named perl and we add all users that need to access to perl to this group.

It works for all users except iworx.
Every time we add a new user to this group, the fileman doesn't work because iworx can't access perl. And if we look at /etc/group, the user iworx is in the perl group.

We have to remove it from the group, restart iworx, then add it and restart iworx to finally have the user iworx able to access the perl bin.

Once again, it works for all other users. They can use perl in their /cgi-bin/

In fact we have a simple script which looks for all cgi-bin dirs in /home and automatically adds the user to the perl group

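#!/bin/sh
# Reset the log of users added to the perl group.
echo '' > /root/perlgroup
# /home/<user>/<domain>/<dir>/cgi-bin: the second path component is the user name.
USERTOADD=$(find /home/ -mindepth 4 -maxdepth 4 -type d -name "cgi-bin" | tr '/' ' ' | awk '{print $2}')
for user in $USERTOADD; do
    usermod -a -G perl "$user"
    echo "Utlisateur $user ajouté au groupe perl" >> /root/perlgroup
done
# Re-add iworx to its groups, then restart it so it picks up the change.
usermod -a -G vchkpw,perl iworx
service iworx restart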

We've tried to re-add the user iworx to the group perl at the end of the script, but as I said sometimes it works, sometimes not (I mean iworx can't access the perl bin).

I do not understand why. Why is it so specific to the user iworx? I could understand if it didn't work for all the other users too, but no, it is only for the iworx user.

Any idea why?

Pascal

Arrff, it's really too strange, or I'm missing something.

If I remove the user iworx from the vchkpw group, then fileman works, so the iworx user has access to perl. (I restart iworx after every change in /etc/group. Iworx has to be in vchkpw as it uses vadduser to create mailboxes.)

If I add it (even by manually editing /etc/group) to the group vchkpw then it doesn't work.

Finally if I remove iworx from all groups, restart iworx, then do :

  • usermod -a -Gvchkpw,perl iworx
  • chgrp perl /usr/bin/perl
  • service iworx restart

then it works ???

I do not understand this

Now if I edit my script to have these updates in it

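#!/bin/sh
# Reset the log of users added to the perl group.
echo '' > /root/perlgroup
# /home/<user>/<domain>/<dir>/cgi-bin: the second path component is the user name.
USERTOADD=$(find /home/ -mindepth 4 -maxdepth 4 -type d -name "cgi-bin" | tr '/' ' ' | awk '{print $2}')
for user in $USERTOADD; do
    usermod -a -G perl "$user"
    echo "Utlisateur $user ajouté au groupe perl" >> /root/perlgroup
done
# Re-add iworx to its groups, reset the group owner of perl, then restart iworx.
usermod -a -G vchkpw,perl iworx
chgrp perl /usr/bin/perl
service iworx restart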

run my script, it still works

I'm not sure I understand why I have to do this. Also I'm not sure at all it will not work at next cron hour (this script runs every 4 hours).

Any idea about all this?

Thanks

pascal

Every time you make a group change you’ll most likely have to restart iworx. Apache itself is restarted on each useradd as a side-effect of the SiteWorx account add so it sees the new users/groups, whereas the iworx Apache instance doesn’t. So just restart iworx each time you mess with /etc/passwd or /etc/group and you should be fine. There’s no need to delete and re-add the iworx user to the perl group each time.

Chris
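
An added example, not part of the thread: a process keeps the group list it had when it started, which is why the restart described in the reply above matters. This sketch compares the GIDs a running process holds (the `Gid:` and `Groups:` lines of /proc/<pid>/status on Linux) with what `id -G` reports for the account. The sample status text and GIDs are constructed, and the PID of the iworx Apache instance is an assumption the operator has to supply.

```shell
#!/bin/sh
# Added example (not from the thread): list group IDs that the account
# database grants a user but that an already-running process does not hold.

# Print the GIDs a process holds, from /proc/<pid>/status text on stdin.
proc_gids() {
    awk '/^(Gid|Groups):/ { for (i = 2; i <= NF; i++) print $i }'
}

# missing_gids "<wanted gids>" "<held gids>": print wanted GIDs not held.
missing_gids() {
    out=""
    for want in $1; do
        found=no
        for have in $2; do
            if [ "$want" = "$have" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then out="$out $want"; fi
    done
    echo $out
}

# check_pid <user> <pid>: compare a live process with `id -G <user>`.
check_pid() {
    wanted=$(id -G "$1") || return 2
    held=$(proc_gids < "/proc/$2/status") || return 2
    miss=$(missing_gids "$wanted" "$held")
    if [ -n "$miss" ]; then
        echo "pid $2 lacks gid(s) $miss of $1: restart the service"
        return 1
    fi
    echo "pid $2 holds every group of $1"
}

# Constructed sample: a process started while the user was only in groups
# 48 and 89; GID 502 (standing in for "perl") was added afterwards.
SAMPLE_STATUS='Name: httpd
Gid: 48 48 48 48
Groups: 48 89'
SAMPLE_WANTED="48 89 502"

if [ "$#" -eq 2 ]; then
    check_pid "$1" "$2"
else
    held=$(printf '%s\n' "$SAMPLE_STATUS" | proc_gids)
    echo "sample process lacks: $(missing_gids "$SAMPLE_WANTED" "$held")"
fi
```

Run with a user name and a PID (for example `iworx` and the PID of one of its processes) to check a live process; with no arguments it runs on the constructed sample.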

Thanks Chris but it is what we did.

This script did an iworx restart

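#!/bin/sh
# Reset the log of users added to the perl group.
echo '' > /root/perlgroup
# /home/<user>/<domain>/<dir>/cgi-bin: the second path component is the user name.
USERTOADD=$(find /home/ -mindepth 4 -maxdepth 4 -type d -name "cgi-bin" | tr '/' ' ' | awk '{print $2}')
for user in $USERTOADD; do
    usermod -a -G perl "$user"
    echo "Utlisateur $user ajouté au groupe perl" >> /root/perlgroup
done
# Re-add iworx to its groups, then restart it so it picks up the change.
usermod -a -G vchkpw,perl iworx
service iworx restart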

We did
I do not understand why I have to re-add the iworx user every time we add a new user.

Ok I'll try this

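#!/bin/sh
# Reset the log of users added to the perl group.
echo '' > /root/perlgroup
# /home/<user>/<domain>/<dir>/cgi-bin: the second path component is the user name.
USERTOADD=$(find /home/ -mindepth 4 -maxdepth 4 -type d -name "cgi-bin" | tr '/' ' ' | awk '{print $2}')
for user in $USERTOADD; do
    usermod -a -G perl "$user"
    echo "Utlisateur $user ajouté au groupe perl" >> /root/perlgroup
done
# Only restart iworx; its own group membership is left untouched.
service iworx restart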

Add new users that have a cgi-bin dir and just restart iworx. After this script the iworx user is still in /etc/group. You agree that I do not have to re-add the iworx user to perl and vchkpw as it is already in.
Basically this script should work and after it has been run, the iworx user should still have access to perl and vadduser. Do you agree with this?

Pascal

Basically this script should work and after it has been run, the iworx user should still have access to perl and vadduser. Do you agree with this?

As long as the iworx user is still in the correct groups after running the useradd above then yes.

Chris