
We are getting more and more outside developers (from different clients) and are beginning to need a better strategy than ad hoc adding them to our server and adding them to the ourcompany group (which owns everything in /var/www/, our workspace).

An optimal solution would be to be able to nest groups, so that @ourcompany would stand for all members of the group ourcompany:

    ourcompany:xxx:john,joe,bob
    guestcompany:xxx:guest1,guest2,@ourcompany

But that's not possible. I am toying with the idea of having a template system, where I do some simple sed stuff to substitute and create a new /etc/group.

(The reason I don't want guestcompany:xxx:guest1,guest2,john,joe,bob is that if we add or remove people from our company, then someone will have to go through and make sure everything is updated, which could easily fall off the edge.)

I guess the next logical step is ACLs, but from my past experience they're somewhat of a hassle to deal with, so I just wanted to see if any of you knew of any other solutions that would work.

user9517

5 Answers


I'm not suggesting that you do it this way, but I've gotten around this problem by using Active Directory to manage my centralized authentication and implemented Likewise Open to authenticate my Linux machines. LWO gives a consistent UID and GID across all machines because they're based on a hash. This makes things like NFS and rsync very easy to deal with. It also solves nested groups nicely.

Are you using any sort of centralized authentication like NIS or LDAP?

Matt Simmons
  • No, it's a small dev server I maintain for developers in our company. Until now, it's never needed anything beyond basic unix auth, and we use mysqlauth apache for the web front-end authentication –  May 28 '09 at 05:32
  • You don't even need anything like LWO - just install the MSFU stuff, give your users uids/gids etc. and use ldap/krb5. No additional layer or system to deal with. – pfo Sep 05 '11 at 11:20
  • 1
    It's fully possible without it, yeah, but LWO makes things SO much easier. And it automatically hashes the UID/GIDs so they're identical across the infrastructure. – Matt Simmons Sep 07 '11 at 00:02

I would recommend using Linux trustees. It is inspired by Novell's trustees from a long time ago, and it's (imho) superior to anything else I've seen.

Without going into too much detail, you have a single configuration file to maintain. Trying to use ACLs and such, your visibility is not so great, as you have to query files individually.

With Linux trustees, you can also opt to AND with Unix permissions, or ignore them altogether.

The only downside is that it is a kernel module (which itself is not a bad thing), but you will probably need to recompile the kernel with appropriate support (as per the trustees docs). This is again not a problem, but if you have support, for example from Red Hat, then recompiling/modifying the kernel would not be an option.

khosrow
  • This looks like an interesting solution, but how well is this supported by something like samba or nfs? – Zoredache May 28 '09 at 07:58
  • 1
    This looks like more work (and more error-prone) than just using POSIX ACLs on the filesystem level. – Teddy Oct 16 '09 at 13:27

I wouldn't give them access at all to your workspace. I would set them up with access to a git or subversion repository, and then pull their changes onto your system for deployment. You can script a test server to update from your repository on a periodic basis so that the changes can be tested without developer intervention.

  • Unfortunately, as great as this would be, it's not feasible because we are doing web development and a lot of the work is in the database, and there isn't a great way to do DB change management with the framework we are using. –  May 29 '09 at 17:14

I know ACLs can be a hassle. I avoid them any time I don't explicitly require them. But in your situation they seem like the best option.

I would do LWO if... you already have a windows AD, and many potential machines that need permissions in this manner.

J. M. Becker

Maybe it's time to use a centralised system, like LDAP? I would suggest FreeIPA: very flexible, nice UI, lots of features. And it just works.

zen