UID: Difference between revisions

imported>Dzahn
 
imported>BryanDavis
(→‎permission/security hierarchy: change apache to www-data)
Line 23: Line 23:
the security hierarchy looks as follows as decribed by TimStarling:
the security hierarchy looks as follows as decribed by TimStarling:


*'''root > wikidev > mwdeploy > apache'''
*'''root > wikidev > mwdeploy > www-data'''
**root can own wikidev but wikidev can't own root
**root can own wikidev but wikidev can't own root
**wikidev can own mwdeploy but mwdeploy can't own wikidev
**wikidev can own mwdeploy but mwdeploy can't own wikidev
**scripts owned by mwdeploy can only be run by apache
**scripts owned by mwdeploy can only be run by www-data
**everything has to su to apache before running maintenance scripts
**everything has to su to www-data before running maintenance scripts




also see: [[RT:1406]]
also see: [[RT:1406]]
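Review bot: after the switch from apache to www-data in the hierarchy line and the two script bullets, the reserved UIDs table on this page still lists apache (48/48) alongside www-data (33/33); note there whether the apache entry is still needed or is kept only for older hosts. The unchanged context line also carries the typo "decribed", which could be fixed in the same edit.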

Revision as of 20:53, 15 October 2015

reserved UIDs & GIDs

This is most likely not the desired state yet; it simply records the current situation on fenari. It should be edited to reflect the desired situation, in which these IDs are the same on all servers.

UID   GID   user name
33    33    www-data
48    48    apache
107   112   puppet
110   115   nagios
111   116   mwdeploy
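
One way to check a host against the reserved table above, as an added example that is not part of the original wiki page or of any Wikimedia tooling. The function names, the finding labels and the sample passwd text are assumptions made for illustration.

```python
# Added example: names below are illustrative, not Wikitech tooling.
RESERVED = {  # user name -> (UID, GID), copied from the table above
    "www-data": (33, 33),
    "apache": (48, 48),
    "puppet": (107, 112),
    "nagios": (110, 115),
    "mwdeploy": (111, 116),
}

def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd-format text, skipping bad lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdecimal() or not fields[3].isdecimal():
            continue
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries

def audit(passwd_text, reserved=RESERVED):
    """List deviations from the reserved table as (kind, user, detail) tuples."""
    entries = parse_passwd(passwd_text)
    reserved_uids = {uid: name for name, (uid, _) in reserved.items()}
    findings = []
    for name, (uid, gid) in sorted(reserved.items()):
        if name not in entries:
            findings.append(("missing", name, f"expected {uid}:{gid}"))
        elif entries[name] != (uid, gid):
            detail = "have %d:%d, expected %d:%d" % (*entries[name], uid, gid)
            findings.append(("mismatch", name, detail))
    for name, (uid, _) in sorted(entries.items()):  # reserved UID held by another account
        owner = reserved_uids.get(uid)
        if owner is not None and owner != name:
            findings.append(("squatter", name, f"uses UID {uid} reserved for {owner}"))
    return findings

# Constructed sample input (not taken from any real host).
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
puppet:x:107:112::/var/lib/puppet:/bin/false
nagios:x:110:116::/var/lib/nagios:/bin/false
ntp:x:111:120::/home/ntp:/bin/false
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Feeding it the contents of /etc/passwd from each server shows where the IDs have drifted from the table.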

permission/security hierarchy

The security hierarchy, as described by TimStarling, looks as follows:

  • root > wikidev > mwdeploy > www-data
    • root can own wikidev but wikidev can't own root
    • wikidev can own mwdeploy but mwdeploy can't own wikidev
    • scripts owned by mwdeploy can only be run by www-data
    • everything has to su to www-data before running maintenance scripts


also see: RT:1406