[clue-tech] Groups in groups? -- IMPOSSIBLE (?)
David L. Anselmi
anselmi at anselmi.us
Sat Jan 28 11:09:34 MST 2006
William wrote:
> William wrote:
>
>> I'm still turning up nil on Google (I even tried Ask Jeeves).
>
> I finally found something (heartbreaking):
> http://www.list.gmu.edu/confrnc/nissc/n98unix.pdf
>
> Unfortunately, this says, "Unix notably lacks a facility for including
> one group in another."

Perhaps SELinux or whatever that allows Linux to use ACLs and
capabilities has a way to handle this.

You might maintain your group info in a different file that supports
whatever notation you want for this. Then run a script (via make,
probably) that generates /etc/groups that does what you want. E.g.:

    group1:x:3000:user1,user2,user3
    group2:x:3100:user5,user1,user6,[group1]

would generate this groups file:

    group1:x:3000:user1,user2,user3
    group2:x:3100:user5,user1,user6,user2,user3

Perhaps handling unlimited nesting and preventing loops would be tricky
but those problems have been solved before so you should be able to find
an algorithm easily. (I expect this is a one liner in LISP ;-)

Although you might think this is a hack, it has been done frequently in
the past. Sendmail's alias file is maintained in text but converted to
a database by newaliases. Larger sites tend to keep all their config
files in some central (versioned) repository and use a tool to convert
the master file to the correct format and distribute to all machines.

Perhaps there's already a configuration management system that does what
you want.

Dave
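
Added example, not part of the original message and not written by its author: a sketch of the generator script described above, expanding [group] references with unlimited nesting and refusing to produce output when it finds a loop or a reference to an undefined group. The function names, the GroupLoopError class and the group3 line are assumptions made for illustration.

```python
import re

# Constructed master file in the message's notation; group3 is added to show nesting.
MASTER = """\
group1:x:3000:user1,user2,user3
group2:x:3100:user5,user1,user6,[group1]
group3:x:3200:user7,[group2]
"""

class GroupLoopError(ValueError):
    """A group includes itself, directly or through other groups."""

def parse_master(text):
    """Return {name: (passwd, gid, [members])}, rejecting malformed or duplicate lines."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or fields[0] in groups:
            raise ValueError(f"line {lineno}: malformed or duplicate group entry")
        name, passwd, gid, members = fields
        groups[name] = (passwd, gid, [m for m in members.split(",") if m])
    return groups

def expand(name, groups, stack=()):
    """Flatten one group's members depth-first; `stack` holds the groups being expanded."""
    if name in stack:
        raise GroupLoopError(" -> ".join(stack + (name,)))
    if name not in groups:
        raise KeyError(f"reference to unknown group [{name}]")
    users = []
    for member in groups[name][2]:
        ref = re.fullmatch(r"\[(.+)\]", member)
        found = expand(ref.group(1), groups, stack + (name,)) if ref else [member]
        for u in found:
            if u not in users:  # keep first occurrence, preserve order
                users.append(u)
    return users

def generate(text):
    """Render the flattened group file; any error aborts before output is produced."""
    groups = parse_master(text)
    lines = [f"{n}:{p}:{g}:{','.join(expand(n, groups))}" for n, (p, g, _) in groups.items()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(generate(MASTER), end="")
```

Because the whole file is rendered in memory first, a loop or a dangling reference stops the run with an exception instead of leaving a partially written group file that silently drops or grants memberships.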