Davor Ocelic wrote:
> 1) Do hcoop and domtool users need USER.cgi and USER.mailfilter
> principals (and everything that goes with them)?
>

'hcoop' is the principal for group web sites like www.hcoop.net. However, these web sites are all run on deleuze as a single user, so I don't think 'hcoop' needs a 'cgi' principal, and I haven't set up any mail filters for it, either. 'domtool' should never be involved with either of these, by design. So, my answer is that none of the four principals you ask about should need to exist.

> 2) User 'domtool' is dedicated to domtool; what does 'hcoop' user
> serve for?
>

See above answer. 'domtool' has permissions to walk all over all Domtool data, while 'hcoop' is only allowed to touch group web sites. (Principle of least privilege in action)

> 5) Directory /afs/hcoop/common/databases/USERNAME wants mode
> mysql.service rl
> postgres.service rl
>
> so please add that to database creation procedures.
>

Will do later today, hopefully.

> I have modified exim4/get-token, create-user, destroy-user and
> all init scripts and even a few domtool files in adamc's
> ~/cvs/ directory to reflect this. (Adamc, run cvs diff in there
> to see the 3 or 4 lines I've changed).
>

Please never edit files in my checked-out CVS repositories again. The whole point of CVS is that you check out your own version, make changes there, and commit.

> 7) As said, I've modified some domtool scripts in both /etc/init.d/
> and in adamc's ~/cvs/. But other scripts (mysql, apache..)
> I modified only in /etc/init.d/ , so whoever is taking care of
> committing them to cvs, please do.
>

Every admin is taking care of committing his own changes, so the answer in this particular case is "you are." ;-) Check out the 'misc' module from hcoop SourceForge CVS and make your changes.

> 8) While trying to run domtool, I noticed it's not giving any error
> message if it can't write its log file. Adamc you could add some
> message in that case.
>

How do you recommend doing that in a shell script? If you look at the wrapper script now, you can see that it's a one-liner that just runs the real binary with > and >> used to redirect output to that log.

> 10) Adamc please tune permissions on and in /afs/hcoop.net/usr/hcoop/ .
> If you want hcoop to own them, chown hcoop. If you want apache,
> chown to www-data.service .
>

Will do as soon as I'm able to get adamc_admin AFS tokens again. (See previous e-mail for diagnostic output related to this problem)

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
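
Added example, not part of the original e-mail and not the real domtool wrapper: one way a shell wrapper that redirects output with >> could report an unwritable log file (item 8 above) instead of failing silently. The function name run_logged, the exit code 74 and all paths are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper helper. The name run_logged, the exit code 74 and
# the usage path below are assumptions, not taken from the domtool scripts.

# run_logged LOGFILE COMMAND [ARGS...]
#
# Runs COMMAND with stdout and stderr appended to LOGFILE.
# If LOGFILE cannot be opened for appending, prints a message on the
# caller's stderr and returns 74 without running COMMAND, so the operator
# sees the problem instead of getting a silent no-op.
run_logged() {
    log=$1
    shift

    # Attempt the same open-for-append the redirection below will perform.
    # It runs in a subshell because a failed redirection on a special
    # builtin such as ':' may terminate a POSIX shell; here only the
    # subshell exits, and its status tells us whether the open worked.
    if ! ( : >>"$log" ) 2>/dev/null; then
        echo "run_logged: cannot write log file '$log'" >&2
        return 74
    fi

    # Log is writable: run the real program. Its exit status becomes the
    # function's return value, so callers can still detect command failure.
    "$@" >>"$log" 2>&1
}

# Usage (constructed paths):
#   run_logged /var/log/example/tool.log /usr/local/bin/real-binary "$@"
```

The probe creates the log file if it does not exist yet, which matches what the >> redirection would do anyway.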
