Puppet users - Oct 2006 - Dynamic groups for a user

Hi,

I try to find a way to do this in Puppet:

- i have a web server with Apache installed
- on this web server i got user accounts (and there is a group for
each user with the same name as the user name, in my case a group
called "sebastien.prudhomme". This group is the initial group of the
user)
- i want to set up UserDir in Apache so that my users can have their
own website.
- on my server, users have their website in $HOME/public_html (it
seems to be the defaut configuration on Apache)
- The $HOME of each user is in 770 mode so that only the user has
access or other users in the right initial group have access.

Now my problem: Apache need to have access to $HOME/public_html, so i
need to put the "apache" user in each inital group of my users.

As all my configuration is done with Puppet, including users, is there
a way to collect the names of all the users and to use that to feed
the "groups" parameter of the "apache" user?

Regards.

On Wed, Oct 18, 2006 at 01:54:58PM +0200, Sébastien Prud''homme
wrote:
> - The $HOME of each user is in 770 mode so that only the user has
> access or other users in the right initial group have access.
> 
> Now my problem: Apache need to have access to $HOME/public_html, so i
> need to put the "apache" user in each inital group of my users.
Let''s break your problem into two parts:

a) Apache needs access to $HOME/public_html
b) I need to put the apache user in each initial group of my users

If you want a working webserver for your users, then (a) is definitely true.
However, (b) does not follow from (a) -- in fact, the setup you''ve got
is
quite insecure -- what you''re effectively doing is allowing anything
that
runs as your webserver (such PHP scripts, CGI scripts, and the server
itself) write access to all of your users'' home directories.  Not real
wonderful in the event of any sort of compromise (can we say "site
defacement", or "malware insertion"?).

The *real* solution to your problem is to make your users'' home
directories
0771, make their public_html directories (and everything below that) at
least 0755/0644, and keep apache right the way out of your users''
groups.

The solution to the general problem is probably to have a separate exec
statement with your user creation that runs a command to add the common user
to the new user''s group, predicated on the group not already being
listed in
the output of "/usr/bin/id $common_user".  I use a define to do
something
fairly similar to this (it''s actually to add the new user to a bunch of
auxiliary groups and other related things, but the principle''s the
same).

- Matt