.ds CP 2005 .TH mkapachepw 1 "TundraWare Inc." .SH NAME mkapachepw \- Apache webserver user and group file management utility for Unix-like systems. .SH SYNOPSIS mkapachepw [-sGUguIicqOohv] .SH DESCRIPTION \fCmkapachepw\fP is a utility program for creating and maintaining Apache webserver user and group access control files. Its primary value is that it allows large numbers of user and group entries to be managed in separate files. These files are then combined into single, production files for use by the Apache webserver. In this manner, different departments of an organization can independently manage their own user and group information in separate files. The webmaster then uses \fCmkapachepw\fP to combine them on the production system. \fCmkapachepw\fP has a number of useful features, including: .IP \(bu 4 Automatically Create Apache Users/Groups From Underlying OS Users/Groups .IP \(bu 4 Combine User & Group Data From Separately Managed Files Into Single Production Apache Access Control Files .IP \(bu 4 Specify Which Particular Users/Groups Are To Be Included Or Excluded .IP \(bu 4 Catch (And Prevent) Redefinition Of User/Groups In Different Files .P With \fCmkapachepw\fP, you can easily write scripts to automate the creation of custom Apache user and group access control files that contain any/all of the OS users/groups plus any other custom users and groups relevant to your Apache installation. For example, you might have separately managed user/group files for Engineering, Sales, and Marketing. These can then be selectively combined with the users/groups already defined by the underlying operating system. .SH INSTALLATION FreeBSD users can simply install the package using the \fCmkapachepw\fP port. All other Unix-like systems require the program to be installed manually: .IP \(bu 4 Get the distribution tarball from http://www.tundraware.com/Software/mkapachepw .IP \(bu 4 Copy the \'mkapachepw.py\' file to a directory somewhere in your path. .IP \(bu 4 Copy the \'mkapachepw.1.gz\' file to the local \'man1\' directory. .SH OPTIONS .TP .B -s suppress inclusion system user and group information By default, \fCmkapachepw\fP includes the users and groups found in the underlying operating system (starting with the specified starting GID and UID - see the \fC-g\fP and \fC-u\fP options below). This command line option prevents any system users or groups from being included in the final output files. .TP .B -G +groupname -groupname +GID -GID ... enumerated list of groups to include/exclude .TP .B -U +username -username +UID -UID ... enumerated list of users to include/exclude By default, \fCmkapachepw\fP reads in .B all the users and groups found in the underlying OS databases and any files you've specifically included (see the \fC-I\fP and \fC-i\fP options below). It then writes these to the output group and user files consistent with the starting GID and UID values specified (see the \fC-g\fP and \fC-u\fP options below). You may wish to selectively include or exclude specific groups and/or users in the output files by means of the \fC-G\fP and \fC-U\fP options respectively. Each of these options takes a quoted list of names and/or IDs as its argument. Each of these \"enumerated\" groups or users must be prefixed with a \fC+\fP symbol to indicate the entry is to be .B included or a \fC-\fP symbol to indicate the entry is to be .B excluded. For example: .ft C \" Courier .nf mkapachepw.py -I mygroups.inc -i myusers.inc -G "-wheel +admins -45" -U "+bob -fifi" .fi .ft \" revert This command reads in all the system groups and users. Then it reads in the group and user entries found in the files, \fCmygroups.inc\fP and \fCmyusers.inc\fP. It then emits Apache group and user files with the group \fCwheel\fP and group with a GID of 45 removed, but the group \fCadmins\fP included. Similarly, user \fCbob\fP is included, but user \fCfifi\fP is not. It is probably not immediately obvious why you would ever explicitly include a group or user. After all, the program reads in every single system group/user and all the groups/users found in any included files. Why bother explicitly naming an entry to include? As explained below, it is possible to specify a starting GID or UID for inclusion from the OS databases. Say the starting UID is 100 (the default), but user \fCbob\fP has a UID of 99. While \fCmkapachepw\fP would initially read this entry in, it would not place it into the output Apache user file because this user's UID is below the starting value. By explicitly providing the argument \fC+bob\fP, this user will be included in the output despite not satisfying the starting UID test. In other words, the \fC-G\fP and \fC-U\fP options are the final arbiters of what actually makes it into the output group and user files, regardless of other conditions that may be in effect. By combining these options with the starting GID and UID options described below, you can achieve a very fine grain of control of just which groups and users actually end up in a production Apache access control system. .TP .B -g number starting GID to include in group output (default: 100) .TP .B -u number starting UID to include in user output (default: 100) When group and user information is read from the OS databases, only entries with GID/UID values equal or greater than these starting values are actually included in the output files. Group and user entries found in any included files (see the \fC-I\fP and \fC-i\fP options below) are each assigned a "fake" GID/UID of 100000 (this can be changed in the \fCmkapachepw\fP program by modifying the \fCBOGUSID\fP value). By default, this guarantees that everything in the included files appears in the output. This makes sense, because you probably wouldn't be including the file if you didn't want its content in the output. However, you may wish to selectively include only certain entries in the included files. You can do this by setting the starting GID or UID so high that .B nothing is initially included in the output, and then use enumeration features described above to explicitly name the entries you actually want in the output: .ft C \" Courier .nf mkapachepw.py -I mygroups.inc -g 100001 -G "+admins +webmasters +4433" .fi .ft \" revert This would include .B all the system users whose UID was 100 or greater in the user output file. It would then produce a group output file whose only entries would be the groups \fCadmins\fP, \fCwebmasters\fP (regardless whether they were found in the OS group database or in the included file \fCmygroups.inc\fP), and the group whose GID was 4433. .TP .B -I .TP .B -i .TP .B -c .TP .B -q .TP .B -O .TP .B -o .TP .B -h print help information .TP .B -v print detailed version information. .SH EXAMPLES .SH EXIT CODES .ft C \" Courier .nf 0 No error, normal completion 1 Invalid command line: - Cannot open include file - Invalid command line option - Extraneous argument(s) after command line options - Invalid argument for starting GID or UID 2 Invalid enumeration argument: - Enumerated entry missing an inclusion/exclusion prefix (+/-) - Attempt to include/exclude a non-existent GID, UID, or name 3 Cannot open output file 4 Included file attempted to redefine existing user or group .fi .ft \" revert .SH OTHER \fCmkapachepw\fP is a pure-Python module and should run anywhere a recent Python implementation is found. However, it is Unix-specific in that it requires the \'pwd\' and \'grp\' modules for accessing the underlying OS user and group databases. Note that access to these system databases requires the program be run by the root user. In order for this program to produce correct access control files, Apache and the underlying OS must agree on the hash algorithm used to encrypt passwords. This should be the default case in most instances. This program has only been tested on FreeBSD, though it should work on other Unix-like variants. The program will not run on Win32 systems. .SH BUGS AND MISFEATURES None known as of this release. .SH COPYRIGHT AND LICENSING \fCmkapachepw\fP is Copyright (c) \*(CP TundraWare Inc. For terms of use, see the mkapachepw-license.txt file in the program distribution. If you install \fCmkapachepw\fP on a FreeBSD system using the 'ports' mechanism, you will also find this file in /usr/local/share/doc/mkapachepw. \fCmkapachepw\fP is free for individual, non-commerical, personal use. Use in any setting where there is any remuneration, direct or indirect, requires payment of a licensing fee. Individual, multiple, and enterprise licensing is available. Contact mkapachepw@tundraware.com for current pricing. .SH AUTHOR .ft C \" Courier .nf Tim Daneliuk mkapachepw@tundraware.com .fi .ft \" revert .SH DOCUMENT REVISION INFORMATION $Id: mkapachepw.1,v 1.103 2005/04/12 09:22:30 toor Exp $