Fork: 0
tundra / mkapachepw
Browse code
Further description of options.
master
1 parent a5ffb9e commit 201fe28172697244ba6f679bddef7a5eabc10246
@toor toor authored on 12 Apr 2005
Patch
Unified Split
Showing 1 changed file
View
236
mkapachepw.1
.SH SYNOPSIS
mkapachepw [-sGUguIicqOohv]
 
.SH DESCRIPTION
\'mkapachepw\' is a utility program for creating and maintaining
\fCmkapachepw\fP is a utility program for creating and maintaining
Apache webserver user and group access control files. Its primary
value is that it allows large numbers of user and group entries to be
managed in separate files. These files are then combined into single,
production files for use by the Apache webserver. In this manner,
different departments of an organization can independently manage
their own user and group information in separate files. The webmaster
then uses \'mkapachepw\' to combine them on the production system.
 
\'mkapachepw\' has a number of useful features, including:
then uses \fCmkapachepw\fP to combine them on the production system.
 
\fCmkapachepw\fP has a number of useful features, including:
 
.IP \(bu 4
Automatically Create Apache Users/Groups From Underlying OS Users/Groups
 
.IP \(bu 4
Catch (And Prevent) Redefinition Of User/Groups In Different Files
 
.P
With \'mkapachepw\', you can easily write scripts to automate the
With \fCmkapachepw\fP, you can easily write scripts to automate the
creation of custom Apache user and group access control files that
contain any/all of the OS users/groups plus any other custom users and
groups relevant to your Apache installation. For example, you might
have separately managed user/group files for Engineering, Sales, and
 
 
.SH INSTALLATION
 
FreeBSD users can simply install the package using the \'mkapachepw\' port.
FreeBSD users can simply install the package using the \fCmkapachepw\fP port.
 
All other Unix-like systems require the program to be installed manually:
 
.IP \(bu 4
.TP
.B -s
suppress inclusion system user and group information
 
By default, \'mkapachepw\' includes the users and groups found
By default, \fCmkapachepw\fP includes the users and groups found
in the underlying operating system (starting with the specified
starting GID and UID - see the -g and -u options below). This
starting GID and UID - see the \fC-g\fP and \fC-u\fP options below). This
command line option prevents any system users or groups from
being included in the final output files.
 
.TP
.B -G
 
.TP
.B -U
 
.TP
.B -g
 
.TP
.B -u
.B -G +groupname -groupname +GID -GID ...
enumerated list of groups to include/exclude
.TP
.B -U +username -username +UID -UID ...
enumerated list of users to include/exclude
 
By default, \fCmkapachepw\fP reads in
.B all
the users and groups found in the underlying OS databases and any
files you've specifically included (see the \fC-I\fP and \fC-i\fP
options below). It then writes these to the output group and user
files consistent with the starting GID and UID values specified (see
the \fC-g\fP and \fC-u\fP options below).
 
You may wish to selectively include or exclude specific groups and/or
users in the output files by means of the \fC-G\fP and \fC-U\fP
options respectively. Each of these options takes a quoted list of
names and/or IDs as its argument. Each of these \"enumerated\"
groups or users must be prefixed with a \fC+\fP symbol to indicate
the entry is to be
.B included
or a \fC-\fP symbol to indicate the entry is to be
.B excluded.
 
For example:
.ft C \" Courier
.nf
mkapachepw.py -I mygroups.inc -i myusers.inc -G "-wheel +admins -45" -U "+bob -fifi"
.fi
.ft \" revert
 
This command reads in all the system groups and users. Then it reads
in the group and user entries found in the files, \fCmygroups.inc\fP
and \fCmyusers.inc\fP. It then emits Apache group and user files with
the group \fCwheel\fP and group with a GID of 45 removed, but
the group \fCadmins\fP included. Similarly, user \fCbob\fP is
included, but user \fCfifi\fP is not.
 
It is probably not immediately obvious why you would ever explicitly
include a group or user. After all, the program reads in every single
system group/user and all the groups/users found in any included
files. Why bother explicitly naming an entry to include? As
explained below, it is possible to specify a starting GID or UID for
inclusion from the OS databases. Say the starting UID is 100 (the
default), but user \fCbob\fP has a UID of 99. While \fCmkapachepw\fP
would initially read this entry in, it would not place it into the
output Apache user file because this user's UID is below the starting
value. By explicitly providing the argument \fC+bob\fP, this user
will be included in the output despite not satisfying the starting UID
test. In other words, the \fC-G\fP and \fC-U\fP options are the final
arbiters of what actually makes it into the output group and user
files, regardless of other conditions that may be in effect.
 
 
By combining these options with the starting GID and UID options
described below, you can achieve a very fine grain of control of just
which groups and users actually end up in a production Apache access
control system.
 
 
.TP
.B -g number
starting GID to include in group output (default: 100)
 
.TP
.B -u number
starting UID to include in user output (default: 100)
 
When group and user information is read from the OS databases, only
entries with GID/UID values equal or greater than these starting
values are actually included in the output files.
 
Group and user entries found in any included files (see the \fC-I\fP
and \fC-i\fP options below) are each assigned a "fake" GID/UID of
100000 (this can be changed in the \fCmkapachepw\fP program by
modifying the \fCBOGUSID\fP value). By default, this guarantees
that everything in the included files appears in the output.
This makes sense, because you probably wouldn't be including
the file if you didn't want its content in the output.
However, you may wish to selectively include only certain entries
in the included files. You can do this by setting the starting
GID or UID so high that
.B nothing
is initially included in the output, and then use enumeration
features described above to explicitly name the entries you
actually want in the output:
 
.ft C \" Courier
.nf
mkapachepw.py -I mygroups.inc -g 100001 -G "+admins +webmasters +4433"
.fi
.ft \" revert
 
This would include
.B all
the system users whose UID was 100 or greater in the user output file.
It would then produce a group output file whose only entries would be
the groups \fCadmins\fP, \fCwebmasters\fP (regardless whether they
were found in the OS group database or in the included file
\fCmygroups.inc\fP), and the group whose GID was 4433.
 
 
.TP
.B -I
 
 
 
 
.SH OTHER
\'mkapachepw\' is a pure-Python module and should run anywhere a
\fCmkapachepw\fP is a pure-Python module and should run anywhere a
recent Python implementation is found. However, it is Unix-specific
in that it requires the \'pwd\' and \'grp\' modules for accessing the
underlying OS user and group databases. Note that access to these
system databases requires the program be run by the root user.
.SH BUGS AND MISFEATURES
None known as of this release.
 
.SH COPYRIGHT AND LICENSING
\'mkapachepw\' is Copyright (c) \*(CP TundraWare Inc. For terms of use, see
\fCmkapachepw\fP is Copyright (c) \*(CP TundraWare Inc. For terms of use, see
the mkapachepw-license.txt file in the program distribution. If you
install \'mkapachepw\' on a FreeBSD system using the 'ports' mechanism, you
install \fCmkapachepw\fP on a FreeBSD system using the 'ports' mechanism, you
will also find this file in /usr/local/share/doc/mkapachepw.
 
\'mkapachepw\' is free for individual, non-commerical, personal
\fCmkapachepw\fP is free for individual, non-commerical, personal
use. Use in any setting where there is any remuneration,
direct or indirect, requires payment of a licensing fee.
 
Individual, multiple, and enterprise licensing is available.
.fi
.ft \" revert
 
.SH DOCUMENT REVISION INFORMATION
$Id: mkapachepw.1,v 1.102 2005/04/12 08:28:28 toor Exp $
 
 
 
$Id: mkapachepw.1,v 1.103 2005/04/12 09:22:30 toor Exp $