Access restrictions for Ace

Richard Durbin rd at sanger.ac.uk
Wed Oct 20 17:21:29 EST 1999


There have over the years been a number of solutions to giving write
access to a group of people for an acedb database.  By far the most
sound and least problematic has been the following:

make the executable setuid, by chmod 4755 xace tace
make all the database/* files, wspec/* files 644 as normally
add user ids you wish to have write access to wspec/passwd.wrm

The code expects this setuid mode, and does the following: on startup it
recovers the true userid of the user running the program, and switches 
back effective user-id to that user.  It only switches to the setuid id
(that owning the database files) when reading or writing files in the 
database directories.  All other file operations, including parsing and
exporting data, are done with the true user id.

Solutions using Unix groups require very careful setting of umask that
has proven very hard to administer and enforce.  We strongly advise
you to switch to the approach described above.

Alternatively, use aceserver/aceclient, which avoids these problems.

Richard
---
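
The effective-uid switching described in the message above, sketched in C as an added example: it is not part of the original post and is not taken from the acedb source. The names priv_init and db_fopen are hypothetical, and the program is assumed to be installed setuid to the owner of the database files.

```c
/* Added illustration: priv_init() and db_fopen() are hypothetical names,
   not functions from the acedb source. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t real_uid;   /* the user who ran the program */
static uid_t owner_uid;  /* the setuid id, i.e. the owner of the database files */

/* Call before anything else: record both ids, then run as the real user.
   The saved set-user-ID keeps owner_uid, so it can be regained later. */
int priv_init(void)
{
    real_uid = getuid();
    owner_uid = geteuid();
    return seteuid(real_uid);
}

/* Open a file in the database directories as the owner, then drop again. */
FILE *db_fopen(const char *path, const char *mode)
{
    FILE *fp;
    int saved_errno;

    if (seteuid(owner_uid) != 0)
        return NULL;
    fp = fopen(path, mode);
    saved_errno = errno;
    if (seteuid(real_uid) != 0)
        _exit(1);               /* never continue with the owner's id */
    errno = saved_errno;
    return fp;
}

int main(int argc, char **argv)
{
    FILE *fp;

    if (priv_init() != 0 || argc < 2)
        return 1;
    fp = db_fopen(argv[1], "r");    /* database file: opened as the owner */
    printf("%s: %s, euid now %ld\n", argv[1], fp ? "opened" : "refused",
           (long)geteuid());
    if (fp)
        fclose(fp);
    return 0;                       /* any plain fopen() here runs as the user */
}
```

Run without the setuid bit, both ids are the same and the switches are no-ops, so the same binary behaves as an ordinary user program.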



