freedman@calgary.UUCP (Dan Freedman) (06/15/87)
Does anyone know what the PROJLIST environment variable is used for? In the manuals, this variable is reported to be used to determine whether users are "placed in their project lists" (or some such) when they log in. What does this mean? What are the advantages / disadvantages of being placed in one's project list? Our local Apollo people don't know. Dan Freedman. The University of Calgary Computer Science Department.
mishkin@apollo.UUCP (Nathaniel Mishkin) (06/16/87)
Does anyone know what the PROJLIST environment variable is used for?
In the manuals, this variable is reported to be used to determine
whether users are "placed in their project lists" (or some such)
when they log in. What does this mean? What are the advantages
/ disadvantages of being placed in one's project list? Our local
Apollo people don't know.
A process's identity is a (person, project, organization, node,
project-list) tuple. This identity is used for all rights (access)
checking. A "project-list" is simply a vector of projects. If PROJLIST
is NOT "true", then when you log in, your identity is set to have a null
project list. If PROJLIST is "true", then your identity is set to have
a project list that is made up from the project field from all your
accounts in the registry (i.e. all accounts that have the same person
field as the one your logging in under).
Access checking uses your project list in the following way: If the
ACL you're being checked against doesn't have a match based on your
(person, project, organization), then if the ACL has an entry of the
form "%.someproj.%.%", and "someproj" is in your project-list, the rights
associated with that entry apply to you.
Phew.
In case it's not obvious, this is all mechanism to support the BSD stuff
that allows you to be in multiple groups.
-- Nat Mishkin
Apollo Computer Inc.
-------pato@apollo.uucp (Joe Pato) (06/16/87)
In article <970@vaxb.calgary.UUCP> freedman@calgary.UUCP (Dan Freedman) writes: > >Does anyone know what the PROJLIST environment variable is used for? >In the manuals, this variable is reported to be used to determine >whether users are "placed in their project lists" (or some such) when >they log in. What does this mean? What are the advantages / disadvantages >of being placed in one's project list? Our local Apollo people don't know. > > Dan Freedman. > The University of Calgary Computer Science Department. With BSD4.1a and later BSD derived versions of UNIX, a user process has a set of groups associated with it. (these groups can be examined with getgroups(2) and set with setgroups(2) ). When checking access permissions, (assuming arguendo that the group access bits are the only ones of interest) you are granted access to a file if you are a member of a group that has group permissions to that file. You do not need to have a real or effective group ID of the file's group, you merely must have that group in your process' group set. Normally a process' group set corresponds to the list of groups the user belongs to (the login group in /etc/passwd plus the groups that this user is a member of as defined by /etc/group). /bin/login does this by calling initgroups(3X). This functionality essentially renders the old newgrp(1) command obsolete. Apollo provides this functionality in a number of ways. If the UNIXLOGIN environment variable is set in the node's startup script, then logins will exhibit this behavior, but will also causes some other "unix oriented" changes to the login sequence. The PROJLIST (note that in AEGIS terminology projects are equivalent to UNIX groups hence the name PROJLIST) environment variable was created to allow users to retain the AEGIS login sequence while accessing this functionality. If neither the UNIXLOGIN nor the PROJLIST environment variables are set, then login will not establish a set of associated groups, and only the real and effective group IDs will be used for access control checking. This behavior is consistent with pre sr9.0 Aegis and with ATT SYSV UNIX. Joe Pato UUCP: ...{attunix,uw-beaver,brunix}!apollo!pato Apollo Computer Inc. ARPA: apollo!pato@mit-eddie.arpa