jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-18 15:00:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

DEVEL15-man-page-pts-membership-privilege-20090118

Browse Source 
FIXES 124151
LICENSE BSD

Add system:ptsviewers to the privilege documentation of pts membership and
try to clarify the privilege required by being less verbose and hopefully
more direct.


(cherry picked from commit d781450cf3)
This commit is contained in:
Russ Allbery 2009-01-19 03:32:18 +00:00
parent 3bf819947e
commit ca5ad7b634
1 changed files with 16 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
doc/man-pages/pod1/pts_membership.pod
View File

@ -34,7 +34,7 @@ It is not possible to list the members of the system:anyuser or
system:authuser groups, and they do not appear in the list of groups to
which a user belongs.
To add users or machine to groups, use the pts adduser command; to remove
To add users or machine to groups, use the B<pts adduser> command; to remove
them, use the B<pts removeuser> command.
=head1 OPTIONS
@ -112,45 +112,35 @@ non-administrative user to obtain this listing.
=head1 PRIVILEGE REQUIRED
The required privilege depends on the setting of the third privacy flag in
the Protection Database entry of each user or group indicated by the
B<-nameorid> argument (use the B<pts examine> command to display the
Members of the groups system:ptsviewers and system:administrators can
always use this command in any of its variations. Additionally, a user
can always list the groups to which they belong, and the owner of a group
can always list the members of the group.
Additional privileges may be granted by the setting of the third privacy
flag in the Protection Database entry of each user or group indicated by
the B<-nameorid> argument (use the B<pts examine> command to display the
flags):
=over 4
=item *
If it is the hyphen and the B<-nameorid> argument specifies a user, only
the associated user and members of the system:administrators group can
list the groups to which the user belongs.
=item *
If it is the hyphen and the B<-nameorid> argument specifies a machine,
only the members of the system:administrators group can list the groups to
which the machine belongs.
=item *
If it is the hyphen and the B<-nameorid> argument specifies a group, only
the owner of the group and members of the system:administrators group can
list the members of the group.
=item *
If it is lowercase C<m> and the B<-nameorid> argument specifies a user or
machine entry, the meaning is equivalent to the hyphen.
If it is a hypen, the default permissions described above apply.
=item *
If it is lowercase C<m> and the B<-nameorid> argument specifies a group,
members of the group can also list the other members.
members of that group can also list the other members. A privacy flag of
C<m> only changes the permissions when set for a group. Setting this flag
for a user or a machine has no effect.
=item *
If it is uppercase C<M>, anyone who can access the cell's database server
machines can list group memberships.
machines can list the membership of the group or the groups to which that
user or machine belongs, depending on what type of entry the flag is set
on.
=back