[2205] in Release_7.7_team


Re: Fwd: A question about how groups get handled

daemon@ATHENA.MIT.EDU (Garry Zacheiss)
Wed Apr 5 14:38:00 2000

Message-Id: <200004051837.OAA22384@shock-treatment.mit.edu>
To: Greg Hudson <ghudson@MIT.EDU>
cc: Tim McGovern <tjm@MIT.EDU>, release-team@MIT.EDU, grouper@MIT.EDU
In-Reply-To: Your message of "Tue, 04 Apr 2000 15:59:15 EDT."
             <200004041959.PAA00040@small-gods.mit.edu> 
Date: Wed, 05 Apr 2000 14:37:47 -0400
From: Garry Zacheiss <zacheiss@MIT.EDU>

>> moira determines the order.  I'll let a moira person answer this
>> question, since I don't know for sure.

   Specifically, the order of the groups in your hesiod grplist is
determined by the list_id of the list in the list table, which is the
unique number moira uses internally to keep track of lists.  In general,
greater list_id's correspond to more recently created lists.  It's
possible to change a list's list_id to make it appear early in your
grplist, but requires manual fiddling with the database and isn't
something I'd ever want to do lots of.

>> > Oh, and speaking of visible or not, is there a clear definition of
>> > what it means for a list to be "visible" vs.  "hidden"?
>> 
>> I'll let a moira person answer this question.

   Well, Jonathon already commented on this, but I'll chime in.  It
depends a lot on what you mean by "clear definition".  Moira certainly
has a rigorous idea of what it means for a list to be visible or hidden;
if it's hidden, you won't be able to view the membership or information
about the list without some sort of administrative access to the moira
database.  You can, of course, use moira to determine if the list
exists, since you'll be given an "Insufficient permission to blah blah
blah" error when attempting your query.

   However, as Jonathon points out, while making a list hidden
ostensibly prevents random users from getting information about it using
moira, there are other parts of our environment that make no such
distinction as the visible/hidden one.  For example, you can get at
least an approximation of the membership of a mailing list using expn to
the mailhubs, and in the case of a list that's also a group, consult a
user's hesiod grplist in some cases to determine if they're a member of
the list.  Implementing the "is an NFS group" functionality in moira
would solve the problem of allowing an arbitrary user to use hesiod
grplists to determine information they don't have permission to extract
from moira.  It would do nothing about expn; expn could be turned off on
the mailhubs, but it's widely used enough and sufficiently useful for
diagnostic purposes that I would hesitate to do so, were it my decision.

Garry



