On Thu, 3 Jul 2008 17:52:29 +0200
Alan McKinnon <alan.mckinnon@×××××.com> wrote:

> On Thursday 03 July 2008, Florian Philipp wrote:
> > Hi list!
> >
> > I'm a bit dissatisfied with the way umask and filesystem permissions
> > work and I'd like to know if a) this is due to misunderstanding on
> > my part and/or b) there is a clean workaround I'm unaware of.
> >
> > Let's say I have a system with various users working on some
> > sensible data. Therefore I have to set up various security policies
> > regarding file permissions and so forth.
> >
> > For example every $HOME-directory should be only readable to the
> > user himself (e.g. for user phil_fl: chown phil_fl:phil:fl; umask
> > 0077 or 0007).
> >
> > Then there might be a common folder for all users in a specific
> > group as a simple way of sharing files. These shall be accessible
> > by every user in the group but by none else, so for the user
> > phil_fl and the group users: chown phil_fl:users; umask 0007.
> >
> > As we see, the umask itself isn't the problem (in this special case)
> > but the group is it, however, there might be cases in which need to
> > change both for special folders. How do I do this without needing
> > any interaction from the users?
>
> umask does nothing for you here, it is simply a default starting
> point for the permissions of new files and directories and the user
> is completely free to change it to anything they feel like.
>
> Yes, this is by design. Yes, this is a very good thing :-)
>
> You want to set the setgid bit on the containing directory and chgrp
> that directory to the group involved.

Argh, of course!
I even read this stuff up this morning but I overlooked the paragraph!

Thanks!
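
The setgid-directory advice above, as an added example that is not part of the original thread: it sets up a shared directory with chgrp and the setgid bit, then shows that new files pick up the directory's group under any umask while their mode bits still follow the creator's umask. It assumes Linux with GNU coreutils (`stat -c`); the function names are hypothetical, and the caller's primary group stands in for the shared group so no root access is needed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with GNU coreutils.

# Turn DIR ($1) into a group share: owned by GROUP ($2), mode 2770
# (setgid bit + rwx for owner and group, no access for others).
setup_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Create DIR/NAME ($1/$3) under umask MASK ($2) and print "<gid> <octal mode>".
# The subshell keeps the caller's umask unchanged.
new_file_attrs() {
    ( umask "$2" && : > "$1/$3" ) || return 1
    stat -c '%g %a' "$1/$3"
}

# Create DIR/NAME ($1/$2) as a subdirectory; succeed only if it
# inherited the setgid bit from its parent.
subdir_inherits_setgid() {
    ( umask 0007 && mkdir "$1/$2" ) && [ -g "$1/$2" ]
}

demo() {
    share=$(mktemp -d) || return 1
    # Placeholder group: the caller's primary group (constructed input).
    # On a real system pass the shared group, e.g. "users" as in the thread.
    setup_shared_dir "$share/common" "$(id -g)" || return 1
    echo "directory:  $(stat -c '%g %a' "$share/common")"
    # Group is inherited in both cases; only the mode differs.
    echo "umask 0007: $(new_file_attrs "$share/common" 0007 a.txt)"
    echo "umask 0077: $(new_file_attrs "$share/common" 0077 b.txt)"
    subdir_inherits_setgid "$share/common" sub && echo "subdirectory keeps setgid"
    rm -rf "$share"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the output. The file created under umask 0077 lands in the right group but is still unreadable to that group, which is the part setgid alone does not solve.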