On Thu, 3 Jul 2008 17:40:01 +0200
Florian Philipp <lists@f_philipp.fastmail.net> wrote:

> Hi list!
>
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
>
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
>
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil:fl; umask 0077 or
> 0007).
>
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
>
> As we see, the umask itself isn't the problem (in this special case)
> but the group is; however, there might be cases in which I need to
> change both for special folders. How do I do this without needing any
> interaction from the users?
>
> Thanks in advance!
>
> Florian Philipp


AFAIK it was RedHat who introduced the so-called "User Private Groups"
scheme, which is convenient exactly for situations like yours. Gentoo
also uses that scheme by default.

In short, instead of creating all user accounts as members of the group
"users", now for every user account useradd(8) additionally creates a
"private" group for the account. "Peter" is created with main group
"Peter", "Ann" is created with main group "Ann" and so on.

If you wanted "Peter" and "Ann" to share a common folder, you have to
create a common group for them (e.g. "project") and add each of them to
that group. Then create a directory with owner "root:project" and the
GID bit on. The GID bit makes newly created files in the directory
owned by the group "project" instead of by the group of the user
creating the file.

P.S.

This schema may be convenient for some things but, as usual, it also has
some disadvantages for others. I asked here about one of the
disadvantages (my personal point of view) when I discovered there was a
new scheme:

http://thread.gmane.org/gmane.linux.gentoo.user/190110

--
Best regards,
Daniel
--
gentoo-user@l.g.o mailing list