On Fri, 2012-10-26 at 09:36 +0200, Ondrej Valousek wrote: > Well, you do not need ACLs for that, just 'chmod g+s <directory>' will > do.
This is what makes people ask for changing the GID, which is suboptimal on many accounts. The reason why FreeIPA creates a User Private Group is that the default umask prettyt much everywhere allows the primary group access to new files created, so if the primary group is shared among users it means that by default users cannot expect privacy. This is not nice. > But in general, I agree, this is insane requirement as nobody would > ever think of it in Windows. Not happy w/ a traditional Unix > permissions? Go for ACLs. Default ACLs are very, very useful and enormously more powerful than the sgid bit. I strongly recommend using ACLs for complex default ownership requirements. > The only pity is that the current Posix-draft hack widely used on all > Linuxes is a mess and Rich-acl support is still nowhere in sight :-( Sorry sir, but technically it is the sgid bit that is a gross hack. The Posix draft for ACLs never got final approval, but it is pretty standardized across most OSs, and works fine for any Linux OS that isn;t on ancient kernels. It is also enabled by default on all file systems that matter normally. Rich-ACL, while cool and necessary for NFS ACL and better Windows ACL compatibility will also be much more complex than Posix ACLs, and does not add anything special for the default ACL use case. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users