On Sun, 24 Mar 2002, Sven Vermeulen wrote:

> On Sun, Mar 24, 2002 at 08:09:53AM -0600, Ed Wilts wrote:
> > I personally like the 1 user per group functionality.  Secure out of the box
> > is where I want to be.  By default, no user has access to any other user's
> > data.
>
> This isn't due to the "1 user per group" functionality, but due to the fact
> that each user's umask is set in such a way that members of the same group
> have read-access to their files (umask 026 iirc). So if you want all the
> users in one group (f.i. "lusers" - local users) and you make sure that all
> the users' umasks are set in such a way that only the owner has permissions
> (umask 066), then the security is the same.

It's not so much for individual users' files that this idea is useful, but
for subgroups of users that want to share files.  The 002 umask (see
/etc/bashrc) means that files created in the group's directory will be
group read-write automatically.  Setting the setgid bit in the group
directory's permissions means that files created in it will inherit the
right gid, and the user-private group scheme ensures that the user's
private files remain unwritable by other users, even with the 002 umask.
Readability of user files is protected by the directory permissions.

> I personally dislike the "1 user per group" since it is a little bit more
> time-consuming in the beginning to administer accounts.

But try setting up a shared directory for a subset of some group (like a
few members of users) or several groups (some members of faculty and
students, say) that does the right thing without it.

> Wkr,
>       Sven Vermeulen

-- 
                Matthew Saltzman

Clemson University Math Sciences
[EMAIL PROTECTED]
http://www.math.clemson.edu/~mjs
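Added example (not part of the thread, and not Matthew's or Sven's code): a POSIX shell script that sets up the setgid shared directory plus umask 002 arrangement described above and checks that a file created inside it comes out group read-write and owned by the directory's group. It uses a temporary directory and whichever groups the invoking user already belongs to, so it runs without root; in a real deployment the group would be the project group and the umask would come from /etc/bashrc.

```shell
#!/bin/sh
# Pick a group to own the shared directory: the first supplementary group the
# invoking user belongs to, falling back to the primary group. On a system
# with user-private groups, this is the project group, not the user's own.
pick_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return
        fi
    done
    echo "$primary"
}

# make_shared_dir PATH GROUP: create the directory with mode 2770 (rwxrws---).
# The setgid bit on a directory makes every new file inherit GROUP as its gid
# instead of the creating user's primary group.
make_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# create_in_shared DIR NAME: create an empty file under umask 002, as the
# /etc/bashrc default would. 0666 & ~002 = 0664, so the file is group-writable
# without anyone having to chmod it afterwards.
create_in_shared() {
    ( umask 002 && : > "$1/$2" )
}

# Symbolic mode (first 10 chars of ls -ld, e.g. drwxrws--- or -rw-rw-r--).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Group owner of a path, as reported by ls -ld.
group_of() { ls -ld "$1" | awk '{print $4}'; }

# Stand-alone demonstration when run directly.
demo() {
    d=$(mktemp -d)
    make_shared_dir "$d" "$(pick_group)"
    create_in_shared "$d" notes.txt
    echo "dir:  $(mode_of "$d") $(group_of "$d")"
    echo "file: $(mode_of "$d/notes.txt") $(group_of "$d/notes.txt")"
    rm -rf "$d"
}
```

Running `demo` shows the directory as `drwxrws---` and the new file as `-rw-rw-r--` with the same group as the directory, regardless of the creating user's primary group.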



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
