On Fri, Oct 29, 2010 at 11:25 AM, Henning Brauer <[email protected]> wrote:
> * Philip Guenther <[email protected]> [2010-10-29 19:48]:
>
>> Group-per-user setups solve this by letting people safely have a umask
>> of 007 or 002. When they do work in a directory whose group is a
>> secondary group, the resulting files are (and stay) writable by the
>> group**. Permitting that change in default umask eliminates the
>> requirement for manual changes and their cognitive load as the user
>> moves between projects and directories. Fewer forgets and mistakes
>> meant fewer emails to root asking for me to fix the perms on some file
>> while so-and-so was on vacation, etc.
>
> I have to agree here.

Same here. Really, I'm surprised that anyone is using the 'users' group at
all these days, especially on OpenBSD. If all users are in the same group,
group permissions are no different from world permissions.

The book "Mastering FreeBSD and OpenBSD security" talks about per-user
groups being the best option here:

http://books.google.com/books?id=gqKwaHmXp4YC&lpg=PA119&ots=jioDgXRI6T&dq=unix%20%22per-user%20groups%22&pg=PA119#v=onepage&q=unix%20%22per-user%20groups%22&f=false

Add the FreeBSD manual here:

http://www.freebsd.org/cgi/man.cgi?query=adduser&sektion=8#UNIQUE_GROUPS

useradd/del/mod/info were meant to be low-level tools for scripts to use.
adduser and rmuser are higher-level and can be used interactively. rmuser
for example removes a user's cron/at jobs and /var/mail file and adduser can
send a welcome email to the user - userdel/add don't.

I don't add users with the OpenBSD installer because it does the wrong
thing and should be fixed to use the adduser defaults. :)

Daniel
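
An added example, not part of the original message: a small audit of which accounts could use a umask of 002 or 007 without exposing new files to anyone else, by checking whether each primary group is really a per-user group. The account names, IDs and the `audit` helper are constructed for illustration; the input follows the colon-separated passwd(5) and group(5) layouts.

```python
# Constructed sample data: alice and bob have per-user groups, carol and
# dave share gid 10 ("users"), and alice is also listed in bob's group.
PASSWD = """\
alice:*:1000:1000:Alice:/home/alice:/bin/ksh
bob:*:1001:1001:Bob:/home/bob:/bin/ksh
carol:*:1002:10:Carol:/home/carol:/bin/ksh
dave:*:1003:10:Dave:/home/dave:/bin/ksh
"""
GROUP = """\
users:*:10:
alice:*:1000:
bob:*:1001:alice
project:*:2000:alice,bob,carol
"""


def _records(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def audit(passwd_text, group_text):
    """Map each login to the sorted list of OTHER accounts in its primary group.

    An empty list means the primary group is private, so files created with
    umask 002/007 in the user's own directories are group-writable by nobody
    else. A non-empty list names everyone who would gain write access.
    """
    primary = {f[0]: int(f[3]) for f in _records(passwd_text)}
    listed = {}  # gid -> members named in the group file
    for f in _records(group_text):
        listed[int(f[2])] = {m for m in f[3].split(",") if m}

    result = {}
    for login, gid in primary.items():
        # Accounts sharing the gid as primary group never appear in the
        # group file's member list, so both sources must be checked.
        others = {u for u, g in primary.items() if g == gid and u != login}
        others |= listed.get(gid, set()) - {login}
        result[login] = sorted(others)
    return result


if __name__ == "__main__":
    for login, others in audit(PASSWD, GROUP).items():
        status = "private" if not others else "shared with " + ", ".join(others)
        print(f"{login}: primary group {status}")
```

On the sample data only alice has a truly private primary group; bob's group looks per-user by name but has a secondary member.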
