From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OT: Filesystem permissions
Date: Thu, 3 Jul 2008 17:52:29 +0200
User-Agent: KMail/1.9.9
References: <20080703174001.7066e5e3@NOTE_GENTOO64.PHHEIMNETZ>
In-Reply-To: <20080703174001.7066e5e3@NOTE_GENTOO64.PHHEIMNETZ>
Message-Id: <200807031752.29786.alan.mckinnon@gmail.com>

On Thursday 03 July 2008, Florian Philipp wrote:
> Hi list!
>
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
>
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
>
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil:fl; umask 0077 or
> 0007).
>
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
>
> As we see, the umask itself isn't the problem (in this special case)
> but the group is; however, there might be cases in which I need to
> change both for special folders.
> How do I do this without needing any
> interaction from the users?

umask does nothing for you here; it is simply a default starting point
for the permissions of new files and directories, and the user is
completely free to change it to anything they feel like. Yes, this is
by design. Yes, this is a very good thing :-)

You want to set the setgid bit on the containing directory and chgrp
that directory to the group involved. A bit of googling will help you
further; if you get stuck or have no idea what I could possibly be on
about, post back and I'll post the full story. It's quite involved and
if it were code, it would be a heavily nested if clause.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

-- 
gentoo-user@lists.gentoo.org mailing list
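The setgid-directory approach Alan recommends, as an added example that is not part of the thread. It builds a group-shared directory, sets the setgid bit (the leading 2 of mode 2770) and then creates files and a subdirectory inside it under two different umasks, showing that the group is inherited from the directory every time while the mode still comes from whatever umask the creating user happens to have. It assumes Linux with GNU coreutils (`stat -c`) and a caller allowed to set the setgid bit on a directory they own; the group is constructed as the caller's primary GID because creating a real group such as `users` needs root.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux with GNU coreutils
# (stat -c) and an ordinary user who may set the setgid bit on directories
# they own. The group is constructed as the caller's primary GID because
# creating a group such as "users" needs root; substitute the real group
# on a production system.
set -e

SHARE_GID=$(id -g)    # constructed: primary GID of the caller

# Prepare a group-shared directory: chgrp it to the group and set the
# setgid bit (the leading 2 of 2770) so that everything created inside
# inherits the directory's group rather than the creator's primary group.
setup_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# Numeric owning group of a path.
group_of() { stat -c %g "$1"; }

# Octal mode of a path, including the setgid bit when present.
mode_of() { stat -c %a "$1"; }

# Create an empty file $2 inside $1 under umask $3. The umask is applied in
# a subshell so the caller's umask is untouched; this mimics a user whose
# shell happens to have that umask, which the admin cannot enforce.
create_in_shared() {
    ( umask "$3" && : > "$1/$2" )
}

# Create a subdirectory $2 inside $1 under umask $3. Subdirectories inherit
# the setgid bit as well, so the sharing rule keeps propagating downwards.
make_subdir() {
    ( umask "$3" && mkdir "$1/$2" )
}

# Walk through the scenario from the thread and print what each step yields.
demo() {
    tmp=$(mktemp -d)
    setup_shared_dir "$tmp/shared" "$SHARE_GID"
    printf 'shared dir: mode=%s gid=%s\n' \
        "$(mode_of "$tmp/shared")" "$(group_of "$tmp/shared")"

    # umask 0007: group members can read and write, others get nothing.
    create_in_shared "$tmp/shared" report.txt 0007
    printf 'report.txt (umask 0007): mode=%s gid=%s\n' \
        "$(mode_of "$tmp/shared/report.txt")" "$(group_of "$tmp/shared/report.txt")"

    # umask 0077: the group is still inherited, but the user's own umask
    # decides the mode, so the group cannot read this file. This is the
    # part the setgid bit does not solve.
    create_in_shared "$tmp/shared" private.txt 0077
    printf 'private.txt (umask 0077): mode=%s gid=%s\n' \
        "$(mode_of "$tmp/shared/private.txt")" "$(group_of "$tmp/shared/private.txt")"

    make_subdir "$tmp/shared" sub 0007
    printf 'sub/ (umask 0007): mode=%s gid=%s\n' \
        "$(mode_of "$tmp/shared/sub")" "$(group_of "$tmp/shared/sub")"

    rm -rf "$tmp"
}

demo
```

Run it as any user; with umask 0007 the file comes out as 660 and the subdirectory as 2770, both owned by the directory's group, while with umask 0077 the file is 600 and group members are locked out despite the inherited group. That split is exactly the point of the reply: the setgid bit fixes the group without any user interaction, but the mode remains each user's own choice through their umask.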