public inbox for gentoo-user@lists.gentoo.org
From: Daniel Iliev <daniel.iliev@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OT: Filesystem permissions
Date: Fri, 4 Jul 2008 03:05:17 +0300
Message-ID: <20080704030517.749be40b@ilievnet.com>
In-Reply-To: <20080703174001.7066e5e3@NOTE_GENTOO64.PHHEIMNETZ>

On Thu, 3 Jul 2008 17:40:01 +0200
Florian Philipp <lists@f_philipp.fastmail.net> wrote:

> Hi list!
> 
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
> 
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
> 
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil:fl; umask 0077 or
> 0007).
> 
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
> 
> As we see, the umask itself isn't the problem (in this special case)
> but the group is. However, there might be cases in which I need to
> change both for special folders. How do I do this without needing any
> interaction from the users?
> 
> Thanks in advance!
> 
> Florian Philipp


AFAIK it was RedHat who introduced the so-called "User Private Groups"
scheme, which is convenient exactly for situations like yours. Gentoo
also uses that scheme by default.

In short, instead of creating all user accounts as members of the group
"users", useradd(8) now additionally creates a "private" group for every
user account. "Peter" is created with main group "Peter", "Ann" is
created with main group "Ann" and so on.

If you want "Peter" and "Ann" to share a common folder, you have to
create a common group for them (e.g. "project") and add each of them to
that group. Then create a directory with owner "root:project" and the
GID bit on. The GID bit makes newly created files in the directory be
owned by the group "project" instead of by the group of the user
creating the file.

P.S.

This scheme may be convenient for some things but, as usual, it also has
some disadvantages for others. I have asked here about one of the
disadvantages (from my personal point of view) when I discovered there
was a new scheme:

http://thread.gmane.org/gmane.linux.gentoo.user/190110

-- 
Best regards,
Daniel
-- 
gentoo-user@lists.gentoo.org mailing list
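The shared-directory setup Daniel describes, as an added example that is not part of the thread: a directory owned by a common group with the setgid bit on, so files created inside inherit the directory's group instead of the creator's private group. It also shows the caveat from Florian's question: the setgid bit fixes the group, but the creator's umask still decides whether the group can read or write the new file (0007 gives 660, 0077 gives 600). The group and user names "project", "peter" and "ann" and the path /srv/project are placeholders; the root-only steps are listed as comments and not executed. The demo uses the caller's own primary group so it runs unprivileged, and relies on GNU coreutils stat(1) syntax (-c).

```sh
#!/bin/sh
# Added example (not code from the mailing-list thread).
#
# One-time setup by root, with placeholder names:
#   groupadd project
#   usermod -a -G project peter
#   usermod -a -G project ann
#   mkdir /srv/project
#   chown root:project /srv/project
#   chmod 2770 /srv/project

# Create a shared directory: rwx for owner and group, nothing for others,
# and the setgid bit (the leading 2) so new files inherit the group.
make_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir"
}

# Print the octal mode of a path, e.g. 2770 (GNU stat syntax).
mode_of() {
    stat -c %a "$1"
}

# Print the numeric group id of a path.
gid_of() {
    stat -c %g "$1"
}

# Create an empty file in the shared directory under the given umask and
# print the resulting mode. The subshell keeps the umask change local.
create_with_umask() {
    dir=$1
    name=$2
    mask=$3
    ( umask "$mask" && : > "$dir/$name" ) || return 1
    mode_of "$dir/$name"
}

# Unprivileged demo: uses the caller's primary group in a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    make_shared_dir "$tmp/shared" "$(id -gn)" || return 1
    echo "directory mode: $(mode_of "$tmp/shared")"
    # umask 0007: group keeps read/write on the new file
    echo "umask 0007 file mode: $(create_with_umask "$tmp/shared" a 0007)"
    # umask 0077: group is shut out even though the group is inherited
    echo "umask 0077 file mode: $(create_with_umask "$tmp/shared" b 0077)"
    if [ "$(gid_of "$tmp/shared/a")" = "$(gid_of "$tmp/shared")" ]; then
        echo "new file inherited the directory's group"
    fi
    rm -rf "$tmp"
}

demo
```

The point of the second file: with the user-private-groups scheme, a shared directory only works as intended if the members' umask leaves the group bits set (0007 or 0002), which is why the setgid bit alone does not answer the umask half of the original question.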