* [gentoo-user] OT: Filesystem permissions
From: Florian Philipp @ 2008-07-03 15:40 UTC
To: gentoo-user
Hi list!
I'm a bit dissatisfied with the way umask and filesystem permissions
work and I'd like to know if a) this is due to misunderstanding on my
part and/or b) there is a clean workaround I'm unaware of.
Let's say I have a system with various users working on some sensible
data. Therefore I have to set up various security policies regarding
file permissions and so forth.
For example every $HOME-directory should be only readable to the user
himself (e.g. for user phil_fl: chown phil_fl:phil_fl; umask 0077 or
0007).
Then there might be a common folder for all users in a specific group
as a simple way of sharing files. These shall be accessible by every
user in the group but by none else, so for the user phil_fl and the
group users: chown phil_fl:users; umask 0007.
As we see, the umask itself isn't the problem (in this special case)
but the group is it, however, there might be cases in which I need to
change both for special folders. How do I do this without needing any
interaction from the users?
Thanks in advance!
Florian Philipp
* Re: [gentoo-user] OT: Filesystem permissions
From: Alan McKinnon @ 2008-07-03 15:52 UTC
To: gentoo-user
On Thursday 03 July 2008, Florian Philipp wrote:
> Hi list!
>
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
>
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
>
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil_fl; umask 0077 or
> 0007).
>
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
>
> As we see, the umask itself isn't the problem (in this special case)
> but the group is it, however, there might be cases in which I need to
> change both for special folders. How do I do this without needing any
> interaction from the users?
umask does nothing for you here, it is simply a default starting point
for the permissions of new files and directories and the user is
completely free to change it to anything they feel like.
Yes, this is by design. Yes, this is a very good thing :-)
You want to set the setgid bit on the containing directory and chgrp
that directory to the group involved.
A bit of googling will help you further, if you get stuck or have no
idea what I could possibly be on about, post back and I'll post the
full story. It's quite involved and if it were code, it would be a
heavily nested if clause.
--
Alan McKinnon
alan dot mckinnon at gmail dot com
--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] OT: Filesystem permissions
From: Florian Philipp @ 2008-07-03 17:58 UTC
To: gentoo-user
On Thu, 3 Jul 2008 17:52:29 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Thursday 03 July 2008, Florian Philipp wrote:
> > Hi list!
> >
> > I'm a bit dissatisfied with the way umask and filesystem permissions
> > work and I'd like to know if a) this is due to misunderstanding on
> > my part and/or b) there is a clean workaround I'm unaware of.
> >
> > Let's say I have a system with various users working on some
> > sensible data. Therefore I have to set up various security policies
> > regarding file permissions and so forth.
> >
> > For example every $HOME-directory should be only readable to the
> > user himself (e.g. for user phil_fl: chown phil_fl:phil_fl; umask
> > 0077 or 0007).
> >
> > Then there might be a common folder for all users in a specific
> > group as a simple way of sharing files. These shall be accessible
> > by every user in the group but by none else, so for the user
> > phil_fl and the group users: chown phil_fl:users; umask 0007.
> >
> > As we see, the umask itself isn't the problem (in this special case)
> > but the group is it, however, there might be cases in which I need to
> > change both for special folders. How do I do this without needing
> > any interaction from the users?
>
> umask does nothing for you here, it is simply a default starting
> point for the permissions of new files and directories and the user
> is completely free to change it to anything they feel like.
>
> Yes, this is by design. Yes, this is a very good thing :-)
>
> You want to set the setgid bit on the containing directory and chgrp
> that directory to the group involved.
Argh, of course!
I even read this stuff up this morning but I overlooked the paragraph!
Thanks!
* Re: [gentoo-user] OT: Filesystem permissions
From: Daniel Iliev @ 2008-07-04 0:05 UTC
To: gentoo-user
On Thu, 3 Jul 2008 17:40:01 +0200
Florian Philipp <lists@f_philipp.fastmail.net> wrote:
> Hi list!
>
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
>
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
>
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil_fl; umask 0077 or
> 0007).
>
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
>
> As we see, the umask itself isn't the problem (in this special case)
> but the group is it, however, there might be cases in which I need to
> change both for special folders. How do I do this without needing any
> interaction from the users?
>
> Thanks in advance!
>
> Florian Philipp
AFAIK it was RedHat who introduced the so-called "User Private Groups"
scheme which is convenient exactly for situations like yours. Gentoo
also uses that scheme by default.
In short, instead of creating all user accounts as members of the group
"users", now for every user account useradd(8) creates a "private"
group for the account in addition. "Peter" is created with main group
"Peter", "Ann" is created with main group "Ann" and so on.
If you wanted "Peter" and "Ann" to share a common folder, you have to
create a common group for them (e.g. "project") and add each of them to
that group. Then create a directory with owner "root:project" and the
GID bit on. The GID bit makes the newly created files in the directory
be owned by the group "project", instead of by the group of the user
creating the file.
P.S.
This schema may be convenient for some things but as usual it also has
some disadvantages for others. I have asked here about one of the
disadvantages (my personal point of view) when I discovered there was a
new scheme:
http://thread.gmane.org/gmane.linux.gentoo.user/190110
--
Best regards,
Daniel
* Re: [gentoo-user] OT: Filesystem permissions
From: Dirk Heinrichs @ 2008-07-04 7:58 UTC
To: gentoo-user
On Thursday, 3 July 2008, Florian Philipp wrote:
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
Forget umask, you have to adjust the permissions of that _directory_
accordingly:
chmod 770 groupdir
and, as others already wrote, eventually set the SGID bit so that all files
within are owned by the group you want.
You can later add permissions for other users or groups by using ACLs, see man
pages of setfacl and getfacl.
HTH...
Dirk
* Re: [gentoo-user] OT: Filesystem permissions
From: Dirk Heinrichs @ 2008-07-04 8:01 UTC
To: gentoo-user
On Friday, 4 July 2008, Dirk Heinrichs wrote:
> You can later add permissions for other users or groups by using ACLs, see
> man pages of setfacl and getfacl.
...given that you have compiled your filesystem modules with ACL support.
Bye...
Dirk
* Re: [gentoo-user] OT: Filesystem permissions
From: Alan McKinnon @ 2008-07-04 14:24 UTC
To: gentoo-user
On Thursday 03 July 2008, Florian Philipp wrote:
> > You want to set the setgid bit on the containing directory and
> > chgrp that directory to the group involved.
>
> Argh, of course!
> I even read this stuff up this morning but I overlooked the
> paragraph!
In all likelihood you will want to set the write bit for groups on as
well (for the setup to be truly useful as a group share). For that you
will need posix acls, there's no way to do it with just permissions and
defaults.
--
Alan McKinnon
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] OT: Filesystem permissions
From: Florian Philipp @ 2008-07-04 15:03 UTC
To: gentoo-user
On Fri, 4 Jul 2008 16:24:52 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Thursday 03 July 2008, Florian Philipp wrote:
> > > You want to set the setgid bit on the containing directory and
> > > chgrp that directory to the group involved.
> >
> > Argh, of course!
> > I even read this stuff up this morning but I overlooked the
> > paragraph!
>
> In all likelihood you will want to set the write bit for groups on
> as well (for the setup to be truly useful as a group share). For that
> you will need posix acls, there's no way to do it with just
> permissions and defaults.
>
I've just set the umask 0007 in /etc/profile. With the rule that
every user has his own primary group (as it is default), this is
sufficient for my needs.
I haven't tested every application but at least konqueror seems to
respect this setting.
If I can avoid the usage of acls with a few global settings, I'm
willing to do so. The prospect of having two levels of filesystem
permissions, each only visible with different, dedicated tools, causes me
headaches. ;)
* Re: [gentoo-user] OT: Filesystem permissions
From: Alan McKinnon @ 2008-07-04 16:35 UTC
To: gentoo-user
On Friday 04 July 2008, Florian Philipp wrote:
> I've just set the umask 0007 in /etc/profile. With the rule that
> every user has his own primary group (as it is default), this is
> sufficient for my needs.
Hmmm. That gives permissions:
rw-rw----
on every single new file created by every single user by default.
If you are happy with that, so be it. I would not be happy with that :-)
--
Alan McKinnon
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] OT: Filesystem permissions
From: Florian Philipp @ 2008-07-04 17:31 UTC
To: gentoo-user
On Fri, 4 Jul 2008 18:35:58 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Friday 04 July 2008, Florian Philipp wrote:
>
> > I've just set the umask 0007 in /etc/profile. With the rule that
> > every user has his own primary group (as it is default), this is
> > sufficient for my needs.
>
> Hmmm. That gives permissions:
>
> rw-rw----
>
> on every single new file created by every single user by default.
>
> If you are happy with that, so be it. I would not be happy with
> that :-)
>
>
Since every user has another primary group this doesn't cause problems.
Only on folders with SETGID where the group is changed by design this
umask causes other users to have write and read permissions and that's
what I wanted in the first place.
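
The interaction this thread keeps returning to, a setgid directory combined with the creating user's umask, as an added example that is not part of any poster's message. The function names and the scratch directory are assumptions made here, and it assumes Linux with GNU stat and find.

```shell
#!/bin/sh
# Added illustration, not from the thread. Function names and the scratch
# directory are hypothetical; assumes Linux with GNU stat and find.

# Group share: rwx for owner and group, nothing for others, plus the setgid
# bit so that new entries take the directory's group.
make_share() {
    mkdir -p "$1" && chmod 2770 "$1"
}

mode_of() { stat -c '%a' "$1"; }   # octal mode, e.g. 660 or 2770
gid_of()  { stat -c '%g' "$1"; }   # numeric group id

# Create an empty file or a directory under the given umask and print its mode.
# The umask is changed in a subshell only, so the caller's umask is untouched.
create_file() {   # create_file DIR NAME UMASK
    ( umask "$3" && : > "$1/$2" ) && mode_of "$1/$2"
}
create_dir() {    # create_dir DIR NAME UMASK
    ( umask "$3" && mkdir "$1/$2" ) && mode_of "$1/$2"
}

# List entries that break the share: wrong group, not group-writable, or a
# subdirectory that lost the setgid bit.
audit_share() {   # audit_share DIR
    find "$1" -mindepth 1 \( ! -gid "$(gid_of "$1")" -o ! -perm -020 \
        -o \( -type d ! -perm -2000 \) \) -print | sort
}

demo() {
    share=$(mktemp -d)/project
    make_share "$share"
    echo "share mode:            $(mode_of "$share")"
    echo "file, umask 0077:      $(create_file "$share" private.txt 0077)"
    echo "file, umask 0007:      $(create_file "$share" shared.txt 0007)"
    echo "subdir, umask 0007:    $(create_dir "$share" sub 0007)"
    echo "entries the group cannot use:"
    audit_share "$share"
    rm -rf "${share%/project}"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument `demo` to see the modes; `audit_share` can also be pointed at an existing share to find files created under a restrictive umask.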
* Re: [gentoo-user] OT: Filesystem permissions
From: Dirk Heinrichs @ 2008-07-04 18:08 UTC
To: gentoo-user
On Friday, 4 July 2008, Florian Philipp wrote:
> On Fri, 4 Jul 2008 18:35:58 +0200
>
> Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> > On Friday 04 July 2008, Florian Philipp wrote:
> > > I've just set the umask 0007 in /etc/profile. With the rule that
> > > every user has his own primary group (as it is default), this is
> > > sufficient for my needs.
> >
> > Hmmm. That gives permissions:
> >
> > rw-rw----
> >
> > on every single new file created by every single user by default.
> >
> > If you are happy with that, so be it. I would not be happy with
> > that :-)
>
> Since every user has another primary group this doesn't cause problems.
> Only on folders with SETGID where the group is changed by design this
> umask causes other users to have write and read permissions and that's
> what I wanted in the first place.
And what about the packages you install/update as root? I'd bet that not all
give the exact permissions when calling "install".
Bad idea.
Bye...
Dirk
* Re: [gentoo-user] OT: Filesystem permissions
From: Florian Philipp @ 2008-07-04 18:22 UTC
To: gentoo-user
On Fri, 4 Jul 2008 20:08:43 +0200
Dirk Heinrichs <dirk.heinrichs@online.de> wrote:
> On Friday, 4 July 2008, Florian Philipp wrote:
> > On Fri, 4 Jul 2008 18:35:58 +0200
> >
> > Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> > > On Friday 04 July 2008, Florian Philipp wrote:
> > > > I've just set the umask 0007 in /etc/profile. With the rule that
> > > > every user has his own primary group (as it is default), this is
> > > > sufficient for my needs.
> > >
> > > Hmmm. That gives permissions:
> > >
> > > rw-rw----
> > >
> > > on every single new file created by every single user by default.
> > >
> > > If you are happy with that, so be it. I would not be happy with
> > > that :-)
> >
> > Since every user has another primary group this doesn't cause
> > problems. Only on folders with SETGID where the group is changed by
> > design this umask causes other users to have write and read
> > permissions and that's what I wanted in the first place.
>
> And what about the packages you install/update as root? I'd bet that
> not all give the exact permissions when calling "install".
>
> Bad idea.
>
> Bye...
>
> Dirk
Hmm, good point. I will monitor the situation.
If there are any occurrences of wrong permissions, I think it will be
sufficient to make an if-clause before setting the umask but maybe it
proves unnecessary.
* Re: [gentoo-user] OT: Filesystem permissions
From: Alan McKinnon @ 2008-07-05 7:56 UTC
To: gentoo-user
On Friday 04 July 2008, Florian Philipp wrote:
> Hmm, good point. I will monitor the situation.
> If there are any occurrences of wrong permissions, I think it will be
> sufficient to make an if-clause before setting the umask but maybe it
> proves unnecessary.
I think what you really want in this case is to set the umask to 0007
for human users and leave it as is for system users. You could either
check for UID > 1000 in /etc/profile, or explicitly add the umask
setting to each existing user's .bashrc. Also add it to /etc/skel to
enable it for any new users in the future.
Which is starting to get more complex than a simple acl :-)
Experience has taught me that these general principles apply to Unix
permissions pretty much always:
- the normal /user/group/rwx scheme works just fine 99% of the time
- 1% of the time you have an unusual need that the above doesn't cater
for, but a simple unobtrusive acl does. These cases are usually
obvious.
- if you are using acl's a lot, there's probably something wrong with
your permission scheme
--
Alan McKinnon
alan dot mckinnon at gmail dot com
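
One way to write the UID check for /etc/profile mentioned in the message above, as an added example that is not code from the thread. The function names and the sample passwd/group lines are constructed here, and the extra test that the primary group is the user's own private group is an assumption of this example (it covers the case where an account's primary group is shared, so umask 0007 would expose its files).

```shell
#!/bin/sh
# Added illustration, not from the thread. Names and sample data are
# constructed for this example.

HUMAN_UID_MIN=1000   # threshold from the message above: "UID > 1000"

# Print the umask to apply, or nothing to leave the inherited umask alone.
# Extra guard (assumption of this example): only relax the umask when the
# primary group is the user's private group, i.e. group name == user name.
pick_umask() {   # pick_umask UID USER PRIMARY_GROUP
    case "$1" in ''|*[!0-9]*) return 1 ;; esac   # refuse a non-numeric UID
    if [ "$1" -gt "$HUMAN_UID_MIN" ] && [ "$2" = "$3" ]; then
        echo 0007
    fi
    return 0
}

# What an /etc/profile fragment would call for the current login.
apply_login_umask() {
    mask=$(pick_umask "$(id -u)" "$(id -un)" "$(id -gn)") || return 1
    [ -z "$mask" ] || umask "$mask"
}

# Look up a group name by numeric GID in a group(5)-format file.
group_name() {   # group_name GROUP_FILE GID
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# Dry run over passwd(5)/group(5)-format files: which accounts would get
# the relaxed umask, and which keep what they inherit.
report_accounts() {   # report_accounts PASSWD_FILE GROUP_FILE
    while IFS=: read -r user pw uid gid rest; do
        mask=$(pick_umask "$uid" "$user" "$(group_name "$2" "$gid")") || continue
        echo "$user ${mask:-unchanged}"
    done < "$1"
}

# Constructed sample accounts: two system users, one user with a private
# group, one user whose primary group is the shared group "users".
sample_report() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
portage:x:250:250:portage:/var/tmp/portage:/bin/false
phil_fl:x:1001:1001::/home/phil_fl:/bin/bash
ann:x:1002:100::/home/ann:/bin/bash
EOF
    cat > "$tmp/group" <<'EOF'
root:x:0:
users:x:100:
portage:x:250:
phil_fl:x:1001:
EOF
    report_accounts "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}
```

Running `report_accounts /etc/passwd /etc/group` before changing /etc/profile shows which real accounts the rule would affect.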