public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] default user permissions
@ 2010-03-25  8:26 Hinko Kocevar
  2010-03-25  8:50 ` Alan McKinnon
  0 siblings, 1 reply; 4+ messages in thread
From: Hinko Kocevar @ 2010-03-25  8:26 UTC
  To: gentoo-user

Hi,

Where is defined what permissions will the newly created folder/file
have by default?

Eg. When creating a folder I would like it to have permissions right
after it is created, to avoid use of chmod/chown afterwards:

drwxrwxr-x 2 hinko users    4096 Mar 25 09:23 folder1

while now I get only:
drwxr-xr-x 2 hinko users    4096 Mar 25 09:23 folder1

That is group should have 'w' set.


Thank you!

Best regards,
Hinko

-- 
Hinko Kocevar
Technical support software engineer
Instrumentation Technologies
Velika pot 22, SI-5250 Solkan - Slovenia
T:+386 5 3352600, F:+386 5 3352601
mailto: hinko.kocevar@i-tech.si

http://www.i-tech.si - When your users demand stability

The information transmitted is intended solely for the addressee and may
contain confidential and/or privileged information. Any review, retention,
disclosure or other use by persons other than the intended recipient is
prohibited. If you received this in error, please notify the sender and
delete all copies.




* Re: [gentoo-user] default user permissions
  2010-03-25  8:26 [gentoo-user] default user permissions Hinko Kocevar
@ 2010-03-25  8:50 ` Alan McKinnon
  2010-03-25 21:43   ` Florian Philipp
  0 siblings, 1 reply; 4+ messages in thread
From: Alan McKinnon @ 2010-03-25  8:50 UTC
  To: gentoo-user

On Thursday 25 March 2010 10:26:25 Hinko Kocevar wrote:
> Hi,
> 
> Where is defined what permissions will the newly created folder/file
> have by default?

This is done by the umask of the user creating the folder.


> 
> Eg. When creating a folder I would like it to have permissions right
> after it is created, to avoid use of chmod/chown afterwards:
> 
> drwxrwxr-x 2 hinko users    4096 Mar 25 09:23 folder1
> 
> while now I get only:
> drwxr-xr-x 2 hinko users    4096 Mar 25 09:23 folder1
> 
> That is group should have 'w' set.


This is a common misunderstanding about permissions and the Unix philosophy 
about them, which is:

It's up to the user, not the system, to say what permissions he wants on new 
filesystem objects.

Modifying the user's umask is not advised, as this is global. *Every* new file 
or dir then ends up with g+w and you probably don't want that.

You need to use Posix ACLs for this, and your file system and kernel must 
support them; you configure it per directory. It's all in man pages and on 
google - better start reading.

Be warned though: you *will* forget you set this, and *will* wonder in future 
why g+w is set in various places. "ls" gives precious little clue that an ACL 
is in place.

I find that in real life, a "find -exec chmod" in a cron is a better solution

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] default user permissions
  2010-03-25  8:50 ` Alan McKinnon
@ 2010-03-25 21:43   ` Florian Philipp
  2010-03-26  7:19     ` Hinko Kocevar
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Philipp @ 2010-03-25 21:43 UTC
  To: gentoo-user


On 25.03.2010 09:50, Alan McKinnon wrote:
> On Thursday 25 March 2010 10:26:25 Hinko Kocevar wrote:
>> Hi,
>>
>> Where is defined what permissions will the newly created folder/file
>> have by default?
> 
> This is done by the umask of the user creating the folder.
> 
> 
>>
>> Eg. When creating a folder I would like it to have permissions right
>> after it is created, to avoid use of chmod/chown afterwards:
>>
>> drwxrwxr-x 2 hinko users    4096 Mar 25 09:23 folder1
>>
>> while now I get only:
>> drwxr-xr-x 2 hinko users    4096 Mar 25 09:23 folder1
>>
>> That is group should have 'w' set.
> 
> 
> This is a common misunderstanding about permissions and the Unix philosophy 
> about them, which is:
> 
> It's up to the user, not the system, to say what permissions he wants on new 
> filesystem objects.
> 
> Modifying the user's umask is not advised, as this is global. *Every* new file 
> or dir then ends up with g+w and you probably don't want that.
> 
> You need to use Posix ACLs for this, and your file system and kernel must 
> support them; you configure it per directory. It's all in man pages and on 
> google - better start reading.
> 
> Be warned though: you *will* forget you set this, and *will* wonder in future 
> why g+w is set in various places. "ls" gives precious little clue that an ACL 
> is in place.
> 
> I find that in real life, a "find -exec chmod" in a cron is a better solution
> 

To avoid ACLs and still have group rw rights on some folders for
specific groups, you can make use of the 'user private group' scheme and
the setgid bit: [1].

Gentoo uses this scheme per default, although I think the umask setting
is different (has to be 002 or 007).

What Alan forgot to tell is where to set the umask: /etc/profile. Don't
use too strict settings because these are also applied to system
accounts. This can easily break your system.

[1]
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html

Hope this helps,
Florian Philipp
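
An added example, not part of the original thread: it compares the global umask change discussed above (022 versus 002) with the setgid-directory approach, and includes a small audit helper for finding group-writable directories later. All paths are constructed under a temporary directory, the function names are hypothetical, and GNU coreutils `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). All paths are constructed under mktemp.

# Octal mode of a path (GNU coreutils stat).
mode_of() { stat -c '%a' "$1"; }

# Create a directory and a file under the given umask; print "dirmode filemode".
# The subshell keeps the umask change from leaking into the calling shell.
modes_with_umask() (
    umask "$1"
    base=$(mktemp -d) || exit 1
    mkdir "$base/folder1"
    : > "$base/file1"
    echo "$(mode_of "$base/folder1") $(mode_of "$base/file1")"
    rm -rf "$base"
)

# Per-directory alternative: setgid on one shared directory, umask 002 only for
# the process working in it. Prints "dirmode filemode group-inherited?".
shared_dir_modes() (
    base=$(mktemp -d) || exit 1
    mkdir "$base/shared"
    chmod 2775 "$base/shared"      # rwxrwsr-x: new entries take this dir's group
    umask 002
    mkdir "$base/shared/folder1"   # subdirectories inherit the setgid bit too
    : > "$base/shared/file1"
    inherited=no
    if [ "$(stat -c '%g' "$base/shared")" = "$(stat -c '%g' "$base/shared/file1")" ]; then
        inherited=yes
    fi
    echo "$(mode_of "$base/shared/folder1") $(mode_of "$base/shared/file1") $inherited"
    rm -rf "$base"
)

# Audit helper: list group-writable directories under a tree, so forgotten
# g+w grants can be found later.
group_writable_dirs() { find "$1" -type d -perm -020; }

echo "umask 022: $(modes_with_umask 022)"
echo "umask 002: $(modes_with_umask 002)"
echo "setgid dir + umask 002: $(shared_dir_modes)"
```

With umask 022 the result matches the `drwxr-xr-x` listing in the question; with 002 it matches the desired `drwxrwxr-x`.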



* Re: [gentoo-user] default user permissions
  2010-03-25 21:43   ` Florian Philipp
@ 2010-03-26  7:19     ` Hinko Kocevar
  0 siblings, 0 replies; 4+ messages in thread
From: Hinko Kocevar @ 2010-03-26  7:19 UTC
  To: gentoo-user

Hi,

Thanks for the help.

Best regards,
Hinko

On 03/25/10 22:43, Florian Philipp wrote:
> On 25.03.2010 09:50, Alan McKinnon wrote:
>> On Thursday 25 March 2010 10:26:25 Hinko Kocevar wrote:
>>> Hi,
>>>
>>> Where is defined what permissions will the newly created folder/file
>>> have by default?
>>
>> This is done by the umask of the user creating the folder.
>>
>>
>>>
>>> Eg. When creating a folder I would like it to have permissions right
>>> after it is created, to avoid use of chmod/chown afterwards:
>>>
>>> drwxrwxr-x 2 hinko users    4096 Mar 25 09:23 folder1
>>>
>>> while now I get only:
>>> drwxr-xr-x 2 hinko users    4096 Mar 25 09:23 folder1
>>>
>>> That is group should have 'w' set.
>>
>>
>> This is a common misunderstanding about permissions and the Unix philosophy 
>> about them, which is:
>>
>> It's up to the user, not the system, to say what permissions he wants on new 
>> filesystem objects.
>>
>> Modifying the user's umask is not advised, as this is global. *Every* new file 
>> or dir then ends up with g+w and you probably don't want that.
>>
>> You need to use Posix ACLs for this, and your file system and kernel must 
>> support them; you configure it per directory. It's all in man pages and on 
>> google - better start reading.
>>
>> Be warned though: you *will* forget you set this, and *will* wonder in future 
>> why g+w is set in various places. "ls" gives precious little clue that an ACL 
>> is in place.
>>
>> I find that in real life, a "find -exec chmod" in a cron is a better solution
>>
> 
> To avoid ACLs and still have group rw rights on some folders for
> specific groups, you can make use of the 'user private group' scheme and
> the setgid bit: [1].
> 
> Gentoo uses this scheme per default, although I think the umask setting
> is different (has to be 002 or 007).
> 
> What Alan forgot to tell is where to set the umask: /etc/profile. Don't
> use too strict settings because these are also applied to system
> accounts. This can easily break your system.
> 
> [1]
> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html
> 
> Hope this helps,
> Florian Philipp
> 

