From: Florian Philipp <lists@f_philipp.fastmail.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] default user permissions
Date: Thu, 25 Mar 2010 22:43:36 +0100
Message-ID: <4BABD908.8050007@f_philipp.fastmail.net>
In-Reply-To: <201003251050.59336.alan.mckinnon@gmail.com>
On 25.03.2010 09:50, Alan McKinnon wrote:
> On Thursday 25 March 2010 10:26:25 Hinko Kocevar wrote:
>> Hi,
>>
>> Where is defined what permissions will the newly created folder/file
>> have by default?
>
> This is done by the umask of the user creating the folder.
>
>
>>
>> Eg. When creating a folder I would like it to have permissions right
>> after it is created, to avoid use of chmod/chown afterwards:
>>
>> drwxrwxr-x 2 hinko users 4096 Mar 25 09:23 folder1
>>
>> while now I get only:
>> drwxr-xr-x 2 hinko users 4096 Mar 25 09:23 folder1
>>
>> That is group should have 'w' set.
>
>
> This is a common misunderstanding about permissions and the Unix philosophy
> about them, which is:
>
> It's up to the user, not the system, to say what permissions he wants on new
> filesystem objects.
>
> Modifying the user's umask is not advised, as this is global. *Every* new file
> or dir then ends up with g+w and you probably don't want that.
>
> You need to use Posix ACLs for this, and your file system and kernel must
> support them; you configure it per directory. It's all in man pages and on
> google - better start reading.
>
> Be warned though: you *will* forget you set this, and *will* wonder in future
> why g+w is set in various places. "ls" gives precious little clue that an ACL
> is in place.
>
> I find that in real life, a "find -exec chmod" in a cron is a better solution
>
To avoid ACLs and still have group rw rights on some folders for
specific groups, you can make use of the 'user private group' scheme and
the setgid bit: [1].
Gentoo uses this scheme by default, although I think the umask setting
is different (has to be 002 or 007).
What Alan forgot to mention is where to set the umask: /etc/profile. Don't
use too strict settings because these are also applied to system
accounts. This can easily break your system.
[1] http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html
Hope this helps,
Florian Philipp
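
The setgid-plus-umask scheme described in the message above, as an added example that is not part of the original post: it builds a throwaway setgid directory and shows which modes new files and subdirectories get under umask 002 versus 022. The function name `new_modes` and the directory name `shared` are hypothetical; it assumes Linux with GNU coreutils `stat -c`.

```shell
#!/bin/sh
# Added example (constructed): everything happens inside a mktemp directory.
# Assumes Linux semantics for setgid directories and GNU stat (-c).

# new_modes UMASK
# Prints "<file mode> <subdir mode> <yes|no>" for objects created inside a
# setgid, group-writable directory under the given umask. The last field says
# whether the new file inherited the directory's group.
new_modes() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        mkdir shared
        # If the caller has a supplementary group, hand the directory to it so
        # that group inheritance is visible; otherwise the primary group is kept.
        primary=$(id -g)
        for g in $(id -G); do
            if [ "$g" != "$primary" ]; then
                if chgrp "$g" shared 2>/dev/null; then break; fi
            fi
        done
        # chgrp can clear setgid, so set the mode afterwards.
        # 2775 = setgid bit + rwxrwxr-x
        chmod 2775 shared
        umask "$1"
        touch shared/file      # requested 0666, masked by umask
        mkdir shared/sub       # requested 0777, masked by umask, setgid inherited
        if [ "$(stat -c %g shared/file)" = "$(stat -c %g shared)" ]; then
            same=yes
        else
            same=no
        fi
        echo "$(stat -c %a shared/file) $(stat -c %a shared/sub) $same"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

# Compare the group-friendly umask with the common default.
for m in 002 022; do
    echo "umask $m -> $(new_modes "$m")"
done
```

With umask 022 the group is still inherited from the directory, but new files lack group write, which is why the scheme needs 002 or 007.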