[NCLUG] Why one group per user and SGID home dirs
Matt Taggart
matt at lackof.org
Wed Feb 21 09:55:01 MST 2001
Charles Clarke writes...
> If they want files in their home directory to be confidential, then
> their home directories shouldn't be readable or executable by anyone.
> So, how is this better than a group 'users', a group 'project', home
> directories with 700(or group 'users' and 2700), project directory with
> 2770 and umasks of 002?
With a setgid $HOME and all files/dirs owned by the user's private group then
each user can do that and still keep their umask open so things in /project
work right. If they were all in a "users" group then a umask of 002 would mean
new files in their $HOME would have "users" group write access. They *might*
be "protected" by the fact that the user has locked down the directory they're
in but I think that's a bad policy. Does this make sense?
> You could even put both of them in the group
> 'project' and not even have them in the group 'users'.
Well their $HOME's have to have *some* group.
--
Matt Taggart
matt at lackof.org
More information about the NCLUG
mailing list