[NCLUG] Why one group per user and SGID home dirs
Charles Clarke
clarke at clarkecomputer.com
Wed Feb 21 11:52:12 MST 2001
On Wed, 21 Feb 2001, Matt Taggart wrote:
> Charles Clarke writes...
>
> > If they want files in their home directory to be confidential, then
> > their home directories shouldn't be readable or executable by anyone.
> > So, how is this better than a group 'users', a group 'project', home
> > directories with 700(or group 'users' and 2700), project directory with
> > 2770 and umasks of 002?
>
> With a setgid $HOME and all files/dirs owned by the user's private group then
> each user can do that and still keep their umask open so things in /project
> work right. If they were all in a "users" group then a umask of 002 would mean
> new files in their $HOME would have "users" group write access. They *might*
> be "protected" by the fact that the user has locked down the directory they're
> in but I think that's a bad policy. Does this make sense?
My policy isn't that the user locked it down, but that it was locked down
already. They have to open it up and yes, I know that a little
knowledge(of chmod and permissions) is dangerous. I don't have a problem
with you not trusting them to know what they are doing if they open it up.
:)
>
> > You could even put both of them in the group
> > 'project' and not even have them in the group 'users'.
>
> Well their $HOME's have to have *some* group.
Yes, I was proposing that it have the group 'project'. And yes, I was
relying on it having permission 700. If they learn how to use chmod to
open it up, they can take responsibility for doing it.
>
> --
> Matt Taggart
> matt at lackof.org
>
--------------------------------------------------------------------------
Domain hosting from $15/month with error log analysis and link checking.
http://www.clarkecomputer.com/sig.html domains at clarkecomputer.com
More information about the NCLUG
mailing list