[ale] User Private Group -- what are the benefits?
scott mcbrien
smcbrien at gmail.com
Mon Jun 4 10:58:36 EDT 2012
On your traditional *nix systems, home directories are owned by some
generic group like staff or users which is given r-x permissions by
default. Also the default umask for users tends to be 022, so when
users create files around the system, again they're owned by staff or
users and are accessible to every other user. Now at first glance
this isn't that different from how Linux handles this. I mean, on
Linux we use a less restrictive umask, 002, by default but because of
UPG, all other users are covered under the 'others' permissions. But
the fact that we're using UPG is what allows for the application of
the less restrictive umask.
Where you see gains from UPG and the resulting less restrictive
default umask is when you're working with shared groups. Let's say you
have the 'web' group who maintains your pages in
/var/www/html/someproject/. In a traditional *nix, you'd add all your
users to web, but when they create files in /var/www/html/someproject
they look like this:
-rw-r--r-- fred users freds_web_file
so maybe you fix the ownership issue with SGID (yea!) or changing
Fred's primary group to web (boo). Now he creates files that look
like:
-rw-r--r-- fred web freds_web_file
Other people in the web group don't have write access without Fred
doing a chmod, or you doing a cron-job or some other gross hack to
make sure perms get set right.
However, with UPG, when Fred initially creates files:
-rw-rw-r-- fred fred freds_web_file
Thanks to the less restrictive umask, the group permissions also
include write. Because fred is giving that to his private group that
no one else belongs to, it's not a big deal. But on this web docroot
directory, when you add the SGID permission, as though by magic we
have happiness. Now when Fred creates files (that automatically are
chgrp'ed to web):
-rw-rw-r-- fred web freds_web_file
Other people who belong to the web group can make changes to Fred's
files without Fred (or you) needing to re-permission files all the
time. Add to that the fact that SGID is inheritable, and now if the
web group decides they need sub-dir structure or whatnot, they can
create what they need and you don't have to do jack.
-Scott
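The mechanism Scott describes, as an added example that is not part of the original post: a shared directory with the SGID bit, a file and a sub-directory created in it under a given umask, and the resulting modes and groups. It assumes GNU coreutils (stat -c) and runs unprivileged in a temp directory, so the directory's group is simply the caller's primary group, standing in for the 'web' group in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates: under a 002 umask,
# files created in an SGID directory come out group-writable (664) and take
# the directory's group, and sub-directories inherit the SGID bit (2775).
# Under the traditional 022 umask the same setup yields 644 / 2755 instead.
# Assumes GNU coreutils (stat -c); the temp directory's group is the
# caller's primary group, standing in for the 'web' group.

# sgid_demo UMASK -> prints "FILE_MODE FILE_GROUP DIR_GROUP SUBDIR_MODE"
# for a file and a sub-directory created under UMASK inside an SGID dir.
sgid_demo() {
    docroot=$(mktemp -d) || return 1      # stands in for /var/www/html/someproject
    chmod 2775 "$docroot"                 # rwxrwsr-x: SGID set on the shared dir
    dir_group=$(stat -c '%G' "$docroot")
    (
        cd "$docroot" || exit 1
        umask "$1"
        touch freds_web_file              # Fred's new file from the post
        mkdir subdir                      # sub-dir structure the web group adds
    ) || return 1
    printf '%s %s %s %s\n' \
        "$(stat -c '%a' "$docroot/freds_web_file")" \
        "$(stat -c '%G' "$docroot/freds_web_file")" \
        "$dir_group" \
        "$(stat -c '%a' "$docroot/subdir")"
    rm -rf "$docroot"
}

# group_writable MODE -> returns 0 if octal MODE grants write to the group
# (group digit is the second-to-last octal digit; 2, 3, 6 and 7 include w).
group_writable() {
    case "$1" in
        *[2367]?) return 0 ;;
        *)        return 1 ;;
    esac
}

# Stand-alone run: compare the UPG-style 002 umask with the traditional 022.
for u in 002 022; do
    printf 'umask %s -> %s\n' "$u" "$(sgid_demo "$u")"
done
```

With `umask 002` the file lands as 664 in the directory's group, which is exactly Scott's `-rw-rw-r-- fred web freds_web_file`; with 022 it is 644 and the group cannot write.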
On Mon, Jun 4, 2012 at 10:44 AM, James Sumners <james.sumners at gmail.com> wrote:
> In almost every Linux distribution I have used, Arch Linux being the
> only exception I can think of off the top of my head, when a new user is
> added, then a group of the same name is created as that user's primary
> group (if one isn't specified). I've always just accepted this as "the
> way it's done," and never researched it. We've recently moved from
> Solaris to RHEL as the OS for our database server. Our DBA has
> inquired about why users have their own group on the RHEL system when
> they did not on the Solaris system. I don't have an answer other than
> "that's just the way it is" and I don't like that.
>
> I've been doing some searching for documentation on this, but haven't
> been able to find anything. So, do any of you guys have some insights
> as to why this is (typically) done on Linux systems?
>
> --
> James Sumners
> http://james.roomfullofmirrors.com/
>
> "All governments suffer a recurring problem: Power attracts
> pathological personalities. It is not that power corrupts but that it
> is magnetic to the corruptible. Such people have a tendency to become
> drunk on violence, a condition to which they are quickly addicted."
>
> Missionaria Protectiva, Text QIV (decto)
> CH:D 59