On Thursday 03 July 2008, Florian Philipp wrote:
> Hi list!
>
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
>
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
>
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil:fl; umask 0077 or
> 0007).
>
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
>
> As we see, the umask itself isn't the problem (in this special case)
> but the group is. However, there might be cases in which I need to
> change both for special folders. How do I do this without needing any
> interaction from the users?

umask does nothing for you here; it is simply a default starting point 
for the permissions of new files and directories, and the user is 
completely free to change it to anything they feel like.

Yes, this is by design. Yes, this is a very good thing :-)

You want to set the setgid bit on the containing directory and chgrp 
that directory to the group involved.

A bit of googling will help you further. If you get stuck or have no 
idea what I could possibly be on about, post back and I'll post the 
full story. It's quite involved and if it were code, it would be a 
heavily nested if clause.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

-- 
gentoo-user@lists.gentoo.org mailing list
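
The setgid-directory setup from the reply above, as an added example that is not part of the original thread: new files and subdirectories take the directory's group, while their mode bits still follow each user's umask. It assumes Linux with GNU `stat -c`; `SHARE_GROUP` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with GNU coreutils `stat -c`.
# SHARE_GROUP is a hypothetical variable; it defaults to the caller's primary
# group so the demo runs unprivileged. For a real share, use the shared group.

# Create the shared directory: group-owned, rwx for owner and group, setgid set.
setup_share() {      # $1 = directory, $2 = group (name or gid)
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Create a file in the share under a given umask; print "<gid> <octal mode>".
create_file_as() {   # $1 = directory, $2 = umask, $3 = file name
    ( umask "$2" && : > "$1/$3" ) && stat -c '%g %a' "$1/$3"
}

# Create a subdirectory under a given umask; print "<gid> <octal mode>".
create_dir_as() {    # $1 = directory, $2 = umask, $3 = subdirectory name
    ( umask "$2" && mkdir "$1/$3" ) && stat -c '%g %a' "$1/$3"
}

demo() {
    share=$(mktemp -d) || return 1
    group=${SHARE_GROUP:-$(id -g)}
    setup_share "$share" "$group" || return 1
    echo "share dir:        $(stat -c '%g %a' "$share")"
    # Group comes from the directory (setgid); mode bits come from the umask.
    echo "file, umask 0007: $(create_file_as "$share" 0007 shared.txt)"
    # A user with a stricter umask still creates files the group cannot read.
    echo "file, umask 0077: $(create_file_as "$share" 0077 private.txt)"
    # New subdirectories inherit the setgid bit as well as the group.
    echo "dir,  umask 0007: $(create_dir_as "$share" 0007 sub)"
    rm -rf "$share"
}

demo
```

The `0077` case is the one to check on a real share: the group ownership is correct, but the file is mode 600, so other group members cannot open it until its owner changes the mode.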
