Re: [gentoo-user] umask 002 in /etc/profile
On Wed, Apr 1, 2009 at 12:31 PM, Steven Lembark lemb...@wrkhors.com wrote: That was the idea, RH did it that way a dozen years ago for exactly the reason you mention: dir mods of 02770 make it easy to share files but require 002 umask. Fix was to set the per-user group, allowing private dir's (largely $HOME) to have tighter mods with files below them group readable by a single-user group. Hey, I use 2770 for directories too, but I notice there's one problem with that setup. If a user moves or copies a directory to a share that with 2770 mods, the files under moved directory retain their old group. Which is technically correct: small, tightly managed shares (I'm thinking programmers and code) probably need user-intervention for keeping permissions in check. But I'm doing a bunch of really large data shares on the order of several thousand pictures, sounds, clips, etc that are meant to have essentially free-for-all permissions, and having to manually have all users change the group of copied/moved files to the shared group wasn't acceptable. So I did a workaround for it so that files under my shares are correctly group-owned after default copy/move operations. The workaround I did? The real share is under /store, but the shares being directly accessed by the users are actually samba exports which force the user and group permissions to be correct for sharing via force user mask and friends. Unfortunately, this workaround doesn't help with a shared winedrive (I figure wine does weird things with opening files multiple times or something, which makes sense, it's a bunch of programs/libraries). What does work though, is to create a shared winedrive under an NTFS partition and to mount that using the users group. I'm not too amenable to creating a shared NTFS drive for everything else though! It's ext3 for me. Does that sound like an overly roundabout way to do things? My smbd's system use doesn't bother me. The there must be a better way to do it voice at the back of my head sometimes does, though.
Re: [gentoo-user] umask 002 in /etc/profile
On Wed, Apr 1, 2009 at 12:31 PM, Steven Lembark lemb...@wrkhors.com wrote: The scheme works rather nicely in nearly every situation (POSIX ACL's play hell with the scheme, but, then, they are supposed to). That being said, is there anyone who swears by ACLs here? I've never tried them on (except in a couple of classroom exercises years ago), so I don't know if they're any joy. Would they allow me to force all files under a directory, for instance, to be something like g+rw and at the same time be enrolled in a shared group?
Re: [gentoo-user] umask 002 in /etc/profile
On Wednesday 01 April 2009 16:55:31 Mark David Dumlao wrote: On Wed, Apr 1, 2009 at 12:31 PM, Steven Lembark lemb...@wrkhors.com wrote: That was the idea, RH did it that way a dozen years ago for exactly the reason you mention: dir mods of 02770 make it easy to share files but require 002 umask. Fix was to set the per-user group, allowing private dir's (largely $HOME) to have tighter mods with files below them group readable by a single-user group. Hey, I use 2770 for directories too, but I notice there's one problem with that setup. If a user moves or copies a directory to a share that with 2770 mods, the files under moved directory retain their old group. Which is technically correct: small, tightly managed shares (I'm thinking programmers and code) probably need user-intervention for keeping permissions in check. But I'm doing a bunch of really large data shares on the order of several thousand pictures, sounds, clips, etc that are meant to have essentially free-for-all permissions, and having to manually have all users change the group of copied/moved files to the shared group wasn't acceptable. So I did a workaround for it so that files under my shares are correctly group-owned after default copy/move operations. Wow. That's convulted. Simply setgid on the top-most directory that stuff is copied into, and all files and dirs created in it are owned by the same group that owns the top directory: chmod g+s /path/to/dest/dir/ None of that tedious mucking about that you resorted to. -- alan dot mckinnon at gmail dot com
Re: [gentoo-user] umask 002 in /etc/profile
On Wed, 1 Apr 2009 23:01:15 +0800, Mark David Dumlao wrote: That being said, is there anyone who swears by ACLs here? I've never tried them on (except in a couple of classroom exercises years ago), so I don't know if they're any joy. Would they allow me to force all files under a directory, for instance, to be something like g+rw and at the same time be enrolled in a shared group? You can use ACLs to give users of a group full read/write access to all files in a directory. -- Neil Bothwick Half of being smart is knowing what you're dumb at. signature.asc Description: PGP signature
Re: [gentoo-user] umask 002 in /etc/profile
Mark David Dumlao madum...@gmail.com wrote: On Wed, Apr 1, 2009 at 12:31 PM, Steven Lembark lemb...@wrkhors.com wrote: The scheme works rather nicely in nearly every situation (POSIX ACL's play hell with the scheme, but, then, they are supposed to). That being said, is there anyone who swears by ACLs here? I've never There is nothing like POSIX ACLs. The related standard proposal was withdrawn in 1999. The only current standard that mentions ACLs is NFSv4 and this defines NTFS/ZFS ACLs. Jörg -- EMail:jo...@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin j...@cs.tu-berlin.de(uni) joerg.schill...@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/ URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
Re: [gentoo-user] umask 002 in /etc/profile
On Wednesday 01 April 2009 17:01:15 Mark David Dumlao wrote: On Wed, Apr 1, 2009 at 12:31 PM, Steven Lembark lemb...@wrkhors.com wrote: The scheme works rather nicely in nearly every situation (POSIX ACL's play hell with the scheme, but, then, they are supposed to). That being said, is there anyone who swears by ACLs here? I've never tried them on (except in a couple of classroom exercises years ago), so I don't know if they're any joy. Would they allow me to force all files under a directory, for instance, to be something like g+rw and at the same time be enrolled in a shared group? ACLs have limited use, but when you need them, you really need them. Which is a good thing, as you are liable to forget you applied them, and getting them to display is a PITA. The only real-world cases I have personally ever seen that do require ACLs are: 1. A specific user does not own a file, and is not a member of the group that owns it. He does need write access to it though, but must not have the full rights of the group. An ACL just for that user solves this. 2. You need two groups to have access to the same thing. Such as, the payroll file is owned by Bill and accessible by group accountants and group payroll- clerks. You could make a payroll group and add the clerks and accountants to it, but that gets very out of hand very very quick (number of groups explode). If this is the only case you have like this, an ACL lets you simulate a second group owner 3. A shared directory where several people read and write files. Consistent group ownership of the files is easy - chmod g+s /directory/, but it's not so easy to ensure that g=w is always set. You could insist that everyone has a umask 700, but that's insane. You could run chown -R in a script every hour, but that's stupid. An ACL can specify a umask just for that one directory. In every other case I had to be very careful I wasn't walking into 3 year old with a hammer syndrome. Those three cases, applied with common sense, and kept to a minimum, can make your life easier. Use them too often or too widely, and you will certainly end up with an unmanageable complicated mess. -- alan dot mckinnon at gmail dot com
Re: [gentoo-user] umask 002 in /etc/profile
On Wed, Apr 1, 2009 at 11:03 PM, Alan McKinnon alan.mckin...@gmail.com wrote: On Wednesday 01 April 2009 16:55:31 Mark David Dumlao wrote: On Wed, Apr 1, 2009 at 12:31 PM, Steven Lembark lemb...@wrkhors.com wrote: That was the idea, RH did it that way a dozen years ago for exactly the reason you mention: dir mods of 02770 make it easy to share files but require 002 umask. Fix was to set the per-user group, allowing private dir's (largely $HOME) to have tighter mods with files below them group readable by a single-user group. Hey, I use 2770 for directories too, but I notice there's one problem with that setup. If a user moves or copies a directory to a share that with 2770 mods, the files under moved directory retain their old group. Which is technically correct: small, tightly managed shares (I'm thinking programmers and code) probably need user-intervention for keeping permissions in check. But I'm doing a bunch of really large data shares on the order of several thousand pictures, sounds, clips, etc that are meant to have essentially free-for-all permissions, and having to manually have all users change the group of copied/moved files to the shared group wasn't acceptable. So I did a workaround for it so that files under my shares are correctly group-owned after default copy/move operations. Wow. That's convulted. Simply setgid on the top-most directory that stuff is copied into, and all files and dirs created in it are owned by the same group that owns the top directory: chmod g+s /path/to/dest/dir/ Nope, that doesn't do at all. Try copying/moving a directory with files in it, and the files inside won't have the correct group. Their group will always belong to the group of the original owner, not the group of the shared directory.
[gentoo-user] umask 002 in /etc/profile
You know, I was thinking a bit, What with usergroups being the default behavior, do you think it's quite reasonable to use 002 as a default umask? Most group-sharing use-cases I've encountered have people that are sharing groups share files as read-write anyways, and by default, users have their own private group which nobody else is a member of; i.e. g+rw still won't allow others to write them.
Re: [gentoo-user] umask 002 in /etc/profile
What with usergroups being the default behavior, do you think it's quite reasonable to use 002 as a default umask? Most group-sharing use-cases I've encountered have people that are sharing groups share files as read-write anyways, and by default, users have their own private group which nobody else is a member of; i.e. g+rw still won't allow others to write them. That was the idea, RH did it that way a dozen years ago for exactly the reason you mention: dir mods of 02770 make it easy to share files but require 002 umask. Fix was to set the per-user group, allowing private dir's (largely $HOME) to have tighter mods with files below them group readable by a single-user group. The scheme works rather nicely in nearly every situation (POSIX ACL's play hell with the scheme, but, then, they are supposed to). enjoi -- Steven Lembark85-09 90th St. Workhorse Computing Woodhaven, NY, 11421 lemb...@wrkhors.com +1 888 359 3508
Re: [gentoo-user] umask 002 in /etc/profile
On Wednesday 01 April 2009 04:31:03 Mark David Dumlao wrote: You know, I was thinking a bit, What with usergroups being the default behavior, do you think it's quite reasonable to use 002 as a default umask? Most group-sharing use-cases I've encountered have people that are sharing groups share files as read-write anyways, and by default, users have their own private group which nobody else is a member of; i.e. g+rw still won't allow others to write them. For the average user, this is quite fine. -- alan dot mckinnon at gmail dot com