Re: [gentoo-user] OT: Filesystem permissions

2008-07-05 Thread Alan McKinnon
On Friday 04 July 2008, Florian Philipp wrote:
> Hmm, good point. I will monitor the situation.
> If there are any occurrences of wrong permissions, I think it will be
> sufficient to make an if-clause before setting the umask but maybe it
> proves unnecessary.

I think what you really want in this case is to set the umask to 0007 
for human users and leave it as is for system users. You could either 
check for UID  1000 in /etc/profile, or explicitly add the umask 
setting to each existing user's .bashrc. Also add it to /etc/skel to 
enable it for any new users in the future.

Which is starting to get more complex than a simple acl :-)

Experience has taught me that these general principles apply to Unix 
permissions pretty much always: 

- the normal /user/group/rwx scheme works just fine 99% of the time
- 1% of the time you have an unusual need that the above doesn't cater 
for, but a simple unobtrusive acl does. These cases are usually 
obvious.
- if you are using acl's a lot, there's probably something wrong with 
your permission scheme

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

-- 
gentoo-user@lists.gentoo.org mailing list
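
One way to write the /etc/profile check suggested above (added example, not code from the thread). The 1000 threshold and the extra test that the primary group is a private one are assumptions, and `wants_0007` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example for /etc/profile; not taken from the thread.
# Assumption: human accounts start at UID 1000 (compare UID_MIN in
# /etc/login.defs on your system).
HUMAN_UID_MIN=1000

# wants_0007 UID USER PRIMARY_GROUP
# Succeeds only for a human account whose primary group is private, i.e.
# named like the user. With a shared primary group such as "users",
# umask 0007 would make every new file group-writable for everyone in it.
wants_0007() {
    [ "$1" -ge "$HUMAN_UID_MIN" ] && [ "$2" = "$3" ]
}

# System accounts and root fall through and keep whatever umask they had,
# so package installs run as root are not affected.
if wants_0007 "$(id -u)" "$(id -un)" "$(id -gn)"; then
    umask 0007
fi
```

The same lines can go into a file under /etc/skel for new accounts; a user can still override the value in their own shell startup files.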



Re: [gentoo-user] OT: Filesystem permissions

2008-07-04 Thread Dirk Heinrichs
On Thursday, 3 July 2008, Florian Philipp wrote:

> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.

Forget umask, you have to adjust the permissions of that _directory_ 
accordingly:

chmod 770 groupdir

and, as others already wrote, eventually set the SGID bit so that all files 
within are owned by the group you want.

You can later add permissions for other users or groups by using ACLs, see man 
pages of setfacl and getfacl.

HTH...

Dirk




Re: [gentoo-user] OT: Filesystem permissions

2008-07-04 Thread Dirk Heinrichs
On Friday, 4 July 2008, Dirk Heinrichs wrote:

> You can later add permissions for other users or groups by using ACLs, see
> man pages of setfacl and getfacl.

...given that you have compiled your filesystem modules with ACL support.

Bye...

Dirk




Re: [gentoo-user] OT: Filesystem permissions

2008-07-04 Thread Alan McKinnon
On Thursday 03 July 2008, Florian Philipp wrote:
> > You want to set the setgid bit on the containing directory and
> > chgrp that directory to the group involved.
>
> Argh, of course!
> I even read this stuff up this morning but I overlooked the
> paragraph!

In all likelihood you will want to set the write bit for groups on as 
well (for the setup to be truly useful as a group share). For that you 
will need posix acls, there's no way to do it with just permissions and 
defaults.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com




Re: [gentoo-user] OT: Filesystem permissions

2008-07-04 Thread Florian Philipp
On Fri, 4 Jul 2008 16:24:52 +0200
Alan McKinnon [EMAIL PROTECTED] wrote:

> On Thursday 03 July 2008, Florian Philipp wrote:
> > > You want to set the setgid bit on the containing directory and
> > > chgrp that directory to the group involved.
> >
> > Argh, of course!
> > I even read this stuff up this morning but I overlooked the
> > paragraph!
>
> In all likelihood you will want to set the write bit for groups on
> as well (for the setup to be truly useful as a group share). For that
> you will need posix acls, there's no way to do it with just
> permissions and defaults.

I've just set the umask 0007 in /etc/profile. With the rule that
every user has his own primary group (as it is default), this is
sufficient for my needs.

I haven't tested every application but at least konqueror seems to
respect this setting.

If I can avoid the usage of acls with a few global settings, I'm
willing to do so. The prospect of having two levels of filesystem
permissions, each only visible with different, dedicated tools, causes me
headaches. ;)




Re: [gentoo-user] OT: Filesystem permissions

2008-07-04 Thread Alan McKinnon
On Friday 04 July 2008, Florian Philipp wrote:

> I've just set the umask 0007 in /etc/profile. With the rule that
> every user has his own primary group (as it is default), this is
> sufficient for my needs.

Hmmm. That gives permissions:

rw-rw

on every single new file created by every single user by default.

If you are happy with that, so be it. I would not be happy with that :-)


-- 
Alan McKinnon
alan dot mckinnon at gmail dot com




Re: [gentoo-user] OT: Filesystem permissions

2008-07-04 Thread Florian Philipp
On Fri, 4 Jul 2008 18:35:58 +0200
Alan McKinnon [EMAIL PROTECTED] wrote:

> On Friday 04 July 2008, Florian Philipp wrote:
>
> > I've just set the umask 0007 in /etc/profile. With the rule that
> > every user has his own primary group (as it is default), this is
> > sufficient for my needs.
>
> Hmmm. That gives permissions:
>
> rw-rw
>
> on every single new file created by every single user by default.
>
> If you are happy with that, so be it. I would not be happy with
> that :-)

Since every user has another primary group this doesn't cause problems.
Only on folders with SETGID where the group is changed by design this
umask causes other users to have write and read permissions and that's
what I wanted in the first place.




Re: [gentoo-user] OT: Filesystem permissions

2008-07-04 Thread Dirk Heinrichs
On Friday, 4 July 2008, Florian Philipp wrote:
> On Fri, 4 Jul 2008 18:35:58 +0200
>
> Alan McKinnon [EMAIL PROTECTED] wrote:
> > On Friday 04 July 2008, Florian Philipp wrote:
> > > I've just set the umask 0007 in /etc/profile. With the rule that
> > > every user has his own primary group (as it is default), this is
> > > sufficient for my needs.
> >
> > Hmmm. That gives permissions:
> >
> > rw-rw
> >
> > on every single new file created by every single user by default.
> >
> > If you are happy with that, so be it. I would not be happy with
> > that :-)
>
> Since every user has another primary group this doesn't cause problems.
> Only on folders with SETGID where the group is changed by design this
> umask causes other users to have write and read permissions and that's
> what I wanted in the first place.

And what about the packages you install/update as root? I'd bet that not all 
give the exact permissions when calling install.

Bad idea.

Bye...

Dirk




Re: [gentoo-user] OT: Filesystem permissions

2008-07-04 Thread Florian Philipp
On Fri, 4 Jul 2008 20:08:43 +0200
Dirk Heinrichs [EMAIL PROTECTED] wrote:

> On Friday, 4 July 2008, Florian Philipp wrote:
> > On Fri, 4 Jul 2008 18:35:58 +0200
> >
> > Alan McKinnon [EMAIL PROTECTED] wrote:
> > > On Friday 04 July 2008, Florian Philipp wrote:
> > > > I've just set the umask 0007 in /etc/profile. With the rule that
> > > > every user has his own primary group (as it is default), this is
> > > > sufficient for my needs.
> > >
> > > Hmmm. That gives permissions:
> > >
> > > rw-rw
> > >
> > > on every single new file created by every single user by default.
> > >
> > > If you are happy with that, so be it. I would not be happy with
> > > that :-)
> >
> > Since every user has another primary group this doesn't cause
> > problems. Only on folders with SETGID where the group is changed by
> > design this umask causes other users to have write and read
> > permissions and that's what I wanted in the first place.
>
> And what about the packages you install/update as root? I'd bet that
> not all give the exact permissions when calling install.
>
> Bad idea.
>
> Bye...
>
>   Dirk

Hmm, good point. I will monitor the situation.
If there are any occurrences of wrong permissions, I think it will be
sufficient to make an if-clause before setting the umask but maybe it
proves unnecessary.




[gentoo-user] OT: Filesystem permissions

2008-07-03 Thread Florian Philipp
Hi list!

I'm a bit dissatisfied with the way umask and filesystem permissions
work and I'd like to know if a) this is due to misunderstanding on my
part and/or b) there is a clean workaround I'm unaware of.

Let's say I have a system with various users working on some sensible
data. Therefore I have to set up various security policies regarding
file permissions and so forth.

For example every $HOME-directory should be only readable to the user
himself (e.g. for user phil_fl: chown phil_fl:phil:fl; umask 0077 or
0007).

Then there might be a common folder for all users in a specific group
as a simple way of sharing files. These shall be accessible by every
user in the group but by none else, so for the user phil_fl and the
group users: chown phil_fl:users; umask 0007.

As we see, the umask itself isn't the problem (in this special case)
but the group is it, however, there might be cases in which need to
change both for special folders. How do I do this without needing any
interaction from the users?

Thanks in advance!

Florian Philipp




Re: [gentoo-user] OT: Filesystem permissions

2008-07-03 Thread Alan McKinnon
On Thursday 03 July 2008, Florian Philipp wrote:
> Hi list!
>
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
>
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
>
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil:fl; umask 0077 or
> 0007).
>
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
>
> As we see, the umask itself isn't the problem (in this special case)
> but the group is it, however, there might be cases in which need to
> change both for special folders. How do I do this without needing any
> interaction from the users?

umask does nothing for you here, it is simply a default starting point 
for the permissions of new files and directories and the user is 
completely free to change it to anything they feel like.

Yes, this is by design. Yes, this is a very good thing :-)

You want to set the setgid bit on the containing directory and chgrp 
that directory to the group involved.

A bit of googling will help you further, if you get stuck or have no 
idea what I could possibly be on about, post back and I'll post the 
full story. It's quite involved and if it were code, it would be a 
heavily nested if clause

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com




Re: [gentoo-user] OT: Filesystem permissions

2008-07-03 Thread Florian Philipp
On Thu, 3 Jul 2008 17:52:29 +0200
Alan McKinnon [EMAIL PROTECTED] wrote:

> On Thursday 03 July 2008, Florian Philipp wrote:
> > Hi list!
> >
> > I'm a bit dissatisfied with the way umask and filesystem permissions
> > work and I'd like to know if a) this is due to misunderstanding on
> > my part and/or b) there is a clean workaround I'm unaware of.
> >
> > Let's say I have a system with various users working on some
> > sensible data. Therefore I have to set up various security policies
> > regarding file permissions and so forth.
> >
> > For example every $HOME-directory should be only readable to the
> > user himself (e.g. for user phil_fl: chown phil_fl:phil:fl; umask
> > 0077 or 0007).
> >
> > Then there might be a common folder for all users in a specific
> > group as a simple way of sharing files. These shall be accessible
> > by every user in the group but by none else, so for the user
> > phil_fl and the group users: chown phil_fl:users; umask 0007.
> >
> > As we see, the umask itself isn't the problem (in this special case)
> > but the group is it, however, there might be cases in which need to
> > change both for special folders. How do I do this without needing
> > any interaction from the users?
>
> umask does nothing for you here, it is simply a default starting
> point for the permissions of new files and directories and the user
> is completely free to change it to anything they feel like.
>
> Yes, this is by design. Yes, this is a very good thing :-)
>
> You want to set the setgid bit on the containing directory and chgrp
> that directory to the group involved.

Argh, of course!
I even read this stuff up this morning but I overlooked the paragraph!

Thanks!




Re: [gentoo-user] OT: Filesystem permissions

2008-07-03 Thread Daniel Iliev
On Thu, 3 Jul 2008 17:40:01 +0200
Florian Philipp [EMAIL PROTECTED] wrote:

> Hi list!
>
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
>
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
>
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil:fl; umask 0077 or
> 0007).
>
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
>
> As we see, the umask itself isn't the problem (in this special case)
> but the group is it, however, there might be cases in which need to
> change both for special folders. How do I do this without needing any
> interaction from the users?
>
> Thanks in advance!
>
> Florian Philipp


AFAIK it was RedHat who introduced the so called User Private Groups
scheme which is convenient exactly for situations like yours. Gentoo
also uses that scheme by default.

In short, instead of creating all user accounts as members of the group
users, now for every user account useradd(8) creates a private
group for the account in addition. Peter is created with main group
Peter, Ann is created with main group Ann and so on.

If you wanted Peter and Ann to share a common folder, you have to
create a common group for them (e.g. project) and add each of them to
that group. Then create a directory with owner root:project and the
GID bit on. The GID bit makes the newly created files in the directory
owned by the group project, instead of by the group of the user
creating the file.

P.S.

This schema may be convenient for some things but as usual it also has
some disadvantages for others. I have asked here about one of the
disadvantages (my personal point of view) when I discovered there was a
new scheme:

http://thread.gmane.org/gmane.linux.gentoo.user/190110

-- 
Best regards,
Daniel
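
The setgid-directory setup discussed in this thread, as an added example that is not part of any poster's message: it runs unprivileged in a scratch directory (Linux `stat -c` assumed) and shows that the setgid bit fixes group ownership of new files while the creator's umask still decides whether the group gets write access. The `/srv/project` path in the comment is hypothetical.

```shell
#!/bin/sh
# Added example; constructed scratch directory, no root needed.
# Assumes Linux and a stat that supports -c (GNU coreutils or busybox).
# Real deployment, as root (hypothetical path):
#   chown root:project /srv/project && chmod 2770 /srv/project

# make_share DIR: group-only directory with the setgid bit set.
make_share() {
    mkdir -p "$1" && chmod 2770 "$1"
}

# mode_under_umask DIR UMASK KIND: create a file (KIND=f) or a directory
# (KIND=d) inside DIR under the given umask and print its octal mode.
mode_under_umask() {
    (
        umask "$2"
        target="$1/new_$3_$2"
        if [ "$3" = d ]; then mkdir "$target"; else : > "$target"; fi
        stat -c '%a' "$target"
    )
}

# same_group A B: succeed when both paths carry the same GID.
same_group() {
    [ "$(stat -c '%g' "$1")" = "$(stat -c '%g' "$2")" ]
}

demo() {
    top=$(mktemp -d)
    share="$top/project"
    make_share "$share"
    echo "share directory:     $(stat -c '%a' "$share")"
    echo "file,   umask 0022:  $(mode_under_umask "$share" 0022 f)"
    echo "file,   umask 0007:  $(mode_under_umask "$share" 0007 f)"
    echo "subdir, umask 0007:  $(mode_under_umask "$share" 0007 d)"
    same_group "$share" "$share/new_f_0022" && echo "group inherited from directory"
    rm -rf "$top"
}

demo
```

With umask 0022 the file lands in the right group but without group write, which is the gap the umask 0007 and ACL suggestions in the thread are each trying to close.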