On Tue, Dec 26, 2000 at 12:38:28PM +0200, Eray Ozkural (exa) wrote:
> I always thought it was a paranoid kind of security "feature"
> in Debian. I might be wrong of course.
>
> How does giving every user his own group make it easier for
> him to share files without system administrator's intervention?
> I couldn't quite get it, sorry I just woke up but I simply
> don't understand it. A small example?

Sure. Let's say you have a pair of users, Jose and HoseB, each with home directories in /home, with a single-user group each. They have some confidential files which they keep in their home directories and want to hide from each other.

They also work on a project together, in /project. They have another group, which they both belong to, and all the files in /project use that GID. There are other users on the system who are not working on the project and who should not be able to look at /project.

Jose and HoseB can set their umask to allow group read/write by default. When they write to their home directories, the files belong to their individual user groups, so nobody else can read them. When they write in /project, the files belong to the project group, so they can both read them. And nobody except Jose and HoseB can read the files in /project either, because they're not world read/writable.

Now, imagine if Jose and HoseB shared a 'users' group, which their home directories used, as well as the project group. When they write to their home directories, their files end up group read/writeable to all users! Or if they set their umask to allow user read/write only, then they end up with files in /project which the other person can't read. They have to remember to fix file permissions all the time.

This is a big nuisance. I spent months working on a project with a shared directory without individual user groups. Worse yet, you can end up with a CVS repository full of files with user-only permissions (using a local CVS repository, rather than remote).

Of course this is not an issue if (a) you never need to share files with a subset of users (use world read/write), or (b) you never need to share files at all (user read/write only).

> It populates the groups? I want only meaningful groups there.

Per-user groups are very meaningful, and are a good demonstration of why Debian is a superior OS to many others.

Regards,
Hamish
--
Hamish Moffatt VK3SB <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
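
The scenario from the message above, as an added Python model that is not part of the original post: it creates a real file under each umask to obtain the mode bits, then applies the standard owner/group/other read check for both group layouts. The umask values 007 and 077, the file names and the third user `carol` are assumptions chosen to match the description; the message gives no specific values.

```python
import os
import stat
import tempfile

# jose and hoseb come from the message; carol is a hypothetical non-project user.
USERS = ("jose", "hoseb", "carol")

def created_mode(umask, requested=0o666):
    """Create a real file under the given umask and return its permission bits."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "f")
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY, requested))
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)

def can_read(user, user_groups, owner, group, mode):
    """Unix check: exactly one class applies, tested as owner, then group, then other."""
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in user_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def who_can_read(per_user_groups, umask):
    """Return {path: readers} for files jose creates in his home and in /project."""
    groups = {u: ({u} if per_user_groups else {"users"}) for u in USERS}
    groups["jose"].add("project")
    groups["hoseb"].add("project")
    mode = created_mode(umask)
    # Home files get jose's primary group; /project files get the project GID,
    # as the message states (the mechanism for that is not modelled here).
    files = {
        "/home/jose/notes": "jose" if per_user_groups else "users",
        "/project/plan": "project",
    }
    return {
        path: sorted(u for u in USERS if can_read(u, groups[u], "jose", grp, mode))
        for path, grp in files.items()
    }

if __name__ == "__main__":
    cases = [("per-user groups", True, 0o007),
             ("shared 'users'", False, 0o007),
             ("shared 'users'", False, 0o077)]
    for label, upg, umask in cases:
        print(f"{label}, umask {umask:03o}: {who_can_read(upg, umask)}")
```
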