Hi,

On Mon, 10 May 2010 at 20:35, Aaron Toponce wrote:
> > See the case the user wants another person in his own group to share
> > files. Then he might set the files readable for his group only but not
> > for world. So the other user can read this data. But he cannot write it
> > as it might be intended.
> >
> > Setting the umask to 002 lets the other user _edit_ all files the user
> > did create in the past with that umask, in fact giving away most of his
> > files.
>
> The point of UPG is to not put users you don't trust in your private
> group. That's why it's called "private". :)

You can never trust anybody enough to give him rights to _all_ of your
files. So this assumption is never true and a user will not have any
benefit of this group if the umask is 002!

> If you don't trust users in your UPG, then the administrator should
> set up a different group, and put the necessary users in that group.

Give me one case where this is true. If there is a group for sharing
purposes the users will use it -- and will lower their security down to
nothing. Setting a default umask of 002 is highly negligent!

> I'm all for increasing security, but it always comes at a cost.

That's true. But setting the umask to 002 will lower it for no benefit.

> In this case, the convenience of setting up group collaboration
> directories becomes a pain to administer, as the group write bit is
> never set, and cron jobs, profile-specific umask values, or FACLs are
> used instead, adding to the complexity of the system.

Well, in all cases I know about where collaboration was set up, the
person who did it knew exactly what he was doing. And that is the way it
should be. Don't let users do something if they do not know what
consequences it will have -- especially in security!

The crazy idea of setting the umask to 002 by default will end in many,
many systems where the users have security as low as nothing for their
important files, only to serve a few use cases where the persons
normally know how to get rid of anyway.

Regards
   Klaus
-- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <kl...@ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
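
Added example, not part of the original message: a shell sketch of what the umask values under discussion do to newly created files, plus two checks an administrator could run to see whether a user private group is still private. It assumes GNU stat and find (as on Debian); the function names and the sample group database are constructed for illustration.

```shell
#!/bin/sh
# Added example: effect of the default umask on files in a user private
# group (UPG). Assumes GNU stat/find; all sample data is constructed.

# Print the octal mode a newly created file gets under the given umask.
mode_under_umask() {
    (
        d=$(mktemp -d) || exit 1
        umask "$1"
        : > "$d/f"            # the shell asks for 0666; the umask clears bits
        stat -c '%a' "$d/f"
        rm -rf "$d"
    )
}

# List regular files under a directory whose group write bit is set.
group_writable_files() {
    find "$1" -type f -perm -020
}

# Given a file in /etc/group format and a user name, print the extra
# members of the group named after that user. Empty output means the
# group is still private.
upg_extra_members() {
    awk -F: -v u="$2" '$1 == u && $4 != "" { print $4 }' "$1"
}

demo() {
    for m in 002 022 027; do
        echo "umask $m -> mode $(mode_under_umask "$m")"
    done
    g=$(mktemp) || return 1
    # Constructed group database: bob was added to alice's private group.
    printf 'alice:x:1000:bob\ncarol:x:1001:\n' > "$g"
    for u in alice carol; do
        echo "$u UPG extra members: $(upg_extra_members "$g" "$u")"
    done
    rm -f "$g"
}

demo
```

On a real system, upg_extra_members would be pointed at the output of getent group, and group_writable_files at a home directory.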