On Fri, Feb 11, 2000 at 07:15:15PM -0500, John Dalbec wrote:
> I just noticed that my /home partition has the setgid permission bit.
> Is this normal for Debian? Security problem? Hacked system?
> TIA,
> John
it's not a security problem, though I am not entirely sure of the point.. here is what it does:

on *BSD systems, whenever a file is created its group is set to the group that owns the parent directory. on SysV-like systems (which linux is more similar to) the group of a newly created file is always that of the creating user's primary group (in /etc/passwd every user has a numeric User ID (UID) and a numeric Group ID (GID); the GID corresponds to a group in /etc/group). what the setgid bit on a directory does in linux (and possibly other SysV systems) is revert the file creation behavior to BSD, so now files created under /home will always have the group set to that of /home (which is staff I think).

now by default debian uses the `user private group' scheme when creating users. this means that when a user is created, a new group with the same name and numeric ID is created as the user's primary group. so when I created my account `eb' it was created as uid 1000 with the primary group being gid 1000 (which is a group called `eb' with no members), and my home directory was created with its owner and group set to eb.eb and the setgid bit set.

the point of that is so you can have a umask of 002 without giving everyone in your group write permission to everything (since your primary group has only you as a member). then when you create a new directory you want to share with others you can change its group to one that does have other users as members; the setgid bit ensures that files you create there get the shared group instead of your private group.

personally I prefer to remove the setgid bit from /home and change its group to root and its permissions to 755 (they default to group writable). I also don't usually keep the setgid bit on the home directories since it's really not needed; it's only needed when a user wants to have a directory and its contents always have different group membership than their primary group, in which case they can set the setgid bit themselves IMO.
(I also think the 002 umask is gross; 027 seems more logical to me.. (with the main home directory group set to `users', which all shell accounts are a member of, and a mode of 710.) YMMV of course.)

--
Ethan Benson
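The group inheritance and umask behaviour described in the reply above, as an added shell example that is not part of the original thread. It assumes Linux with GNU coreutils (`stat -c`), and stands in for "a group with other members" with whichever supplementary group the running account has, falling back to the primary group when there is none.

```bash
# Added example, not from the original thread. Shows on Linux (GNU coreutils)
# how a setgid directory makes new files inherit its group, and how the 002
# and 027 umasks discussed shape the mode of a newly created file.
set -eu

# Stand-in for "a group with other members": the first supplementary group that
# differs from the primary one, else the primary group (example's assumption).
pick_shared_group() {
    local primary g
    primary=$(id -g)
    for g in $(id -G); do
        [ "$g" != "$primary" ] && { echo "$g"; return; }
    done
    echo "$primary"
}

# Create BASE/shared owned by the shared group with mode 2770 (the 's' in
# rwxrws--- is the setgid bit), then create a file and a subdirectory in it
# under umask 002. Prints the GID of the new file: it comes from the directory,
# not from the creating user's primary group.
setgid_demo() {
    local base="$1" dir
    dir="$base/shared"
    mkdir -p "$dir"
    chgrp "$(pick_shared_group)" "$dir"
    chmod 2770 "$dir"
    (umask 002; touch "$dir/note.txt"; mkdir "$dir/sub")
    stat -c '%g' "$dir/note.txt"
}

# Create BASE/umask_VALUE under the given umask and print its octal mode:
# touch asks for 0666, so 002 yields 664 and 027 yields 640.
umask_demo() {
    local base="$1" value="$2"
    (umask "$value"; touch "$base/umask_$value")
    stat -c '%a' "$base/umask_$value"
}

main() {
    local tmp
    tmp=$(mktemp -d)
    echo "primary gid $(id -g), shared gid $(pick_shared_group)"
    echo "file gid in setgid dir: $(setgid_demo "$tmp")"
    echo "subdir mode (setgid bit inherited): $(stat -c '%a' "$tmp/shared/sub")"
    echo "umask 002 -> mode $(umask_demo "$tmp" 002)"
    echo "umask 027 -> mode $(umask_demo "$tmp" 027)"
    rm -rf "$tmp"
}
main
```

With umask 002 the file in the setgid directory ends up 664 and group-owned by the shared group, which is exactly the combination the reply says the private-group scheme is built to make safe.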