Old 10-18-2008, 04:55 PM
Les Mikesell
 
Default private group administration

Colin Walters wrote:
>
>>> <mw_triad@users.sourceforge.net> wrote:
>>>> If 'chmod g+w file;chgrp foo file' is too much work then there should be
>>>> a command that can do both.
>>> Groups are broken. Use access control lists: "man setfacl"
>> ACLs inherit the brokenness of groups, e.g. it is not possible to enforce that
>> everything within a certain directory is owned by everyone of a group,
>
> The point is with ACLs you don't need the files to have a specific
> ownership (user/group) as long as they have the right ACLs for access.
> A good way to do this is to avoid groups entirely and just add the
> users you want individually.


This is unmanageable as the people in groups change. When you are
designing operating systems you should understand that underlying data
and work processes may need to survive and be usable for decades as the
hardware and people change. I don't think anyone working with fedora
gets that.


--
Les Mikesell
lesmikesell@gmail.com

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 10-18-2008, 06:21 PM
Robert Locke
 
Default private group administration

On Sat, 2008-10-18 at 12:25 -0400, Chuck Anderson wrote:
> On Sat, Oct 18, 2008 at 10:53:05AM -0400, seth vidal wrote:
> > On Sat, 2008-10-18 at 10:40 -0400, Colin Walters wrote:
> > > 2008/10/18 Till Maas <opensource@till.name>:
> > > > On Sat October 18 2008, Colin Walters wrote:
> > > >> On Fri, Oct 17, 2008 at 8:12 PM, Matthew Woehlke
> > > >>
> > > >> <mw_triad@users.sourceforge.net> wrote:
> > > >> > If 'chmod g+w file;chgrp foo file' is too much work then there should be
> > > >> > a command that can do both.
> > > >>
> > > >> Groups are broken. Use access control lists: "man setfacl"
> > > >
> > > > ACLs inherit the brokenness of groups, e.g. it is not possible to enforce that
> > > > everything within a certain directory is owned by everyone of a group,
> > >
> > > The point is with ACLs you don't need the files to have a specific
> > > ownership (user/group) as long as they have the right ACLs for access.
> > > A good way to do this is to avoid groups entirely and just add the
> > > users you want individually.
> >
> > If there are enough people working on a project this does not scale.
>
> Right, with groups you can have files inherit the group from the
> directory they are in. Is there any inheritance with ACLs?
>

See 'setfacl d:' which can be used to set a "default" ACL on a directory
so that all "newly created files" will inherit it....

--Rob

 
Old 10-18-2008, 08:32 PM
seth vidal
 
Default private group administration

On Sat, 2008-10-18 at 12:25 -0400, Chuck Anderson wrote:
> On Sat, Oct 18, 2008 at 10:53:05AM -0400, seth vidal wrote:
> > On Sat, 2008-10-18 at 10:40 -0400, Colin Walters wrote:
> > > 2008/10/18 Till Maas <opensource@till.name>:
> > > > On Sat October 18 2008, Colin Walters wrote:
> > > >> On Fri, Oct 17, 2008 at 8:12 PM, Matthew Woehlke
> > > >>
> > > >> <mw_triad@users.sourceforge.net> wrote:
> > > >> > If 'chmod g+w file;chgrp foo file' is too much work then there should be
> > > >> > a command that can do both.
> > > >>
> > > >> Groups are broken. Use access control lists: "man setfacl"
> > > >
> > > > ACLs inherit the brokenness of groups, e.g. it is not possible to enforce that
> > > > everything within a certain directory is owned by everyone of a group,
> > >
> > > The point is with ACLs you don't need the files to have a specific
> > > ownership (user/group) as long as they have the right ACLs for access.
> > > A good way to do this is to avoid groups entirely and just add the
> > > users you want individually.
> >
> > If there are enough people working on a project this does not scale.
>
> Right, with groups you can have files inherit the group from the
> directory they are in. Is there any inheritance with ACLs?

It's not about inheritance. It is about the number of individuals with
permissions before things start to become cumbersome to manage.

-sv


 
Old 10-19-2008, 09:11 AM
Lutz Lange
 
Default private group administration


Les Mikesell schrieb:
> Colin Walters wrote:
>>
>>>> <mw_triad@users.sourceforge.net> wrote:
>>>>> If 'chmod g+w file;chgrp foo file' is too much work then there
>>>>> should be
>>>>> a command that can do both.
>>>> Groups are broken. Use access control lists: "man setfacl"
>>> ACLs inherit the brokenness of groups, e.g. it is not possible to
>>> enforce that
>>> everything within a certain directory is owned by everyone of a group,
>>
>> The point is with ACLs you don't need the files to have a specific
>> ownership (user/group) as long as they have the right ACLs for access.
>> A good way to do this is to avoid groups entirely and just add the
>> users you want individually.
>
> This is unmanageable as the people in groups change. When you are
> designing operating systems you should understand that underlying data
> and work processes may need to survive and be usable for decades as the
> hardware and people change. I don't think anyone working with fedora
> gets that.
>

This is actually what students tell me as well. Using ACLs, file
permissions are quite hard to manage over time. ACLs tend to stay on fs
entries when users get deleted. It is an extra burden on the admin to
search and remove them.

We should find a way to make it easier to maintain ACLs - especially in
case users are removed from the system. I'm sure a clean up script could
be devised for the case of user removal. This would ease the process.

Or does such a script/program exist already?

Cheers
Lutz

- --
Lutz Lange
GLS Instructor
Red Hat GmbH
Hauptstätterstrasse 58
D-70178 Stuttgart - Germany

Tel. +49 711 96 437 570
Mobile +49 172 75 285 17
Fax +49 711 96 437 111
Email: llange@redhat.com
____________________________________________________________________
Reg. Adresse: Red Hat GmbH, Otto-Hahn-Strasse 20, 85609 Dornach bei Muenchen
Handelsregister: Amtsgericht Muenchen HRB 153243
Geschaeftsfuehrer: Brendan Lane, Charlie Peters, Michael Cunningham,
Werner Knoblich

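The clean-up script Lutz asks about, as an added example (not code from the thread, Fedora, or the acl package): it parses the text output of `getfacl -R`, flags named entries whose user or group no longer exists, and prints the matching `setfacl -x` lines for an admin to review. It assumes getfacl's behaviour of printing a bare numeric id when a qualifier cannot be resolved to a name; the sample output and the passwd/group stand-ins are constructed.

```python
import re

# Named entries only: owner, mask and other entries carry no qualifier.
ENTRY_RE = re.compile(r"^(default:)?(user|group):([^:]+):[rwx-]{3}$")

# Constructed sample in the text format of `getfacl -R`; uid 1007 has no
# passwd entry any more, so getfacl prints the bare number instead of a name.
SAMPLE_GETFACL = """\
# file: shared/report.txt
# owner: alice
# group: devs
user::rw-
user:bob:rw-
user:1007:rw-
group::r--
group:devs:rw-
mask::rw-
other::r--

# file: shared
# owner: alice
# group: devs
user::rwx
group::rwx
group:oldteam:rwx
default:user:1007:rwx
other::r-x
"""
KNOWN_USERS = {"alice", "bob"}   # constructed stand-in for /etc/passwd
KNOWN_GROUPS = {"devs"}          # constructed stand-in for /etc/group

def find_orphaned_entries(getfacl_text, known_users, known_groups):
    """(path, is_default, kind, qualifier) for each named entry whose
    qualifier is a bare numeric id or a name missing from the databases."""
    orphans, path = [], None
    for line in getfacl_text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        is_default, kind, qualifier = bool(m.group(1)), m.group(2), m.group(3)
        known = known_users if kind == "user" else known_groups
        if qualifier.isdigit() or qualifier not in known:
            orphans.append((path, is_default, kind, qualifier))
    return orphans

def removal_commands(orphans):
    """setfacl -x lines to review before running; default entries take d:."""
    return ["setfacl -x %s%s:%s %s" % ("d:" if d else "", k[0], q, p)
            for p, d, k, q in orphans]
```

Run it against real output with `getfacl -R /srv/shared` piped into `find_orphaned_entries` and the live `pwd`/`grp` modules in place of the stand-ins; paths containing spaces would need quoting before the commands are executed.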
 
Old 10-19-2008, 11:17 AM
Till Maas
 
Default private group administration

On Sat October 18 2008, Robert Locke wrote:
> On Sat, 2008-10-18 at 12:25 -0400, Chuck Anderson wrote:

> > Right, with groups you can have files inherit the group from the
> > directory they are in. Is there any inheritance with ACLs?
>
> See 'setfacl d:' which can be used to set a "default" ACL on a directory
> so that all "newly created files" will inherit it....

But this does not work satisfactorily all the time. Given you have a directory
on one system that everybody within a certain group should be able to access
completely. Then you scp a file that is not group writable (e.g. from a CD)
to it. Which default ACL for a group will make the file writeable or
chmodable for everyone from this group? Afaik there is no such ACL. The best
approaches except giving everybody chmod/chown access via sudo would be to
mount a vfat filesystem into the directory, because it accepts a gid/uid mount
option to enforce a certain gid for all contents, or to use a fuse wrapper
filesystem that manages the permissions, but I am not sure whether this is
possible or does already exist.

Regards,
Till

 
Old 10-20-2008, 02:16 AM
Robert Locke
 
Default private group administration

On Sun, 2008-10-19 at 13:17 +0200, Till Maas wrote:
> On Sat October 18 2008, Robert Locke wrote:
> > On Sat, 2008-10-18 at 12:25 -0400, Chuck Anderson wrote:
>
> > > Right, with groups you can have files inherit the group from the
> > > directory they are in. Is there any inheritance with ACLs?
> >
> > See 'setfacl d:' which can be used to set a "default" ACL on a directory
> > so that all "newly created files" will inherit it....
>
> But this does not work satisfactorily all the time. Given you have a directory
> on one system that everybody within a certain group should be able to access
> completely. Then you scp a file that is not group writable (e.g. from a CD)
> to it. Which default ACL for a group will make the file writeable or
> chmodable for everyone from this group? Afaik there is no such ACL. The best
> approaches except giving everybody chmod/chown access via sudo would be to
> mount a vfat filesystem into the directory, because it accepts a gid/uid mount
> option to enforce a certain gid for all contents, or to use a fuse wrapper
> filesystem that manages the permissions, but I am not sure whether this is
> possible or does already exist.

Little confused on your scenario.

A newly created file will get the ownership of the process creating it
(user/primary group), unless the directory is SGID, in which case it will get
the group of the directory. The permissions assigned will be based on the
creating program's desire minus umask. The ACLs assigned will be based
on the "Default ACLs" of the directory (if any were set). But this only
applies to "newly" created files, so let's talk about copying....

If you use "cp -a" or "cp -p" or "mv", these endeavor to "preserve" the
permissions from whence the file came, and what I described above
does not apply. A simple cp without arguments would be creating "new"
files, and the above would apply.

Does that clarify why you are not getting the Default ACL sometimes?

--Rob

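The new-file versus preserved-copy distinction Rob describes, as an added example (not from the thread): a read-only source file is placed into a setgid shared directory once as a plain copy, which creates a new file and gets 0666 minus umask, and once with attributes preserved, which keeps the source's 0444 and is exactly the case Till's scp'd file falls into. Default ACLs are left out because reading them needs setfacl/getfacl or pylibacl, which this example does not assume; `shutil.copyfile` and `shutil.copy2` stand in for `cp` and `cp -p`.

```python
import os
import shutil
import stat
import tempfile

def new_file_mode(requested=0o666, umask=0o002):
    """Mode a new file gets: the creating program's request minus umask."""
    return requested & ~umask

def demo(tmp=None):
    """Create a setgid shared directory, put a read-only file into it two
    ways, and report the observed modes and group ownership."""
    tmp = tmp or tempfile.mkdtemp()
    shared = os.path.join(tmp, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o2775)          # rwxrwsr-x: setgid bit on the directory
    src = os.path.join(tmp, "from_cd.txt")
    with open(src, "w") as f:
        f.write("read-only source\n")  # constructed sample content
    os.chmod(src, 0o444)              # not group writable, like a file off a CD
    plain = os.path.join(shared, "plain_copy.txt")
    preserved = os.path.join(shared, "preserved_copy.txt")
    old_umask = os.umask(0o002)
    try:
        shutil.copyfile(src, plain)   # plain `cp`: a *new* file, 0666 minus umask
        shutil.copy2(src, preserved)  # `cp -p`: copies the source mode as well
    finally:
        os.umask(old_umask)

    def mode(path):
        return stat.S_IMODE(os.stat(path).st_mode)

    dir_gid = os.stat(shared).st_gid
    return {
        "dir_setgid": bool(os.stat(shared).st_mode & stat.S_ISGID),
        "plain_mode": mode(plain),            # new file: umask applied
        "preserved_mode": mode(preserved),    # source mode kept, group cannot write
        "plain_gid_matches_dir": os.stat(plain).st_gid == dir_gid,
        "preserved_gid_matches_dir": os.stat(preserved).st_gid == dir_gid,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if type(value) is int else value)
```

The setgid directory only fixes the group; it does nothing for the 0444 mode that `cp -p`, `mv` and `scp -p` carry over, which is why a default ACL alone cannot make that file group-writable.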
 
