12-31-2011, 11:54 AM
Reindl Harald

creating all users with one primary group?

On 31.12.2011 13:29, Frantisek Hanzlik wrote:
> Has anyone experience with situation, when all users on Fedora
> distro have same primary group (i.e. is not created extra group
> for every user?
>
> Namely I'm asking when all programs will be working without problems.

programs are not interested on this detail
applications have the needed permissions or not

and yes, it works using only one users-group or mix users
and groups in any way you want, this is how it is designed
to do and having each user in a own group in my opinion
is a dumb default

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
12-31-2011, 12:28 PM
Frantisek Hanzlik

creating all users with one primary group?

Reindl Harald wrote:
>
>
> On 31.12.2011 13:29, Frantisek Hanzlik wrote:
>> Has anyone experience with situation, when all users on Fedora
>> distro have same primary group (i.e. is not created extra group
>> for every user?
>>
>> Namely I'm asking when all programs will be working without problems.
>
> programs are not interested on this detail
> applications have the needed permissions or not
>
> and yes, it works using only one users-group or mix users
> and groups in any way you want, this is how it is designed
> to do and having each user in a own group in my opinion
> is a dumb default

I understand how permission works and that *most* apps should work
fine. But, are not any (perhaps system or desktop environment),
which depends e.g. "/etc/login.defs" defined "GID_MIN" variable?
Or have some GID boundaries hard-compiled (something as suexec has)?
Or when may be some SELINUX problems here?

Franta
 
12-31-2011, 12:31 PM
Reindl Harald

creating all users with one primary group?

On 31.12.2011 14:28, Frantisek Hanzlik wrote:
> Reindl Harald wrote:
>>
>>
>> On 31.12.2011 13:29, Frantisek Hanzlik wrote:
>>> Has anyone experience with situation, when all users on Fedora
>>> distro have same primary group (i.e. is not created extra group
>>> for every user?
>>>
>>> Namely I'm asking when all programs will be working without problems.
>>
>> programs are not interested on this detail
>> applications have the needed permissions or not
>>
>> and yes, it works using only one users-group or mix users
>> and groups in any way you want, this is how it is designed
>> to do and having each user in a own group in my opinion
>> is a dumb default
>
> I understand how permission works and that *most* apps should work
> fine. But, are not any (perhaps system or desktop environment),
> which depends e.g. "/etc/login.defs" defined "GID_MIN" variable?
> Or have some GID boundaries hard-compiled (something as suexec has)?
> Or when may be some SELINUX problems here?

what have "/etc/login.defs" to do with the fact that there is
simply no need to have a personal group for a user at all?



 
12-31-2011, 01:08 PM
Frantisek Hanzlik

creating all users with one primary group?

Reindl Harald wrote:
> On 31.12.2011 14:28, Frantisek Hanzlik wrote:
>> Reindl Harald wrote:
>>>
>>>
>>> On 31.12.2011 13:29, Frantisek Hanzlik wrote:
>>>> Has anyone experience with situation, when all users on Fedora
>>>> distro have same primary group (i.e. is not created extra group
>>>> for every user?
>>>>
>>>> Namely I'm asking when all programs will be working without problems.
>>>
>>> programs are not interested on this detail
>>> applications have the needed permissions or not
>>>
>>> and yes, it works using only one users-group or mix users
>>> and groups in any way you want, this is how it is designed
>>> to do and having each user in a own group in my opinion
>>> is a dumb default
>>
>> I understand how permission works and that *most* apps should work
>> fine. But, are not any (perhaps system or desktop environment),
>> which depends e.g. "/etc/login.defs" defined "GID_MIN" variable?
>> Or have some GID boundaries hard-compiled (something as suexec has)?
>> Or when may be some SELINUX problems here?
>
> what have "/etc/login.defs" to do with the fact that there is
> simply no need to have a personal group for a user at all?

Nothing, of course. I'm saying rather about value of "users" group - when
problem will not be in value "100"; when it is safely usable.
I'm sure when I use this common GID >=500 (>=1000 in F16+) then there will
not be any problem.
But what when using GID=100 (although this GID was historically used for
these purposes)? I'm not knowing when Fedora implement some own
restriction about these "normal users" UID/GID values.
 
12-31-2011, 02:11 PM
Dave Ihnat

creating all users with one primary group?

On Sat, Dec 31, 2011 at 02:31:04PM +0100, Reindl Harald wrote:
> what have "/etc/login.defs" to do with the fact that there is
> simply no need to have a personal group for a user at all?

You're probably not thinking about multiple users on a relatively secure
system. I *think*, if I recall correctly, that AT&T System III & V put
everyone in the same group. This is a possible security breach, since any
executable/directory/file that might grant rights to that group would be
open to exploit by anyone in the group.

So, from a security point of view, it makes a lot more sense to assign each
user to their own group, and only let them in shared groups by deliberate
assignment. It doesn't cost anything in terms of resources or performance.

Cheers,
--
Dave Ihnat
dihnat@dminet.com
 
12-31-2011, 02:21 PM
Reindl Harald

creating all users with one primary group?

On 31.12.2011 16:11, Dave Ihnat wrote:
> On Sat, Dec 31, 2011 at 02:31:04PM +0100, Reindl Harald wrote:
>> what have "/etc/login.defs" to do with the fact that there is
>> simply no need to have a personal group for a user at all?
>
> You're probably not thinking about multiple users on a relatively secure
> system.

oh yes i consider

> I *think*, if I recall correctly, that AT&T System III & V put
> everyone in the same group. This is a possible security breach, since any
> executable/directory/file that might grant rights to that group would be
> open to exploit by anyone in the group

yes and no

if i need that i do chmod 700 for folders and chmod 600 for files
no need to create a group for each user

> So, from a security point of view, it makes a lot more sense to assign each
> user to their own group, and only let them in shared groups by deliberate
> assignment. It doesn't cost anything in terms of resources or performance.

from a security point of view above chmod's are making much more sense

and if you need finer restrictions you need ACL's where groups for each
user does not make sense at all - you need in this case groups for several
roles and assign matching ACL's

own groups for each user does not make sense at all

 
12-31-2011, 02:45 PM
Joel Rees

creating all users with one primary group?

On Sun, Jan 1, 2012 at 12:21 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>
>
> On 31.12.2011 16:11, Dave Ihnat wrote:
>> On Sat, Dec 31, 2011 at 02:31:04PM +0100, Reindl Harald wrote:
>>> what have "/etc/login.defs" to do with the fact that there is
>>> simply no need to have a personal group for a user at all?
>>
>> You're probably not thinking about multiple users on a relatively secure
>> system.
>
> oh yes i consider
>
>> I *think*, if I recall correctly, that AT&T System III & V put
>> everyone in the same group. This is a possible security breach, since any
>> executable/directory/file that might grant rights to that group would be
>> open to exploit by anyone in the group
>
> yes and no
>
> if i need that i do chmod 700 for folders and chmod 600 for files
> no need to create a group for each user
>
>> So, from a security point of view, it makes a lot more sense to assign each
>> user to their own group, and only let them in shared groups by deliberate
>> assignment. It doesn't cost anything in terms of resources or performance.
>
> from a security point of view above chmod's are making much more sense
>
> and if you need finer restrictions you need ACL's where groups for each
> user does not make sense at all - you need in this case groups for several
> roles and assign matching ACL's

In other words, you really, really like ACLs.

> own groups for each user does not make sense at all

You keep asserting that.

I find them quite useful, because slapping ACLs on everything requires
a lot of processor time and disk space to support, and you think your
programs that update those lists have all the corner cases, and they
don't.

It's a lot easier to define non-login users for certain activities and
then share those groups, and when you do that, it makes total sense to
basically have every user in his own primary group. That was the
traditional way to do things in Unix since way before ACLs were added
to any large distribution of Unix.

Having every login user in its own primary group also helps when you
want to do certain kinds of sandboxing using sudo.

You apparently don't like to do things that way.

--
Joel Rees
 
12-31-2011, 03:04 PM
Joel Rees

creating all users with one primary group?

On Sat, Dec 31, 2011 at 9:29 PM, Frantisek Hanzlik <franta@hanzlici.cz> wrote:
> Has anyone experience with situation, when all users on Fedora
> distro have same primary group (i.e. is not created extra group
> for every user?

It's common in some distributions.

(Mac OS X, 10.0 - 10.2 had a common "staff" group into which all login
users went. From 10.3, I think, they went with making a primary group
per user. Of course, that's BSD, not Linux.)

> Namely I'm asking when all programs will be working without problems.
> I want use for all users predefined group "users" (GID=100), which
> seems be intended for that situation; in "/etc/default/useradd" is
> this group defined.

I think that group has been used both ways, actually -- primary or
secondary group for login users. Different requirements do different
things there.

> I'm little confused from two things too:
>
> - according to useradd man page, USERGROUPS_ENAB variable in
> "/etc/login.defs" controls, when by default will be for users created
> their own primary group or not. Thus set "USERGROUPS_ENAB no" should
> disable this "feature". But in this file on Fedora distros
> (F14-F16) is weird comment
> "This enables userdel to remove user groups if no members exist"

According to some admin techniques, which are not universal. The
"user" series of user admin tools are by no means the only ways to
manage users.

> - "/etc/login.defs" defines variable "GID_MIN 500". In F16 are min
> UID/GID raised to 1000 and arrives two new variables
> SYS_UID_MIN 201
> SYS_UID_MAX 999

Which seems both sensible and weird to me.

Sensible because it's nice to have lots of headroom for inventing
system users, and weird because it wasn't so long since they added
GID_MIN and set it at 500, and made the associated move from masking
users out of the login dialog by their login shell to masking them out
by lack of password -- which looks to me like a vulnerability just
waiting to happen.

> Poses this that what GID=100 are still "normal user" GID and may be
> used as primary (and only) user group ID?

Probably something they forgot to change. On the other hand, if you
have a default user group, whether assigned primary or secondary, you
don't want to ever assign a login user the same uid number.

> Thanks, Franta

--
Joel Rees
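
Added example, not part of the original thread or of any poster's message: a POSIX shell audit for the two things debated above, which login users (UID at or above UID_MIN from a login.defs-format file) share a primary GID, and which files under a directory are group-writable for that GID and therefore writable by every member. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not from a real host): a login.defs fragment for
# the shared-group setup asked about, and passwd entries in the usual
# name:pw:uid:gid:gecos:home:shell format.
SAMPLE_DEFS='# constructed login.defs fragment
UID_MIN   1000
GID_MIN   1000
USERGROUPS_ENAB no'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash'

# uid_min DEFS_FILE: print UID_MIN from a login.defs-format file
# (falls back to 1000, the F16+ value mentioned in the thread).
uid_min() {
    awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? 1000 : v) }' "$1"
}

# shared_primary_gids PASSWD_FILE UID_MIN: print "gid:user1,user2,..." for
# every primary GID held by more than one login user (uid >= UID_MIN).
shared_primary_gids() {
    awk -F: -v min="$2" '
        $3 + 0 >= min + 0 {
            n[$4]++
            members[$4] = (members[$4] == "" ? $1 : members[$4] "," $1)
        }
        END { for (g in n) if (n[g] > 1) print g ":" members[g] }
    ' "$1" | sort -t: -k1,1n
}

# group_exposed DIR GID: list regular files and directories under DIR that
# belong to GID and have the group-write bit set, i.e. are writable by
# every member of that group.
group_exposed() {
    find "$1" \( -type f -o -type d \) -group "$2" -perm -020 -print | sort
}

# Demo on the constructed data only; nothing on the host is read.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_DEFS" > "$tmp/login.defs"
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    min=$(uid_min "$tmp/login.defs")
    echo "login users start at UID $min"
    shared_primary_gids "$tmp/passwd" "$min"
    rm -rf "$tmp"
}
demo
```

On a real host the same functions take /etc/login.defs and /etc/passwd, and group_exposed is pointed at the home tree with each shared GID that was reported.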