Old 07-03-2008, 03:40 PM
Florian Philipp
 
Default OT: Filesystem permissions

Hi list!

I'm a bit dissatisfied with the way umask and filesystem permissions
work and I'd like to know if a) this is due to misunderstanding on my
part and/or b) there is a clean workaround I'm unaware of.

Let's say I have a system with various users working on some sensible
data. Therefore I have to set up various security policies regarding
file permissions and so forth.

For example every $HOME-directory should be only readable to the user
himself (e.g. for user phil_fl: chown phil_fl:phil_fl; umask 0077 or
0007).

Then there might be a common folder for all users in a specific group
as a simple way of sharing files. These shall be accessible by every
user in the group but by none else, so for the user phil_fl and the
group users: chown phil_fl:users; umask 0007.

As we see, the umask itself isn't the problem (in this special case)
but the group is it, however, there might be cases in which I need to
change both for special folders. How do I do this without needing any
interaction from the users?

Thanks in advance!

Florian Philipp
 
Old 07-03-2008, 03:52 PM
Alan McKinnon
 
Default OT: Filesystem permissions

On Thursday 03 July 2008, Florian Philipp wrote:
> Hi list!
>
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
>
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
>
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil_fl; umask 0077 or
> 0007).
>
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
>
> As we see, the umask itself isn't the problem (in this special case)
> but the group is it, however, there might be cases in which I need to
> change both for special folders. How do I do this without needing any
> interaction from the users?

umask does nothing for you here, it is simply a default starting point
for the permissions of new files and directories and the user is
completely free to change it to anything they feel like.

Yes, this is by design. Yes, this is a very good thing :-)

You want to set the setgid bit on the containing directory and chgrp
that directory to the group involved.

A bit of googling will help you further, if you get stuck or have no
idea what I could possibly be on about, post back and I'll post the
full story. It's quite involved and if it were code, it would be a
heavily nested if clause

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
 
Old 07-03-2008, 05:58 PM
Florian Philipp
 
Default OT: Filesystem permissions

On Thu, 3 Jul 2008 17:52:29 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:

> On Thursday 03 July 2008, Florian Philipp wrote:
> > Hi list!
> >
> > I'm a bit dissatisfied with the way umask and filesystem permissions
> > work and I'd like to know if a) this is due to misunderstanding on
> > my part and/or b) there is a clean workaround I'm unaware of.
> >
> > Let's say I have a system with various users working on some
> > sensible data. Therefore I have to set up various security policies
> > regarding file permissions and so forth.
> >
> > For example every $HOME-directory should be only readable to the
> > user himself (e.g. for user phil_fl: chown phil_fl:phil_fl; umask
> > 0077 or 0007).
> >
> > Then there might be a common folder for all users in a specific
> > group as a simple way of sharing files. These shall be accessible
> > by every user in the group but by none else, so for the user
> > phil_fl and the group users: chown phil_fl:users; umask 0007.
> >
> > As we see, the umask itself isn't the problem (in this special case)
> > but the group is it, however, there might be cases in which I need to
> > change both for special folders. How do I do this without needing
> > any interaction from the users?
>
> umask does nothing for you here, it is simply a default starting
> point for the permissions of new files and directories and the user
> is completely free to change it to anything they feel like.
>
> Yes, this is by design. Yes, this is a very good thing :-)
>
> You want to set the setgid bit on the containing directory and chgrp
> that directory to the group involved.

Argh, of course!
I even read this stuff up this morning but I overlooked the paragraph!

Thanks!
 
Old 07-04-2008, 12:05 AM
Daniel Iliev
 
Default OT: Filesystem permissions

On Thu, 3 Jul 2008 17:40:01 +0200
Florian Philipp <lists@f_philipp.fastmail.net> wrote:

> Hi list!
>
> I'm a bit dissatisfied with the way umask and filesystem permissions
> work and I'd like to know if a) this is due to misunderstanding on my
> part and/or b) there is a clean workaround I'm unaware of.
>
> Let's say I have a system with various users working on some sensible
> data. Therefore I have to set up various security policies regarding
> file permissions and so forth.
>
> For example every $HOME-directory should be only readable to the user
> himself (e.g. for user phil_fl: chown phil_fl:phil_fl; umask 0077 or
> 0007).
>
> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.
>
> As we see, the umask itself isn't the problem (in this special case)
> but the group is it, however, there might be cases in which I need to
> change both for special folders. How do I do this without needing any
> interaction from the users?
>
> Thanks in advance!
>
> Florian Philipp


AFAIK it was RedHat who introduced the so called "User Private Groups"
scheme which is convenient exactly for situations like yours. Gentoo
also uses that scheme by default.

In short, instead of creating all user accounts as members of the group
"users", now for every user account useradd(8) creates a "private"
group for the account in addition. "Peter" is created with main group
"Peter", "Ann" is created with main group "Ann" and so on.

If you wanted "Peter" and "Ann" to share a common folder, you have to
create a common group for them (e.g. "project") and add each of them to
that group. Then create a directory with owner "root:project" and the
GID bit on. The GID bit makes the newly created files in the directory
be owned by the group "project", instead of by the group of the user
creating the file.

P.S.

This schema may be convenient for some things but as usual it also has
some disadvantages for others. I have asked here about one of the
disadvantages (my personal point of view) when I discovered there was a
new scheme:

http://thread.gmane.org/gmane.linux.gentoo.user/190110

--
Best regards,
Daniel
--
gentoo-user@lists.gentoo.org mailing list
 
Old 07-04-2008, 07:58 AM
Dirk Heinrichs
 
Default OT: Filesystem permissions

On Thursday, 3 July 2008, Florian Philipp wrote:

> Then there might be a common folder for all users in a specific group
> as a simple way of sharing files. These shall be accessible by every
> user in the group but by none else, so for the user phil_fl and the
> group users: chown phil_fl:users; umask 0007.

Forget umask, you have to adjust the permissions of that _directory_
accordingly:

chmod 770 groupdir

and, as others already wrote, eventually set the SGID bit so that all files
within are owned by the group you want.

You can later add permissions for other users or groups by using ACLs, see man
pages of setfacl and getfacl.

HTH...

Dirk
 
Old 07-04-2008, 08:01 AM
Dirk Heinrichs
 
Default OT: Filesystem permissions

On Friday, 4 July 2008, Dirk Heinrichs wrote:

> You can later add permissions for other users or groups by using ACLs, see
> man pages of setfacl and getfacl.

...given that you have compiled your filesystem modules with ACL support.

Bye...

Dirk
 
Old 07-04-2008, 02:24 PM
Alan McKinnon
 
Default OT: Filesystem permissions

On Thursday 03 July 2008, Florian Philipp wrote:
> > You want to set the setgid bit on the containing directory and
> > chgrp that directory to the group involved.
>
> Argh, of course!
> I even read this stuff up this morning but I overlooked the
> paragraph!

In all likelihood you will want to set the write bit for groups on as
well (for the setup to be truly useful as a group share). For that you
will need posix acls, there's no way to do it with just permissions and
defaults.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
 
Old 07-04-2008, 03:03 PM
Florian Philipp
 
Default OT: Filesystem permissions

On Fri, 4 Jul 2008 16:24:52 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:

> On Thursday 03 July 2008, Florian Philipp wrote:
> > > You want to set the setgid bit on the containing directory and
> > > chgrp that directory to the group involved.
> >
> > Argh, of course!
> > I even read this stuff up this morning but I overlooked the
> > paragraph!
>
> In all likelihood you will want to set the write bit for groups on
> as well (for the setup to be truly useful as a group share). For that
> you will need posix acls, there's no way to do it with just
> permissions and defaults.
>

I've just set the umask 0007 in /etc/profile. With the rule that
every user has his own primary group (as it is default), this is
sufficient for my needs.

I haven't tested every application but at least konqueror seems to
respect this setting.

If I can avoid the usage of acls with a few global settings, I'm
willing to do so. The prospect of having two levels of filesystem
permissions, each only visible with different, dedicated tools, causes me
headaches.
 
Old 07-04-2008, 04:35 PM
Alan McKinnon
 
Default OT: Filesystem permissions

On Friday 04 July 2008, Florian Philipp wrote:

> I've just set the umask 0007 in /etc/profile. With the rule that
> every user has his own primary group (as it is default), this is
> sufficient for my needs.

Hmmm. That gives permissions:

rw-rw----

on every single new file created by every single user by default.

If you are happy with that, so be it. I would not be happy with that :-)


--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
 
Old 07-04-2008, 05:31 PM
Florian Philipp
 
Default OT: Filesystem permissions

On Fri, 4 Jul 2008 18:35:58 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:

> On Friday 04 July 2008, Florian Philipp wrote:
>
> > I've just set the umask 0007 in /etc/profile. With the rule that
> > every user has his own primary group (as it is default), this is
> > sufficient for my needs.
>
> Hmmm. That gives permissions:
>
> rw-rw----
>
> on every single new file created by every single user by default.
>
> If you are happy with that, so be it. I would not be happy with
> that :-)
>
>

Since every user has another primary group this doesn't cause problems.
Only on folders with SETGID where the group is changed by design this
umask causes other users to have write and read permissions and that's
what I wanted in the first place.
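
Added example, not part of any post in this thread: a shell script that measures how the umask values and the setgid directory bit discussed above combine for newly created files and subdirectories. It assumes Linux with GNU stat; the `share` directory and the function names are constructed for illustration, and the directory keeps the caller's own group so no root or chgrp is needed.

```shell
#!/bin/sh
# Added example: observe how umask and the setgid bit combine in a shared directory.
# Assumes Linux with GNU stat; "share" is a constructed directory under a temp dir.

# make_share: create a group-only directory with the setgid bit (chmod 2770).
make_share() {
    base=$(mktemp -d) || return 1
    mkdir "$base/share" && chmod 2770 "$base/share" || return 1
    printf '%s\n' "$base/share"
}

# new_file_mode UMASK DIR: octal mode of a file created in DIR under UMASK.
new_file_mode() (
    umask "$1"
    f="$2/file.$1"
    : > "$f" && stat -c '%a' "$f"
)

# new_dir_mode UMASK DIR: octal mode of a subdirectory created in DIR under UMASK.
new_dir_mode() (
    umask "$1"
    d="$2/dir.$1"
    mkdir "$d" && stat -c '%a' "$d"
)

# group_inherited DIR: succeeds if a new file in DIR carries DIR's group.
group_inherited() (
    umask 0007
    f="$1/owned"
    : > "$f" && [ "$(stat -c '%g' "$f")" = "$(stat -c '%g' "$1")" ]
)

share=$(make_share) || exit 1
echo "share dir:          $(stat -c '%a %G' "$share")"
echo "file,  umask 0007:  $(new_file_mode 0007 "$share")"   # group can read and write
echo "file,  umask 0077:  $(new_file_mode 0077 "$share")"   # owner only, even in the share
echo "subdir, umask 0007: $(new_dir_mode 0007 "$share")"    # setgid bit is inherited
group_inherited "$share" && echo "new files take the directory's group"
rm -rf "$(dirname "$share")"
```

On a real share the directory would first be given the common group with chgrp, which requires membership in that group or root.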
 

All times are GMT.