On Wed, May 24, 2000 at 01:20:08PM -0700, Joey Hess wrote:

[ snip ]

> Right, user groups are a good thing. However, I fail to see why making
> home sgid is necessary for user groups to work at all, or is even
> related to user groups.
>
> The user group system allows you to set your umask to 002, thus making
> group writable files by default without having to worry about anyone
> else being in your user group and being able to write to group writable
> files in eg, your home directory. This makes it easy to make other
> groups, which multiple users *are* in, and have those groups share sgid
> directories that are common workspaces for all group members, all without
> having to mess with your umask or anything. This is (arguably) good.
>
> But your user group is the default group files you create are owned by,
> if you are not in one of the abovementioned sgid directories. So why
> make your home directory sgid? I see no benefits at all. I can remove
> the sgid bit, and everything continues to function exactly as it did
> before, except you can untar a tarball into a subdirectory of your home
> directory, without fear that tarring it back up will make all directories
> in the new tarball sgid.
>
> So what do sgid home directories buy us?

As far as I can tell, they ease the above setup (shared sgid directories)
for the newbie.
Observe:

: nnorman@canaris:~ $ ll -d ~
: drwxr-sr-x 32 nnorman nnorman 4096 May 24 16:24 /home/nnorman/
: nnorman@canaris:~ $ mkdir test
: nnorman@canaris:~ $ rmdir test
: nnorman@canaris:~ $ ls -ld ~
: drwxr-sr-x 32 nnorman nnorman 4096 May 24 16:24 /home/nnorman/
: nnorman@canaris:~ $ mkdir test
: nnorman@canaris:~ $ ls -ld test
: drwxrwsr-x 2 nnorman nnorman 4096 May 24 16:25 test/
: nnorman@canaris:~ $ chgrp mp3 test
: nnorman@canaris:~ $ ls -ld test
: drwxrwsr-x 2 nnorman mp3 4096 May 24 16:25 test/
: nnorman@canaris:~ $ touch test/testfile
: nnorman@canaris:~ $ ls -l test/testfile
: -rw-rw-r-- 1 nnorman mp3 0 May 24 16:25 test/testfile

Other than changing group ownership on directory "test", I didn't have to
change any attribute of that directory. Granted, "chmod 2775 test" or
"chmod g+s test" would work fine, but most new users seem to have severe
problems with suid/sgid bits, and since they fear them they don't use them.

A weak argument to be sure, but it's the only benefit I can see :)

-- 
Nathan Norman          "Eschew Obfuscation"          Network Engineer
GPG Key ID 1024D/51F98BB7                http://home.midco.net/~nnorman/
Key fingerprint = C5F4 A147 416C E0BF AB73 8BEF F0C8 255C 51F9 8BB7
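The two effects the thread argues about, reproduced in a throwaway directory. This is an added example, not code from either poster: it shows that a setgid bit on a directory is copied onto subdirectories created beneath it (the tarball concern), and that files created in a setgid directory take the directory's group, so a plain "chgrp" on the directory is enough. It assumes a Linux host with GNU coreutils (ls, stat, mktemp) and a temp filesystem that honours setgid.

```shell
#!/bin/sh
# Added example: setgid-directory behaviour behind the user-private-group
# discussion. Assumes Linux semantics and GNU coreutils.
set -eu

# Seventh character of the ls mode string: 's' or 'S' means setgid is set on a directory.
sgid_char() { ls -ld "$1" | cut -c7; }

# Group name owning a path (GNU stat).
group_of() { stat -c %G "$1"; }

# Build a scratch tree and print two tokens: the setgid column of a nested
# directory under a plain parent, then under a setgid parent. Expected: "x s".
sgid_propagation() {
    top=$(mktemp -d)
    umask 002                                   # the user-private-group umask from the thread
    mkdir "$top/plain" "$top/sgid"
    chmod g+s "$top/sgid"                       # the "chmod g+s test" alternative mentioned above
    mkdir -p "$top/plain/a/b" "$top/sgid/a/b"   # what untarring a tarball would create
    printf '%s %s\n' "$(sgid_char "$top/plain/a/b")" "$(sgid_char "$top/sgid/a/b")"
    rm -rf "$top"
}

# Create a file inside a setgid directory and print "<dir group> <file group>".
# If the caller belongs to a second group, the directory is chgrp'd to it first
# so the inheritance is visible; otherwise both tokens are the primary group.
group_inheritance() {
    top=$(mktemp -d)
    mkdir "$top/shared"
    chmod g+s "$top/shared"
    second=$(id -Gn | tr ' ' '\n' | sed -n 2p)  # empty when there is no second group
    if [ -n "$second" ]; then chgrp "$second" "$top/shared"; fi
    touch "$top/shared/testfile"
    printf '%s %s\n' "$(group_of "$top/shared")" "$(group_of "$top/shared/testfile")"
    rm -rf "$top"
}

sgid_propagation
group_inheritance
```

Run it as an ordinary user; the first line shows "x s" and the second line shows the same group name twice, which is exactly the "mp3 / mp3" outcome in the session above without touching the directory's mode.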