On 5/10/2010 1:07 PM, Klaus Ethgen wrote: > I still makes sense. The user will not win with the lazier umask but he > will probably loose security. > > See the case the user wants another person in his own group to share > files. Then he might set the files readable for his group only but not > for world. So the other user can read this data. But he cannot write it > as it might be intended. > > Setting the umask to 002 let the other user _edit_ all files the user > did create in the past with that umask factual giving away most of his > files. The point of UPG is to not put users you don't trust in your private group. That's why it's called "private". :) If you don't trust users in your UPG, then the administrator should setup a different group, and put the necessary users in that group. > The better Idea would be to set the user mask to 027 which then add a > new value of security. > > If a user want the group to have write permissions this should be set > explicit. By the way, with zsh you can make directory profiles which > set the umask depending on the directory. I'm all for increasing security, but it always comes at a cost. Nothing in security is free. In this case, the convenience of setting up group collaboration directories becomes a pain to administer, as the group write bit is never set, and cron jobs, profile-specific umask values, or FACLs are used instead, adding to the complexity of the system. -- . O . O . O . . O O . . . O . . . O . O O O . O . O O . . O O O O . O . . O O O O . O O O
Attachment:
signature.asc
Description: OpenPGP digital signature