[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: UPG and the default umask

On Tue, May 11, 2010 at 06:09:58PM -0700, Russ Allbery wrote:
> UPG without a umask of 002 is pointless.  One may as well just put all
> users in a users group.

Right, our default setup is a strange and basically meaningless blend of
two different approaches to user primary groups.

One approach would be for users to be in a shared group (typically
"users", but a project- or organization-specific group would also be
common) and would have a more restrictive default umask (probably 022,
or maybe something even more strictive like 077).  Users can than share
files with other members of their primary group by granting access using

The other approach is to use private groups, like we do in Debian, but
with a more permissive default umask (probably 002).  Collaboration is
then achieved by setting the setgid bit on a directory where the
collaborative work is being done.

Either of these approaches is OK.  User's files are not writable by
anybody but that user unless explicit steps are taken.

Our default settings, however, break both of these approaches.  The
first doesn't work because the group permissions are effectively
meaningless, since there isn't anybody but the user in the group.  The
second is broken because the umask is too restrictive, so changing the
group ownership of a file doesn't accomplish anything.

It would be interesting to see the discussion that lead to our current
default setup, if anybody feels like combing the archives...


Attachment: signature.asc
Description: Digital signature

Reply to: