[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

user private groups and a src group

I learned about this scheme from Ian Jackson, though apparently y'all have
been discussing this since before I got there.  The intention of the scheme
is to get useful default access for both home directories/files and project
directories/files.  For the benefit of the other latecomers (and to
double-check my understanding) this is the idea:

      * Set the system default umask to 006 (or 002 I suppose).
      * Set the default group of each user to their own private
	group (e.g. a group with the same name and id as the user,
	whose only member is the user).
      * Set each user home directory's group to the user's private
	group.  The default permissions, e.g. -rwxrwx--x, will not
	actually grant read or write access to anyone but the user.
      * Enroll each source maintainer in a group named "src".
      * Set the group of /usr/src to src.  The group of any
	subdirectories created by members of src will default to
	src and the default permissions (again, -rwxrwx--x) will
	allow all members of src to collaborate on maintenance of
	the software in /usr/src.

I was a little surprised to see this being promoted, because
files/subdirectories do not inherit the group of their parent directory in
SYSV (which, unfortunately, is what Linux tries to be).  However, this
scheme solves an annoying problem and I was anxious to try it.

After converting my system to the new private group scheme, I found it
didn't work!

`groups birkholz` shows that I'm a member of only one group -- my default,
private group.  According to /etc/group, I should be a member of four
groups: birkholz, wheel, users, project.  Yet I cannot write files having
group write permission and group project (unless I also own the file).

Also, the groups command (or Linux itself) doesn't seem to be working quite
right for root either.  `groups` shows the root's default private group
(root) and six others (bin daemon sys adm disk wheel) but not all of them
(not users or project).

Perhaps there's a syntax error in my /etc/group that is the cause of the
trouble.  If so, other people are successfully enrolled in more than one
group.  Please send me a message if you are one of those.

Perhaps I'm missing a kernel patch that allows a user to be a member of a
reasonable number of groups (namely, more than 7).  I have upgraded to a
vanilla pl15 kernel.  Please let me know if you have patches I need.

Does anyone have this private group scheme working?  If we can agree to use
it, a few things in the Debian distribution can be changed to provide this
functionality by default.

What say ye?

Matthew Birkholz

Reply to: