user private groups and a src group
I learned about this scheme from Ian Jackson, though apparently y'all have
been discussing this since before I got there. The intention of the scheme
is to get useful default access for both home directories/files and project
directories/files. For the benefit of the other latecomers (and to
double-check my understanding) this is the idea:
* Set the system default umask to 006 (or 002 I suppose).
* Set the default group of each user to their own private
  group (e.g. a group with the same name and id as the user,
  whose only member is the user).
* Set each user home directory's group to the user's private
  group. The default permissions, e.g. -rwxrwx--x, will not
  actually grant read or write access to anyone but the user.
* Enroll each source maintainer in a group named "src".
* Set the group of /usr/src to src. The group of any
  subdirectories created by members of src will default to
  src and the default permissions (again, -rwxrwx--x) will
  allow all members of src to collaborate on maintenance of
  the software in /usr/src.
I was a little surprised to see this being promoted, because
files/subdirectories do not inherit the group of their parent directory in
SYSV (which, unfortunately, is what Linux tries to be). However, this
scheme solves an annoying problem and I was anxious to try it.
After converting my system to the new private group scheme, I found it
didn't work!
`groups birkholz` shows that I'm a member of only one group -- my default,
private group. According to /etc/group, I should be a member of four
groups: birkholz, wheel, users, project. Yet I cannot write files having
group write permission and group project (unless I also own the file).
Also, the groups command (or Linux itself) doesn't seem to be working quite
right for root either. `groups` shows root's default private group
(root) and six others (bin daemon sys adm disk wheel) but not all of them
(not users or project).
Perhaps there's a syntax error in my /etc/group that is the cause of the
trouble. If so, other people are successfully enrolled in more than one
group. Please send me a message if you are one of those.
Perhaps I'm missing a kernel patch that allows a user to be a member of a
reasonable number of groups (namely, more than 7). I have upgraded to a
vanilla pl15 kernel. Please let me know if you have patches I need.
Does anyone have this private group scheme working? If we can agree to use
it, a few things in the Debian distribution can be changed to provide this
functionality by default.
What say ye?
Matthew Birkholz
birkholz@martigny.ai.mit.edu
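As an added check that is not part of the post, the script below reads constructed /etc/passwd and /etc/group samples (shaped like the files the scheme above needs, not the author's real ones) and verifies the private-group convention for a user, lists the supplementary groups /etc/group grants that user (what `groups` should report), and flags group lines that do not have exactly four fields, the kind of syntax error the post suspects.

```shell
#!/bin/sh
# Constructed sample files in /etc/passwd and /etc/group layout; they are
# not the author's real files, just data shaped like the post describes.
PASSWD_FILE=$(mktemp); GROUP_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$GROUP_FILE"' EXIT
cat >"$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
birkholz:x:1000:1000:Matthew Birkholz:/home/birkholz:/bin/sh
guest:x:1001:100:Guest:/home/guest:/bin/sh
EOF
cat >"$GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:root,birkholz
users:x:100:birkholz,guest
birkholz:x:1000:
project:x:2000:birkholz
src:x:2001:birkholz
broken:x:2002
EOF

# Print, space separated, every group whose member field (field 4) names
# USER: the supplementary groups `groups USER` should report.
supplementary_groups() {  # usage: supplementary_groups USER GROUP_FILE
    awk -F: -v u="$1" 'NF >= 4 { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { printf "%s%s", s, $1; s = " " } }
        END { print "" }' "$2"
}

# Return 0 if USER's primary group is a private group as the post defines
# it: same name as the user, same numeric id as the uid, no other members.
is_private_group() {  # usage: is_private_group USER PASSWD_FILE GROUP_FILE
    ids=$(awk -F: -v u="$1" '$1 == u { print $3 ":" $4 }' "$2")
    [ -n "$ids" ] || return 2                      # no such user
    [ "${ids%%:*}" = "${ids##*:}" ] || return 1    # uid differs from gid
    awk -F: -v u="$1" -v g="${ids##*:}" '
        $3 == g { found = 1; if ($1 != u || ($4 != "" && $4 != u)) bad = 1 }
        END { exit (found && !bad) ? 0 : 1 }' "$3"
}

# List lines of GROUP_FILE that do not have exactly four colon-separated
# fields (name:password:gid:members), the syntax error the post suspects.
lint_group_file() {  # usage: lint_group_file GROUP_FILE
    awk -F: 'NF != 4 { print NR ": " $0 }' "$1"
}

echo "birkholz supplementary groups: $(supplementary_groups birkholz "$GROUP_FILE")"
is_private_group birkholz "$PASSWD_FILE" "$GROUP_FILE" && echo "birkholz: private group ok"
echo "malformed group lines:"; lint_group_file "$GROUP_FILE"
```

On a Linux system the group-inheritance step of the scheme can be had independently of SYSV semantics by setting the setgid bit on /usr/src (`chmod g+s /usr/src`), which makes new files and subdirectories take the directory's group.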