[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Newbie ?: setgid /home

On Fri, Feb 11, 2000 at 07:15:15PM -0500, John Dalbec wrote:
> I just noticed that my /home partition has the setgid permission bit.
> Is this normal for Debian?  Security problem?  Hacked system?
> TIA,
> John

its not a security problem, though I am not entirely sure of the

here is what it does:

on *BSD systems whenever a file is created it's group is set to the
group that owns the parent directory, on SysV like systems (which
linux is more similar) the group of a newly created file is always
that of the creating user's primary group (in /etc/passwd every user
has a numeric User ID (UID) and a numeric Group ID (GID), the GID
corrosponds to a group in /etc/group) what the setgid bit on a
directory does in linux (and possibly other SysV systems) is revert
the file creation behavior to BSD, now files created under /home will
always have the group set to that of /home (which is staff i think)

now by default debian uses the `user private group' scheme when
creating users, this means that when a user is created a new group
with the same name and numeric ID is created as the users primary
group. so when i created by account `eb' it was created as uid 1000
with primary group being gid 1000 (which is a group called `eb' with
no members) and my home directory was created with its owner and group
set to eb.eb and the setgid bit set. 

the point of that is so you can have a umask of 002 without giving
everyone in your group write permission to everything (since your
primary group has only you as a member) then when you create a new
directory you want to share with others you can change its group to
one that does have other users as members, the setgid bit ensures that
files you create thier get the shared group instead of your private

personally I prefer to remove the setgid bit from /home and change its
group to root and its permissions to 755 (they are default to group
writable)  I also don't usually keep the setgid bit on the home
directories since its really not needed, its only needed when a user
wants to have a directory and its contents always have different group
membership then thier primary group, in that case they can set the
setgid bit themself IMO.

(I also think the 002 umask is gross, 027 seems more logical to
me.. (with the main home directory group set to `users' which all
shell accounts are a member of, and a mode of 710) YMMV of course.)

Ethan Benson

Reply to: