[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Howto NFS shared writable space



Colin Watson wrote:
> On Mon, Mar 10, 2003 at 10:22:02PM +0100, R?mi Letot wrote:
> > Now why is debian's default 022 if 02 is safe ?
> 
> Mostly because 002 is *not* safe if you don't go with the
> one-user-per-group thing.

Let me guess at another reason.  Because programs like postfix, exim,
sendmail, ssh, gpg, etc. check that files $HOME are not group writable
by default.  If those programs are not all modified to allow group
writability then they refuse to honor user .forward files, .ssh/
files, etc.  User's need to remember to chmod go-w those specifically.
Which is yet more that the user needs to know and if they don't the
have problems getting software to work.  (BTW I don't know if Debian's
versions of those programs allow group writability or not.)

> Both debian.org machines and my workplace use a single group for all
> users (which I happen to think is a pain, but hey);

My work place too.  The legacy of 15 years.  Everyone is a 'user'.
And now we also have shared groups too.  A mixed environment confusing
to all.  Sigh.

> the failure mode where somebody sets that up without realizing that
> the default umask needs to be 022 is worse than the failure mode
> where people end up with files that need to be group-writeable but
> aren't, so Debian goes with the more generally safe default.

And probably the >90% case anyway.  I suspect that most people running
GNU/Linux are doing so on standalone systems where they are not
working with other people on shared files.  For example, almost all
software tools are designed to work in private sandboxes with cvs
interfacing to and controlling the shared area.  Therefore few users
really ever need a way to work on shared files.  Those that do need it
can set it up.

But I have wondered why umask is in the /etc/skel/* files redundantly
with /etc/profile.  That propagates the changes into the user's
profiles which once embedded are a much more delicate problem to
change.

Bob

Attachment: pgp9mQo5PKp5O.pgp
Description: PGP signature


Reply to: