Re: should not specify default group for users

To: kingdon@redhat.com (Jim Kingdon)
Cc: lsb-spec@lists.linuxbase.org, gk4@users.sourceforge.net
Subject: Re: should not specify default group for users
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Date: Tue, 21 Mar 2000 00:05:52 +0000 (GMT)
Message-id: <[🔎] E12XCBG-0003rp-00@the-village.bc.nu>
In-reply-to: <[🔎] 200003202202.RAA12585@devserv.devel.redhat.com> from "Jim Kingdon" at Mar 20, 2000 05:02:53 PM

> +Systems will typically put all end-users in the same group "users"
> +with the default umask of 022.  Other
> +systems (or system administrators) may put users
> +in their own group with the umask of 002.
> +Applications should not assume one or the other.

Neither the old or new clause reflect reality in the Linux world. Most
people are putting users in their own group. Some of them add them to an
all users group as well. This is a failure to document existing standards
therefore wrong (and it was wrong before you submitted the edit).

Things like the default umask should NEVER be in a standard. Its forcing 
policy on administrators, that sucks. (as an aside an 022 policy with a default
group is a serious security administration error allowing a successful
user account penetration by default to read compromise almost all files on the
system). If we are going to set a policy we should set one that works!

Putting it in is also pointless because:

- 	We allow administrators to change it (we have to)

Therefore: The software must be able to cope with any setup. 

Therefore: Specifying it doesn't help anyone

Therefore: We shouldnt specify it

We also need to recognize that in the current heavily internetworked world
that user and group policy isnt a Linux thing. Someone running 5000 seats
under LDAP isn't going to be pleased if some box starts ordering policy for
his network. 

The only policy we should enshrine is the legacy SYS5 tradition which is already
buried in things like Apache. That is uid < 100 and gid <100 are reserved for
system use. This is common across almost all unix and unix like platforms

IMHO at most should say (and I submit this to the LSB as an alternative)

----
Systems will put all normal users in the group 'users'. All normal users and
normal user groups will be above the uid/gid of 100. No system required uid
or gid is to be placed above uid/gid 99 as this may clash with real users
imported via NIS or LDAP from other Unix systems. Applications cannot
assume non system uids will be provided from the password file. The password
file format is undocumented by this standard. The *pwnam(3) calls must
be used to access it. 

Applications cannot assume any policy for the default umask or the default
directory permissions a user may have. Applications should enforce user
only file permissions on private files such as mailboxes.  The location of
the users home directory is also not defined by policy other than the
recommendations of the FHS and must be obtained by the *pwnam(3) calls.

When an application needs to add a user or a group to the system it must
invoke the useradd or groupadd applications.

Reply to:

References:
- should not specify default group for users
  - From: Jim Kingdon <kingdon@redhat.com>

Prev by Date: Re: should not specify default group for users
Next by Date: Re: should not specify default group for users
Previous by thread: Re: should not specify default group for users
Next by thread: Re: should not specify default group for users
Index(es):
- Date
- Thread