Re: creating all users with one primary group?

On Sun, Jan 1, 2012 at 12:21 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>
> On 31.12.2011 16:11, Dave Ihnat wrote:
>> On Sat, Dec 31, 2011 at 02:31:04PM +0100, Reindl Harald wrote:
>>> what have "/etc/login.defs" to do with the fact that there is
>>> simply no need to have a personal group for a user at all?
>>
>> You're probably not thinking about multiple users on a relatively secure
>> system.
>
> oh yes i consider
>
>> I *think*, if I recall correctly, that AT&T System III & V put
>> everyone in the same group.  This is a possible security breach, since any
>> executable/directory/file that might grant rights to that group would be
>> open to exploit by anyone in the group
>
> yes and no
>
> if i need that i do chmod 700 for folders and chmod 600 for files
> no need to create a group for each user
>
>> So, from a security point of view, it makes a lot more sense to assign each
>> user to their own group, and only let them in shared groups by deliberate
>> assignment.  It doesn't cost anything in terms of resources or performance.
>
> from a security point of view above chmod's are making much more sense
>
> and if you need finer restrictions you need ACL's where groups for each
> user does not make sense at all - you need in this case groups for several
> roles and assign matching ACL's

In other words, you really, really like ACLs.

> own groups for each user does not make sense at all

You keep asserting that.

I find them quite useful, because slapping ACLs on everything requires
a lot of processor time and disk space to support, and you think your
programs that update those lists have all the corner cases, and they
don't.

It's a lot easier to define non-login users for certain activities and
then share those groups, and when you do that, it makes total sense to
basically have every user in his own primary group. That was the
traditional way to do things in Unix since way before ACLs were added
to any large distribution of Unix.

Having every login user in its own primary group also helps when you
want to do certain kinds of sandboxing using sudo.

You apparently don't like to do things that way.

--
Joel Rees
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
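
The two positions argued in this thread can be checked on a real system. The shell functions below are an added example, not code from the original message or from either poster: one lists primary GIDs shared by more than one login user, the other tells whether a mode grants the owning group anything. The function names, the UID threshold of 1000 and the sample passwd lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Input is passwd(5) format on stdin:
#   name:passwd:uid:gid:gecos:home:shell

# Print "gid: user1,user2" for every primary GID held by 2+ login users.
# $1 = lowest UID treated as a login user (assumed 1000; the real value
# is UID_MIN in /etc/login.defs). Accounts with a nologin/false shell
# are skipped.
shared_primary_groups() {
    awk -F: -v min="${1:-1000}" '
        $3 + 0 >= min + 0 && $7 !~ /(nologin|false)$/ {
            count[$4]++
            members[$4] = (members[$4] == "" ? $1 : members[$4] "," $1)
        }
        END {
            for (gid in count)
                if (count[gid] > 1)
                    print gid ": " members[gid]
        }' | sort -n
}

# Exit 0 when an octal mode gives the owning group any access, i.e. the
# group digit is non-zero: 640 and 2775 do, 600 and 700 do not.
group_bits_set() {
    case "$1" in
        *[1-7]?) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample data, not taken from any real host.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
backup:x:1003:100:Backup job:/var/backup:/sbin/nologin
EOF
}

# alice and bob share primary GID 100; carol has a private group.
sample_passwd | shared_primary_groups 1000
```

On a live system, feed it `getent passwd` instead of the sample. Any file owned by a user in a reported GID is readable or writable by the other listed users wherever `group_bits_set` is true for its mode.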