Re: Is it me or is it sudo?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Mar 31, 2012 at 4:39 AM, James Wilkinson
<fedora@xxxxxxxxxxxxxxxxxx> wrote:
> Reindl Harald wrote:
>> sounds more you do not understand what ACLs are for
>>
>> how could a private user group replace ACLs?
>> if you have different users and groups which needs
>> defined permissions you will always need ACLs because
>> chmod can only reflect the primary group
>>
>> for restrict access to a single user you need no ACL
>> chmod 600 does this for you
>
> It was in the old Red Hat Linux manuals (for example, section 6.4.1 of
> ftp://archive.download.redhat.com/pub/redhat/linux/7.3/en/doc/RH-DOCS/pdf-en/rhl-rg-en.pdf):
>
>    IF you want a shared directory (say a project directory) writeable
>    by some but not all users,
>    AND IF you don’t want to use ACLs¹,
>    THEN you need to have that directory and everything in it owned by a
>    suitable group (and set to be group-writeable).
>
>    IF you don’t want to have users having to play around with
>    ownership and permissions all the time,
>    THEN you need to have the setgid bit on the folder set (which makes
>    all new files and directories automatically have the appropriate
>    group)
>    AND you need to have umask set to 002 (which makes all new files and
>    directories group-writeable).
>
> From there, it follows that the easiest way to do this is to make 002
> the default umask, which means that all new files and directories
> created by normal users have these permissions. That means that if you
> want files that only their owner can write to, you need a per-user
> group.
>
> It makes perfect sense.
>
> James.
>
> ¹ This predated Linux ACLs, anyway.

And, of course, there are plenty of other ways to use per-user groups,
once you get your head around the idea that there is no one-to-one
relationship between user-ids and physical users.

One thing we didn't write back then, that we should have, was a
sub-user tool similar to the user tool --

subuser add/edit/delete/etc

It would have to incorporate user types, implicit/default quota
heuristics and other stuff that we didn't want to deal with then, but
find ourselves dealing with now, and it would use the setuid bit, so
each user could set up and get rid of his/her own private user/group
combos. Combine that with sudo, and we could have had sandboxed apps
years and years ago. (With a bit of work, but not near what ACLs and
their ilk cost us.)

That was the unix way, and we have parted from it to our detriment.

--
Joel Rees
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux