John Logsdon wrote:
> Well I agree you can be in as many groups as you like. But what I meant
> was that making your primary group the same as the user means you have no
> granularity of control without adding extra groups. It makes 0700 the
> same as 0770.

Huh? What are you on about? 0700 is and will always be different from 0770. Making the primary group the same as the user allows the user to grant/deny access to files for those who are part of his group.

>
> I suppose as groups essentially relax security, giving each user his/her
> own groups should make a tighter ship but in practice what people do is to
> give world access when they shouldn't. The proper solution is to add a
> group of course. Few do this I think.

Excuse me? You are not coherent. What does each user having his own group and the user granting access to others have to do with sloppy access? The group permissions allow the user to specify that others don't get to access files while those users who are part of the user's group do. This MAKES group permissions ever more relevant, not immediately pointless.

>
> But my real rant was against the sloppy access controls at installation
> time which means that the regular user can look at all sorts of system
> things they shouldn't. I don't know of any automatic hardening procedure
> that can correct this.
>

Example? What should not a user look at assuming they know enough to even look for the file?