This line "It makes 0700 the same as 0770." in the context of one group per user makes perfect sense to me...

What John is getting at is that if each user is assigned their own individual group, then the concept of groups for security granularity is negated. This essentially removes the middle part of the Unix permissions syntax, as the group and the user are one and the same, so 0700 is 0770, and in this instance your comment "0700 is and will always be different from 0770" does not apply...

You are right in that 0700 is different to 0770, but the security upshot is the same if each user has their own unique group, and in that scenario there is no functional difference between 0700 and 0770. This is the essence of John's statement, which I think you may have missed...

Hope this makes it clear...

regards

Pete

Feizhou wrote:
> John Logsdon wrote:
>
>> Well I agree you can be in as many groups as you like. But what I meant
>> was that making your primary group the same as the user means you have no
>> granularity of control without adding extra groups. It makes 0700 the
>> same as 0770.
>
> Huh? What are you on about? 0700 is and will always be different from
> 0770.
>
> Making the primary group the same as the user allows the user to
> grant/deny access to files for those who are part of his group.
>
>> I suppose as groups essentially relax security, giving each user his/her
>> own group should make a tighter ship, but in practice what people do is to
>> give world access when they shouldn't. The proper solution is to add a
>> group, of course. Few do this, I think.
>
> Excuse me? You are not coherent. What does each user having his own
> group and the user granting access to others have to do with sloppy
> access? The group permissions allow the user to specify that others
> don't get to access files while those users who are part of the user's
> group do. This MAKES group permissions ever more relevant, not
> immediately pointless.
>
>> But my real rant was against the sloppy access controls at installation
>> time, which means that the regular user can look at all sorts of system
>> things they shouldn't. I don't know of any automatic hardening procedure
>> that can correct this.
>
> Example? What should a user not look at, assuming they know enough to
> even look for the file?
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
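Added example, not written by any of the posters above: a small Python model of the classic Unix owner/group/other check, run against a constructed user-private-group layout (uid == gid, nobody else in the group). The account names, uids and gids are made up for illustration. It shows both halves of the argument: while the private group has exactly one member, 0700 and 0770 grant identical access to every user on the box; as soon as a second user is added to that group (via a supplementary gid, as /etc/group membership would give them), 0770 lets that user in and 0700 does not.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits within one octal digit


@dataclass
class User:
    name: str
    uid: int
    gid: int                                         # primary (login) gid
    supplementary: set = field(default_factory=set)  # gids from /etc/group membership


@dataclass
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o700


def gids_of(user):
    """All gids a process of this user carries after initgroups()."""
    return {user.gid} | user.supplementary


def may_access(user, inode, want):
    """Classic Unix DAC: exactly one class (owner, group, other) is consulted,
    and the owner class wins even if the group bits would be more generous.
    Root / CAP_DAC_OVERRIDE is deliberately not modelled.
    `want` is a mask of R/W/X bits."""
    if user.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif inode.gid in gids_of(user):
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


def users_where_modes_differ(users, inode_uid, inode_gid, mode_a, mode_b, want=R):
    """Names of users whose access outcome changes between two modes on the same file."""
    a = Inode(inode_uid, inode_gid, mode_a)
    b = Inode(inode_uid, inode_gid, mode_b)
    return {u.name for u in users if may_access(u, a, want) != may_access(u, b, want)}


def sample_users(john_in_petes_group=False):
    """Constructed accounts in a user-private-group layout (uid == gid).
    Optionally lists john as a member of pete's private group (gid 1000)."""
    pete = User("pete", 1000, 1000)
    john = User("john", 1001, 1001, {1000} if john_in_petes_group else set())
    feizhou = User("feizhou", 1002, 1002)
    return [pete, john, feizhou]


def demo():
    """Compare 0700 with 0770 on a file owned pete:pete (uid 1000, gid 1000)."""
    pure_upg = users_where_modes_differ(sample_users(), 1000, 1000, 0o700, 0o770)
    with_member = users_where_modes_differ(sample_users(True), 1000, 1000, 0o700, 0o770)
    return pure_upg, with_member


if __name__ == "__main__":
    pure, member = demo()
    print("UPG only, 0700 vs 0770 differ for:", pure or "nobody")
    print("john added to group pete, 0700 vs 0770 differ for:", member)
```

The point John's "proper solution is to add a group" makes is visible in the second result: the private group is only useful once someone other than its owner is listed in it. Swapping 0o770 for 0o707 in the same comparison shows the sloppy alternative, where the file becomes readable by everyone rather than by the chosen group members.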