Well, apart from the furore that my comments generated (which I did put in a rant and apologise for!), these came from people who already are, if not sysadmins, well capable of being so.

I understand that by adding someone to your group, they can access your data. All of it. So you have an all-or-nothing scenario. And you can access someone else's data in the same manner. But the original idea behind groups, as far as I understand it, was that they could define a project. The way RH have implemented it, all projects have one person and projects = persons. The way Debian have implemented it, all users are in the same project = there is only one project.

The issue really, of course, is that you (ordinary hardworking(?) users) can't grant other people access to your data at all. You have to get the sysadmin to do it for you. So in a busy environment, sysadmins are likely to welcome such trivial requests with the open arms of prevarication. Sometimes boxes of chocolates or bunches of flowers may make this a rather quicker procedure - or just being nice can work wonders, I believe.

The other way is to use POSIX ACLs - which are a great improvement because they give the user the control. But again these only define a user, groups or other - to define access to a group of people still requires someone to define the group. Back to charming the sysadmin.

Still, it makes for an interesting discussion. :-)))

Pip pip

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon@xxxxxxxxxxxxxxxxxxxx              a.einstein@xxxxxxxxxxxxxx
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com

On Tue, 24 May 2005, Peter Farrow wrote:

> As you have pointed out it restricts the security granularity of the
> system, which in turn will lead to other "work arounds" to achieve
> better granularity and those work arounds will ultimately lead to
> sloppiness, making John's point very valid indeed.
>
> I am glad you found it funny, it's always best to keep a light-hearted
> approach and stand back and laugh at yourself from time to time, it took
> you long enough but you got there in the end, and not through any lack
> of effort on your part either ;-)
>
> well done
>
> P.
>
>
> Feizhou wrote:
>
> > Peter Farrow wrote:
> >
> >> "This allows usera to give userb but no others (other than root of
> >> course) full permissions on files that usera wants to share with
> >> userb (0770). How else can usera do this if not via usera's group
> >> permissions"
> >>
> >> they can't if they are each in non-joined groups, which is why 0770 is
> >> the same as 0700
> >
> >
> > LOL. I cannot believe that the point was that because new users would
> > be created with their own uid and gid and their home directory
> > ownership set to the same makes a system more sloppy security wise.
> >
> > Other than this facilitating the future use/need for usera to allow
> > only select users to access some of usera's files, it makes no
> > difference to the 'security sloppiness' of the system.
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > http://lists.centos.org/mailman/listinfo/centos
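The three setups the thread argues about (user private groups where 0770 behaves like 0700, one shared group where access is all or nothing, and a POSIX ACL that lets usera grant userb alone) can be checked against a model of the access-check order that acl(5) documents. The following is an added example, not code from the thread or from any distribution; the uids and gids are constructed, and the mask handling follows the setfacl/chmod behaviour described in acl(5). It also shows the caveat a user who starts relying on ACLs runs into: once an extended ACL exists, the group bits of the mode are the mask, so a later chmod g-rwx silently narrows the named-user entry.

```python
"""Model of the POSIX access check with and without ACLs, per acl(5).

Added example for the mailing-list discussion; uids/gids are constructed.
Check order: owner -> named user -> owning group / named groups -> other.
The ACL mask applies to every entry except the owner and 'other'.
"""
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # permission bits, as in one octal digit of a chmod mode


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int                             # primary group
    groups: frozenset = frozenset()      # supplementary groups

    def group_set(self):
        return {self.gid} | set(self.groups)


@dataclass
class Acl:
    owner_uid: int
    group_gid: int
    user_obj: int                                # ACL_USER_OBJ: owner bits
    group_obj: int                               # ACL_GROUP_OBJ: owning-group bits
    other: int                                   # ACL_OTHER
    users: dict = field(default_factory=dict)    # ACL_USER entries: uid -> perms
    groups: dict = field(default_factory=dict)   # ACL_GROUP entries: gid -> perms
    mask: Optional[int] = None                   # ACL_MASK, present once named entries exist

    @classmethod
    def from_mode(cls, owner_uid, group_gid, mode):
        """A plain chmod mode is a minimal ACL with no named entries."""
        return cls(owner_uid, group_gid, (mode >> 6) & 7, (mode >> 3) & 7, mode & 7)

    def grant_user(self, uid, perms):
        """Equivalent of `setfacl -m u:<uid>:<perms>`.  Like setfacl without -n,
        the mask is recalculated as the union of all group-class entries."""
        self.users[uid] = perms
        self.mask = self.group_obj
        for p in list(self.users.values()) + list(self.groups.values()):
            self.mask |= p

    def chmod_group_bits(self, bits):
        """With an extended ACL present, chmod's group digit sets the MASK,
        not the owning-group entry (acl(5), 'Correspondence with file modes')."""
        self.mask = bits

    def effective(self, perms):
        return perms if self.mask is None else perms & self.mask


def access(acl, proc, requested):
    """True if the process holds every requested bit.  Only the first matching
    class is consulted: a matching named-user or group entry that lacks the
    bits denies access and does not fall through to 'other'."""
    if proc.uid == acl.owner_uid:
        return (requested & acl.user_obj) == requested
    if proc.uid in acl.users:
        return (requested & acl.effective(acl.users[proc.uid])) == requested
    in_groups = proc.group_set()
    candidates = [acl.group_obj] if acl.group_gid in in_groups else []
    candidates += [p for gid, p in acl.groups.items() if gid in in_groups]
    if candidates:
        return any((requested & acl.effective(p)) == requested for p in candidates)
    return (requested & acl.other) == requested


def scenarios():
    """The setups argued about in the thread; returns scenario name -> granted?"""
    results = {}
    # User private groups (the RH scheme): every user's primary gid is their own.
    usera, userb, userc = Process(1001, 1001), Process(1002, 1002), Process(1003, 1003)
    f = Acl.from_mode(owner_uid=1001, group_gid=1001, mode=0o770)
    results["upg_0770_userb_read"] = access(f, userb, R)    # nobody else is in gid 1001
    results["upg_0770_usera_write"] = access(f, usera, W)

    # One shared group (everyone in gid 100): granting the group grants all of it.
    userb_s, userc_s = Process(1002, 100), Process(1003, 100)
    g = Acl.from_mode(owner_uid=1001, group_gid=100, mode=0o770)
    results["shared_0770_userb_read"] = access(g, userb_s, R)
    results["shared_0770_userc_read"] = access(g, userc_s, R)  # userc gets it too

    # Private groups plus an ACL: usera grants userb alone, no sysadmin involved.
    h = Acl.from_mode(owner_uid=1001, group_gid=1001, mode=0o700)
    h.grant_user(1002, R | W | X)                               # setfacl -m u:userb:rwx
    results["acl_userb_write"] = access(h, userb, W)
    results["acl_userc_read"] = access(h, userc, R)
    # Caveat: chmod g-rwx now rewrites the mask and cuts userb off again.
    h.chmod_group_bits(0)
    results["acl_after_chmod_g-rwx_userb_read"] = access(h, userb, R)
    return results


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name:38s} {'granted' if granted else 'denied'}")
```

The shared-group and private-group cases differ only in which gid the file and the processes carry; the ACL case is the only one where the owner, rather than whoever administers /etc/group, decides who gets in. On a real system, `getfacl` shows the mask line and flags any entry it clips with `#effective:`, which is the check to run after any chmod on an ACL-bearing file.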