> But the original idea behind groups as far as I understand it was that
> they could define a project. The way RH have implemented it, all projects
> have one person and projects = persons. The way Debian have implemented
> it, all users are in the same project = there is only one project.
>
> The issue really of course is that you (ordinary hardworking(?) users)
> can't grant other people access to your data at all. You have to get the
> sysadmin to do it for you. So in a busy environment, sysadmins are likely
> to welcome such trivial requests with the open arms of prevarication.
> Sometimes boxes of chocolates or bunches of flowers may make this a rather
> quicker procedure - or just being nice can work wonders I believe.
>
> The other way is to use POSIX ACLs - which are a great improvement because
> they give the user the control. But again these only define a user,
> groups or other - to define access to a group of people still requires
> someone to define the group. Back to charming the sysadmin.
>

Either way, for usera to grant access for certain users to usera's files via group permissions requires the sysadmin, whether Debian or RH. Neither is sloppy. You may feel that RH's creates more clutter compared to Debian's all new users belong to one group, but it does not create sloppy security. The sysadmin can still create either scenario in either distro, but both will still need per-user groups to allow a user to limit access to certain other users only via group permissions.
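
The access rules discussed in this thread, as an added example that is not part of the original messages: a small Python model of the POSIX.1e ACL check order documented in acl(5) (owner, named user, group entries limited by the mask, other). The dictionary layout, the users userb and userc, and the sample permissions are constructed for illustration.

```python
# Constructed model of the access check order described in acl(5).
# All names and permission values below are made up for illustration.
R, W, X = 4, 2, 1

def acl_allows(acl, user, groups, want):
    """Return True if `user`, a member of `groups`, is granted the `want` bits."""
    mask = acl.get("mask")  # None means a plain mode with no extended entries

    def masked(perms):
        return perms if mask is None else perms & mask

    # 1. The file owner is checked first and is not limited by the mask.
    if user == acl["owner"]:
        return (acl["owner_perms"] & want) == want
    # 2. Named-user entry: the owner can add one without any new group.
    if user in acl.get("users", {}):
        return (masked(acl["users"][user]) & want) == want
    # 3. Owning group and named-group entries: any matching entry may grant,
    #    but a match that grants too little does not fall through to "other".
    candidates = [(acl["group"], acl["group_perms"])]
    candidates += list(acl.get("groups", {}).items())
    matched = [masked(p) for g, p in candidates if g in groups]
    if matched:
        return any((p & want) == want for p in matched)
    # 4. Everyone else gets the "other" permissions.
    return (acl["other_perms"] & want) == want

# Per-user group layout: file owned by usera:usera, mode 0640.
PLAIN = {"owner": "usera", "owner_perms": R | W, "group": "usera",
         "group_perms": R, "other_perms": 0}
# Same file after usera adds a named-user entry for userb, with mask r--.
WITH_ACL = dict(PLAIN, users={"userb": R | W}, mask=R)
# Single shared group layout: the file's group is one every user belongs to.
SHARED = dict(PLAIN, group="users")

def demo():
    """Who can read usera's file under each arrangement."""
    return {
        "plain_userb": acl_allows(PLAIN, "userb", {"userb"}, R),
        "acl_userb": acl_allows(WITH_ACL, "userb", {"userb"}, R),
        "acl_userc": acl_allows(WITH_ACL, "userc", {"userc"}, R),
        "shared_userc": acl_allows(SHARED, "userc", {"userc", "users"}, R),
    }

if __name__ == "__main__":
    print(demo())
```

The named-user entry is something usera can set alone; a named-group entry would still refer to a group that someone has to create first.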