On Sat, Mar 31, 2012 at 7:04 PM, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
> On Fri, 2012-03-30 at 20:39 +0100, James Wilkinson wrote:
>> From there, it follows that the easiest way to do this is to make 002
>> the default umask, which means that all new files and directories
>> created by normal users have these permissions. That means that if you
>> want files that only their owner can write to, you need a per-user
>> group.
>
> It always struck me that personal files ought to have no group or world
> permissions set by default. If you wanted your files to have those
> extra permissions set, then it ought to be done as a deliberate choice.

Maybe "user-id" is mis-named. There are sure a lot of people who tend to see "user-id" and expect the one-to-one correspondence. I know the conflation caused me some frustration back in college, and I'm not sure I got it properly worked out until I put together a few OpenBSD systems.

Anyway, it should be clear that a system administrator should not be logged in as a system administrator when he or she is just writing an e-mail scheduling meetings or something. But even ordinary (human) users should not be surfing the web as the user they logged in as, and I'm not talking about keeping my boss from checking my cache for visits to slashdot or whatever.

As the system administrator for my home box, I want to be able to log in as a normal user that is not tainted by the web sites I visited last time I logged in. That means I have a separate administrator user. I want one user-id/group-id pair for each bank I have to visit, so that, even if we can't get the banks to use special-purpose browsers for the money transactions, I can protect the bank data from the guys that want to mine my data for their gain, including the other banks. (Special-purpose browsers are preferred, of course.) And when I need to go surfing through blogs for news, I don't want to do that with the user I logged in as.

Even if/when we can get rid of the sloppy programming practices Microsoft and their ilk promote, we can't be sure we have every hole plugged, so it's just going to be safer to do that as a user that isn't allowed to log in. That means that, even though I log out of my "worker" user and log back in as my "play" user, I still want to spawn a nologin user from there to surf.

(This is not pure paranoia. I checked out a company for a job and discovered that Google had flagged their site as containing malware, and the guy who ran the company did not have the financial means or motivation to hire someone to clean the server up. Scared of having to move off the vulnerable tools he was using, trying to meet a market window that was fast disappearing, all the excuses.)

Incidentally, I'm doing this much now, using xhost local and sudo. (If you're curious, http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html is my blog from when I first got it running. I need to re-write that explanation, which is part of the reason I'm writing this long-winded post now. But I still have issues with the input method that I need to solve. And I need to write some scripts so I don't have to do all the tweaks by hand every time.)

And I glue it together with per-user groups. Without per-user groups, I would have to go through serious admin-level contortions to grab a download.

Does that make sense?

--
Joel Rees

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
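An added illustration of the two points above (not from the post or its author): first, what a 002 umask actually yields, and why that is only safe when the file's group is a per-user group; second, a sketch of the "nologin user to surf" launcher. It assumes GNU or BSD `stat`, `sudo`, and an X server whose `xhost` supports the `si:localuser:` form; the user name `websurf` is a placeholder.

```sh
#!/bin/sh
# Added example, not the original poster's script.

# Print the octal mode a freshly created file gets under a given umask.
# Shows the umask point from the thread: 002 -> 664 (group-writable),
# 022 -> 644 (owner-writable only). Group-writable is harmless only when
# the group is a per-user group with a single member.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/f" ) || { rm -rf "$dir"; return 1; }
    # GNU stat first, BSD stat as fallback (assumption about the platform).
    mode=$(stat -c '%a' "$dir/f" 2>/dev/null || stat -f '%Lp' "$dir/f")
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# Return 0 when a numeric mode grants group write, 1 otherwise.
# Used to decide whether a file relies on its group being per-user.
group_writable() {
    g=$(( ($1 / 10) % 10 ))
    [ $(( g & 2 )) -ne 0 ]
}

# Launch a browser as a separate, non-login sandbox user.
# "websurf" is a placeholder: create it with a nologin shell and its own
# per-user group, and give the calling user a matching sudoers rule.
# xhost +si:localuser:NAME grants X access to that one local user only,
# narrower than "xhost +local:" which admits every local user.
sandbox_browser() {
    user=${1:-websurf}
    shift
    xhost +si:localuser:"$user" >/dev/null || return 1
    sudo -u "$user" -H env DISPLAY="$DISPLAY" firefox "$@"
    xhost -si:localuser:"$user" >/dev/null
}
```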