Default group

John Moser john.r.moser at gmail.com
Wed Oct 17 13:59:38 UTC 2012


Currently each Ubuntu user gets his own group, so:

jsmith:jsmith
lmanning:lmanning
rpaul:rpaul

and so on.  I feel this is a lot of clutter for no benefit.

First let's discuss the benefit.

Since each user has his own group, the administrator can grant other
users access to each others' files in a fine-grained manner by adding
them to other users' groups.  This seems useful, but consider:

 - To modify the groups a user is in, you must have administrative access
 - As long as you're modifying users anyway, you're in a position to
create a group and add both users to it
 - This is better accomplished with POSIX ACLs, which users can
control on files they own

That third one, by the way, suggests that we should have a Windows NT
style permissions tab in Nautilus' file properties such that you can
add a user and alter their permissions.  UNIX permissions allow you to
set Owner, Group, Owner access, Group access, Other access; POSIX ACLs
allow additional Users and Groups to be added with their own
permissions as well.  Thus:

Creator/Owner:  [User]
Group:  [Group]
Permissions:
::Creator/Owner:  rwx
::Group:  ---
::Everyone:  ---
::group=developers:  rwx
::group=managers:  r-x

etc



The above suggests to me that any such benefit from giving users
individual groups is quickly mitigated because either A) the users are
all administrators, so sharing versus isolating files is wholly
imaginary; or B) giving fine-grained access via group membership
requires administrator mediation.

I suggest all users should go into group 'users' as the default group,
with $HOME default to 700 and in the group 'users'.  A umask of 027 or
the traditional 022 is still viable:  the files in $HOME are not
visible because you cannot list the contents of $HOME (not readable)
or change into it to access the files within (not executable).  A user
can grant permissions to other users to access his files simply by
making the directory readable by them--by 'users' or others (thus
everyone) or by fine-grained POSIX ACLs selecting for individual users
and groups.
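The access decision the post relies on (a 700 $HOME hides files even when umask 022 leaves them world-readable, and a POSIX ACL on the directory can reopen it selectively) can be modelled directly. The following Python is an added example, not code from the post or from Ubuntu; it implements the POSIX.1e access-check order (owner, named user, group class with mask, other) and path traversal, and it walks the post's own scenario plus the named-group entries from the permissions-tab sketch above. The users, uids, gids and paths are constructed for the illustration.

```python
"""Model of how mode bits, umask and POSIX ACL entries decide file access.

Added illustration: constructed users/uids/paths, no real filesystem is touched.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits


@dataclass(frozen=True)
class User:
    uid: int
    gid: int                              # primary group
    groups: frozenset = frozenset()       # supplementary gids

    def in_group(self, gid):
        return gid == self.gid or gid in self.groups


@dataclass
class Node:
    uid: int
    gid: int
    mode: int                             # e.g. 0o700; only rwx bits are used
    acl_users: dict = field(default_factory=dict)   # named ACL_USER entries: uid -> perms
    acl_groups: dict = field(default_factory=dict)  # named ACL_GROUP entries: gid -> perms

    def owner_bits(self): return (self.mode >> 6) & 7
    def group_bits(self): return (self.mode >> 3) & 7   # ACL_GROUP_OBJ entry
    def other_bits(self): return self.mode & 7

    def mask(self):
        """ACL mask as setfacl recalculates it by default: the union of the
        group-class entries. With no named entries there is no mask."""
        if not self.acl_users and not self.acl_groups:
            return 7
        m = self.group_bits()
        for p in list(self.acl_users.values()) + list(self.acl_groups.values()):
            m |= p
        return m


def apply_umask(requested, umask):
    """Mode a new file gets: requested bits minus whatever umask clears."""
    return requested & ~umask


def permits(node, user, want):
    """POSIX.1e order: owner, named user, group class (any matching entry
    may grant, each limited by the mask), then other."""
    if user.uid == node.uid:
        return (want & ~node.owner_bits()) == 0
    if user.uid in node.acl_users:
        return (want & ~(node.acl_users[user.uid] & node.mask())) == 0
    entries = []
    if user.in_group(node.gid):
        entries.append(node.group_bits())
    entries += [p for g, p in node.acl_groups.items() if user.in_group(g)]
    if entries:
        return any((want & ~(p & node.mask())) == 0 for p in entries)
    return (want & ~node.other_bits()) == 0


def can_open(fs, user, path, want):
    """Every directory on the path needs search (X); the final entry needs `want`."""
    parts = path.strip("/").split("/")
    prefix = ""
    for p in parts[:-1]:
        prefix += "/" + p
        if not permits(fs[prefix], user, X):
            return False
    return permits(fs[path], user, want)


def build_scenario(umask=0o022, home_acl_groups=None):
    """Constructed layout: everyone in group 'users' (gid 100), $HOME 700,
    a file created under the given umask. gid 200 stands for 'developers'."""
    users_gid, developers_gid = 100, 200
    jsmith = User(uid=1001, gid=users_gid)
    lmanning = User(uid=1002, gid=users_gid, groups=frozenset({developers_gid}))
    fs = {
        "/home": Node(uid=0, gid=0, mode=0o755),
        "/home/jsmith": Node(uid=1001, gid=users_gid, mode=0o700,
                             acl_groups=dict(home_acl_groups or {})),
        "/home/jsmith/notes.txt": Node(uid=1001, gid=users_gid,
                                       mode=apply_umask(0o666, umask)),
    }
    return fs, jsmith, lmanning


def demo():
    """Before: umask 022 makes notes.txt 644, but $HOME 700 blocks traversal.
    After: an ACL entry group:developers:r-x on $HOME lets lmanning read it,
    while the file's own bits still deny writing."""
    fs, jsmith, lmanning = build_scenario(umask=0o022)
    fs2, _, lmanning2 = build_scenario(umask=0o022, home_acl_groups={200: R | X})
    return {
        "owner_reads": can_open(fs, jsmith, "/home/jsmith/notes.txt", R),
        "lmanning_before_acl": can_open(fs, lmanning, "/home/jsmith/notes.txt", R),
        "lmanning_after_acl": can_open(fs2, lmanning2, "/home/jsmith/notes.txt", R),
        "lmanning_write_after_acl": can_open(fs2, lmanning2, "/home/jsmith/notes.txt", W),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The directory is the gate: with umask 022 the file itself is world-readable, yet nobody but the owner can reach it through a 700 $HOME, which is why the post treats 022 as still acceptable. The ACL on $HOME grants only search and listing to one group; whether the file can then be read or changed is decided by the file's own bits (or its own ACL), so opening a directory does not silently grant write access.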




More information about the Ubuntu-devel-discuss mailing list