Default group

Marc Deslauriers marc.deslauriers at canonical.com
Wed Oct 17 14:44:34 UTC 2012


On 12-10-17 09:59 AM, John Moser wrote:
> I suggest all users should go into group 'users' as the default group,
> with $HOME default to 700 and in the group 'users'.  A umask of 027 or
> the traditional 022 is still viable:  the files in $HOME are not
> visible because you cannot list the contents of $HOME (not readable)
> or change into it to access the files within (not executable).  A user
> can grant permissions to other users to access his files simply by
> making the directory readable by them--by 'users' or others (thus
> everyone) or by fine-grained POSIX ACLs selecting for individual users
> and groups.
> 

We want users to be able to share files with other users. Having $HOME
be 700 defeats that purpose. See:

https://wiki.ubuntu.com/SecurityTeam/Policies#Permissive_Home_Directory_Access

Also, one of the reasons for using User Private Groups is to be able to
create directories that are used by multiple users, by setting the
setgid on the directory. With a default umask of 022, users need to
manually set group permissions each time they create a file.

Marc.


-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
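
Added example, not part of the original message: it shows the setgid shared-directory point made above, where a file created under umask 022 lacks group write and one created under umask 002 has it. The temporary directory, file names and function names are constructed for illustration, and it assumes Linux with GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example (constructed): effect of the umask on entries created
# inside a setgid shared directory. Assumes Linux and GNU stat (-c).

# shared_modes UMASK -> prints "<file mode> <subdir mode>" in octal for
# entries created in a fresh setgid directory under the given umask.
shared_modes() {
    dir=$(mktemp -d) || return 1
    chmod 2775 "$dir"              # rwxrwsr-x: group-writable, setgid set
    (
        umask "$1"                 # confined to this subshell
        touch "$dir/report.txt"    # new file: 666 masked by the umask
        mkdir "$dir/sub"           # new dir: 777 masked, setgid inherited
    )
    printf '%s %s\n' \
        "$(stat -c %a "$dir/report.txt")" "$(stat -c %a "$dir/sub")"
    rm -rf "$dir"
}

# group_writable MODE -> succeeds when the group-write bit (020) is set.
group_writable() {
    [ $(( 0$1 & 020 )) -ne 0 ]
}

# Compare the traditional umask with the User Private Groups umask.
for m in 022 002; do
    set -- $(shared_modes "$m")
    if group_writable "$1"; then
        note="other group members can edit the file"
    else
        note="owner must run chmod g+w on each new file"
    fi
    echo "umask $m: file=$1 subdir=$2 ($note)"
done
```

With User Private Groups, each user's primary group contains only that user, so the group-write bit granted by umask 002 exposes nothing outside a directory that has deliberately been given a shared group.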




More information about the Ubuntu-devel-discuss mailing list