Rehashing My File Permissions Understanding(or lack of it)
Paul Howarth
paul at city-fan.org
Wed Aug 31 08:59:00 UTC 2005
Mark Sargent wrote:
> Paul Howarth wrote:
>
>> Jay Paulson wrote:
>>
>>> I was under the impression that changing the umask was a possible
>>> security risk. Am I correct in thinking that?
>>
>>
>>
>> Possibly, possibly not. Using a umask of 002 instead of 022 is
>> something that Red Hat/Fedora specifically cater for. What this means
>> is that woth a umask of 002, files are created with group write
>> permissions by default, so if your default group is shared with a
>> number of other people then they will be able to write to your files
>> by default. However, in Red Hat/Fedora, every new user is created with
>> their own group by default, which isn't shared with any other user. So
>> enabling group write permission isn't a big issue. What this then lets
>> you do is to create a separate group for shared data, and then
>> everyone's default umask being 002 (if set that way) then makes it
>> easy for all members to create and edit files with this shared groupid.
>>
>> Paul.
>>
> Hi All,
>
> so, in theory, if there were a way to set a umask specifically for a
> certain group, it'd be great. For example; when user xman, who is a
> member of say, share2 group, creates a new file in a particular dir, the
> new file would be writable by all within that same group. Would that
> just make things too messy, OR, am I just not getting it.? Cheers.
You're right that this would be great, but unfortunately I don't know of
any way of implementing it.
Well, actually that's not quite true. Using samba you can do things like
this by forcing permissions and uids/gids. But for access to local files
and directories, I don't know of a way of doing this in a
directory-specific way.
Do note thought that if your users all have their own groups, as is the
default in Red Hat/Fedora, you should be safe to set the umask to 002
for all users. If you then create a directory /path/to/dir and do:
# chgrp share2 /path/to/dir
# chmod g+s /path/to/dir
then any files/directories created in that directory should get the
right group ID and permissions.
Paul.
More information about the fedora-list
mailing list