creating all users with one primary group?

Joel Rees joel.rees at gmail.com
Sat Dec 31 15:45:58 UTC 2011 

On Sun, Jan 1, 2012 at 12:21 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>
>
> Am 31.12.2011 16:11, schrieb Dave Ihnat:
>> On Sat, Dec 31, 2011 at 02:31:04PM +0100, Reindl Harald wrote:
>>> what have "/etc/login.defs" to do with the fact that there is
>>> simply no need to have a personal group for a user at all?
>>
>> You're probably not thinking about multiple users on a relatively secure
>> system.
>
> oh yes i consider
>
> I *think*, if I recall correctly, that AT&T System III & V put
>> everyone in the same group.  This is a possible security breach, since any
>> executable/directory/file that might grant rights to that group would be
>> open to exploit by anyone in the group
>
> yes and no
>
> if i need that i do chmod 700 for folders and chmod 600 for files
> no need to create a group for each user
>
>> So, from a security point of view, it makes a lot more sense to assign each
>> user to their own group, and only let them in shared groups by deliberate
>> assignment.  It doesn't cost anything in terms of resources or performance.
>
> froma security point of view abvoe chmod's are making much more sense
>
> and if you need finer restrictions you need ACL's where groups for each
> user does not make sense at all - you need in this case groups for several
> roles and assing matching ACL's

In other words, you really, really like ACLs.

> own groups for each user does not make sense at all

You keep asserting that.

I find them quite useful, because slapping ACLs on everything requires
a lot of processor time and disk space to support, and you think your
programs that update those lists have all the corner cases, and they
don't.

It's a lot easier to define non-login users for certain activities and
then share those groups, and when you do that, it makes total sense to
basically have every user in his own primary group. That was the
traditional way to do things in Unix since way before ACLs were added
to any large distribution of Unix.

Having every login user in its own primary group also helps when you
want to do certain kinds of sandboxing using sudo.

You apparently don't like to do things that way.

--
Joel Rees

More information about the users mailing list