Hi Folks, I recently noticed something which struck me as strange.
In the past, on my older Linux distributions, an "ordinary" user gets set up as user=<username> and group="users". Thus, for instance, on those systems an 'ls -l' gives the likes of
-rw-r--r-- 1 ted users    16 Apr  2  2008 -
drwxr-xr-x 3 ted users 20480 Jun  3  2008 00_junk
drwxr-xr-x 2 ted users  4096 May 10  2005 00_misc
drwxr-xr-x 2 ted users  4096 Jan 31  2008 00_realplay
However, on recent Debian (since Etch), I see that it is user=<username> and group=<username>. Thus now 'ls -l' gives
-rw------- 1 ted ted 4643403 2009-06-02 18:56 03-Iii_Sarabanda.mp3
-rw------- 1 ted ted 3476861 2008-04-27 21:38 2nd_week_004.jpg
-rw------- 1 ted ted 2879890 2008-04-27 21:38 2nd_week_006.jpg
So now I am user "ted" and am in group "ted"! This seems to have happened "in the background" without my being aware that it was going to happen -- I just happened to notice that it had happened!
Is there a good reason for this change?
And what would be the best way to revert to the old way (especially when creating new users)?
With thanks, Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@manchester.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 14-Feb-10 Time: 22:10:47
------------------------------ XFMail ------------------------------
I don't have the answer to your question Ted but I have also noticed this in Ubuntu and CentOS!
Just an observation.
On Sun, Feb 14, 2010 at 10:19:54PM +0000, James Bensley wrote:
> I don't have the answer to your question Ted but I have also noticed this in Ubuntu and CentOS!
> Just an observation.
Yes, it seems to be the default on Ubuntu, each user has their own group created for them.
I suppose there *is* a possible reason for this. If, say, user 'chris' wants to make his files available to other users then those other users can be added to group 'chris'. This is more specific than having to add them to group 'users' which would give them access to files of any user in group 'users'.
Chris G wrote:
> I suppose there *is* a possible reason for this. If, say, user 'chris' wants to make his files available to other users then those other users can be added to group 'chris'. This is more specific than having to add them to group 'users' which would give them access to files of any user in group 'users'.
That's not a good idea, because that group has rights for *all* your files, not just the ones you want to share. So if you happen to have group-writable permissions on say your shell's dot files or executables in a ~/bin directory (not that you should), then your account can easily be hacked.
If you want to share files, the recommended way is to create a separate directory with appropriate permissions. See for example http://www.oreillynet.com/onlamp/blog/2006/09/using_user_private_groups.html .
-- Martijn
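
The shared-directory approach recommended in the message above, as an added example that is not part of the original thread: a setgid directory owned by the sharing group, with the original file left private. The function names, the file name and the use of the caller's primary gid (so the demo runs without root; in practice this would be a dedicated group) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All names and sample data are constructed.

# make_shared_dir DIR GROUP: group-owned directory, setgid so that new files
# inherit GROUP, and no access at all for "other".
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# share_file SRC DIR: copy one file into the shared directory and make the copy
# group read/write; the original keeps whatever mode it had.
share_file() {
    ( umask 007; cp "$1" "$2/" ) && chmod 660 "$2/$(basename "$1")"
}

# Helpers that read the same fields 'ls -l' shows in the thread.
mode_of() { ls -ldn "$1" | cut -c1-10; }
gid_of()  { ls -ldn "$1" | awk '{print $4}'; }

# demo_share: prints "<dir mode> <shared copy mode> <original mode> <same group?>"
demo_share() {
    tmp=$(mktemp -d) || return 1
    ( umask 077; echo "constructed sample" > "$tmp/notes.txt" )  # private original
    # Assumption: the caller's primary gid stands in for a dedicated sharing group.
    make_shared_dir "$tmp/shared" "$(id -g)" || return 1
    share_file "$tmp/notes.txt" "$tmp/shared" || return 1
    dmode=$(mode_of "$tmp/shared")
    fmode=$(mode_of "$tmp/shared/notes.txt")
    omode=$(mode_of "$tmp/notes.txt")
    if [ "$(gid_of "$tmp/shared/notes.txt")" = "$(gid_of "$tmp/shared")" ]; then
        same=yes
    else
        same=no
    fi
    rm -rf "$tmp"
    echo "$dmode $fmode $omode $same"
}
```

Only what is placed in the shared directory becomes visible to the group; dot files and ~/bin stay under the owner's own umask.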
On Mon, Feb 15, 2010 at 09:22:24AM +0000, Martijn Koster wrote:
> Chris G wrote:
> > I suppose there *is* a possible reason for this. If, say, user 'chris' wants to make his files available to other users then those other users can be added to group 'chris'. This is more specific than having to add them to group 'users' which would give them access to files of any user in group 'users'.
> That's not a good idea, because that group has rights for *all* your files, not just the ones you want to share.
No it doesn't, it depends on which files you give group read/write permissions to. So if my umask is set up to allow only me to see my files I get:-
-rw------- 1 chris chris  938 2010-02-01 14:06 23-09-2009-13-25.rst
-rw------- 1 chris chris  477 2010-02-01 14:05 27-10-2009-23-11.rst
-rw------- 1 chris users 4754 2008-11-26 10:39 GA-EG31M-S2
-rw------- 1 chris users 4700 2008-11-26 10:39 GA-EG31MF-S2
Then I decide I want some user to see GA-EG31M-S2, I change the permissions for that file to:-
-rw-r----- 1 chris users 4754 2008-11-26 10:39 GA-EG31M-S2
(OK, those are some old files with 'users' group but the idea is right)
(Ted Harding) wrote:
> Is there a good reason for this change?
See the links provided in the references for
http://en.wikipedia.org/wiki/File_system_permissions#User_private_group
and the rationale provided in
http://www.redhat.com/docs/manuals/linux/RHL-6.2-Manual/ref-guide/s1-sysadmi...
-- Martijn
On Sun, 2010-02-14 at 22:11 +0000, Ted.Harding@manchester.ac.uk wrote:
> Hi Folks, I recently noticed something which struck me as strange.
> In the past, on my older Linux distributions, an "ordinary" user gets set up as user=<username> and group="users". Thus, for instance, on those systems an 'ls -l' gives the likes of
> -rw-r--r-- 1 ted users    16 Apr  2  2008 -
> drwxr-xr-x 3 ted users 20480 Jun  3  2008 00_junk
> drwxr-xr-x 2 ted users  4096 May 10  2005 00_misc
> drwxr-xr-x 2 ted users  4096 Jan 31  2008 00_realplay
> However, on recent Debian (since Etch), I see that it is user=<username> and group=<username>. Thus now 'ls -l' gives
> -rw------- 1 ted ted 4643403 2009-06-02 18:56 03-Iii_Sarabanda.mp3
> -rw------- 1 ted ted 3476861 2008-04-27 21:38 2nd_week_004.jpg
> -rw------- 1 ted ted 2879890 2008-04-27 21:38 2nd_week_006.jpg
As far as I know the reason for this is that the umask is often set rather open so files are often readable and sometimes even writable to other people in the same group. Making each user a member of a unique per-user group closes down this potential insecurity.
There is some more information in the manual entry to adduser and there is a setting USERGROUPS in the /etc/adduser.conf file which controls this.
Steve.
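
An added example, not part of the original thread, of checking the two things this message mentions: the USERGROUPS value in an adduser.conf-style file, and which files an open umask has left readable or writable by a given group. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names and sample data are constructed.

# usergroups_setting FILE: print the value assigned to USERGROUPS in an
# adduser.conf-style file (optional quotes stripped, last assignment reported).
usergroups_setting() {
    sed -n "s/^[[:space:]]*USERGROUPS=[\"']\{0,1\}\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1
}

# group_exposed_files DIR GID: list regular files under DIR that belong to
# group GID and are readable or writable by that group.
group_exposed_files() {
    find "$1" -type f -group "$2" \( -perm -040 -o -perm -020 \) | sort
}

# demo_setting: run usergroups_setting on a constructed sample config.
demo_setting() {
    conf=$(mktemp) || return 1
    printf '%s\n' '# constructed sample, not a real system file' 'USERGROUPS=yes' > "$conf"
    usergroups_setting "$conf"
    rm -f "$conf"
}

# demo_audit: create three files under different umasks, then list the ones
# the current group can read or write.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    ( umask 077; : > "$tmp/private.txt" )    # created -rw-------
    ( umask 027; : > "$tmp/readable.txt" )   # created -rw-r-----
    ( umask 002; : > "$tmp/writable.txt" )   # created -rw-rw-r--
    group_exposed_files "$tmp" "$(id -g)" | sed "s|^$tmp/||" | paste -s -d ' ' -
    rm -rf "$tmp"
}
```

On a system using the shared 'users' group, running group_exposed_files over a home directory with that group's gid shows what every other member of the group can already reach.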
On 15-Feb-10 11:12:25, Steve Fosdick wrote:
> On Sun, 2010-02-14 at 22:11 +0000, Ted.Harding@manchester.ac.uk wrote:
> > Hi Folks, I recently noticed something which struck me as strange.
> > In the past, on my older Linux distributions, an "ordinary" user gets set up as user=<username> and group="users". Thus, for instance, on those systems an 'ls -l' gives the likes of
> > -rw-r--r-- 1 ted users    16 Apr  2  2008 -
> > drwxr-xr-x 3 ted users 20480 Jun  3  2008 00_junk
> > drwxr-xr-x 2 ted users  4096 May 10  2005 00_misc
> > drwxr-xr-x 2 ted users  4096 Jan 31  2008 00_realplay
> > However, on recent Debian (since Etch), I see that it is user=<username> and group=<username>. Thus now 'ls -l' gives
> > -rw------- 1 ted ted 4643403 2009-06-02 18:56 03-Iii_Sarabanda.mp3
> > -rw------- 1 ted ted 3476861 2008-04-27 21:38 2nd_week_004.jpg
> > -rw------- 1 ted ted 2879890 2008-04-27 21:38 2nd_week_006.jpg
> As far as I know the reason for this is that the umask is often set rather open so files are often readable and sometimes even writable to other people in the same group. Making each user a member of a unique per-user group closes down this potential insecurity.
> There is some more information in the manual entry to adduser and there is a setting USERGROUPS in the /etc/adduser.conf file which controls this.
> Steve.
Many thanks for the pointer to /etc/adduser.conf, Steve! That looks like what I need for sorting this out.
Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@manchester.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 15-Feb-10 Time: 11:21:28
------------------------------ XFMail ------------------------------