Re: [lmi] Multiuser *nix configuration
From: Greg Chicares
Subject: Re: [lmi] Multiuser *nix configuration
Date: Fri, 1 May 2020 21:14:42 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
On 2020-05-01 16:31, Vadim Zeitlin wrote:
> On Fri, 1 May 2020 16:09:31 +0000 Greg Chicares <address@hidden> wrote:
>
> GC> Vadim--Is there any reason not to do the following on our
> GC> linux server?
> GC> - umask 002
>
> Yes, this seems reasonable, especially if each user still has their own
> group (instead of just being part of some "users" group, but I think all
> Linux distributions now create per-user group by default),
Unfortunately, no, we're all part of some "users" group.
> and so files
> under their home remain only writable by them and not by everybody.
Below, I discuss a workaround that would achieve that result.
> GC> - set GID bit on all directories we create
>
> This is definitely perfectly normal for the directories that are supposed
> to contain the files you collaborate on. E.g. it is the case for the shared
> git repositories.
[That's the intention, but I can demonstrate that the git
maintainers haven't achieved it (even after the FETCH_HEAD
defect is fixed), so we may need a git post-update hook
to adjust permissions.]
> GC> We can't create users. But I have been able to create an "lmi"
> GC> group and add us both to it.
>
> I didn't even think about it, but we're indeed very lucky that you can
> create groups.
I suppose that's just the way LDAP (or whatever) is set up.
This works:
https://lists.nongnu.org/archive/html/lmi/2019-09/msg00022.html
| # Set up an 'lmi' group...
| sudo groupadd lmi
| # for U = my id and U = Kim's id both:
| sudo usermod -a -G lmi ${U}
and seems to affect only /etc/group , but this fails:
$ sudo usermod -g lmi my_secret_id
usermod: user '...' does not exist in /etc/passwd
Although I can't change my primary group permanently,
I can change it temporarily:
$ newgrp lmi
$ id -gn
lmi
so maybe we should do that in ~/.zshrc .
As for making /home/my_user readable by me only, I could
$ sudo groupadd special_group_for_me_only
$ sudo usermod -a -G special_group_for_me_only my_secret_id
and then Kim couldn't read it, except with sudo.
But I hesitate to do this, because something bad might
happen to my home directory if corporate IT removes my
special group.
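
[Added example, not part of the original message and not lmi's or git's own code: a sketch of the check and repair that a post-update hook could run for the "umask 002 plus setgid directories" scheme discussed above. The function names and the temporary tree are constructed for illustration, and only modes are checked, not group ownership.]

```shell
#!/bin/sh
# Added example: function names and the temporary tree are constructed.

# List entries under $1 that break the scheme: directories without the
# setgid bit, and files or directories that are not group-writable.
audit_shared() {
    find "$1" \( \( -type d ! -perm -2000 \) -o \
                 \( ! -type l ! -perm -0020 \) \) -print
}

# Bring an existing tree into line: setgid plus group rwx on directories,
# group rw on regular files.
repair_shared() {
    find "$1" -type d -exec chmod g+rwxs {} +
    find "$1" -type f -exec chmod g+rw {} +
}

# Count lines on stdin, without the padding some wc implementations add.
count() { wc -l | tr -d ' '; }

demo() {
    root=$(mktemp -d) || return 1
    # Constructed sample: a tree created under the common default umask 022.
    ( umask 022 && mkdir "$root/shared" && : > "$root/shared/old_file" )
    before=$(audit_shared "$root" | count)
    repair_shared "$root"
    # With umask 002 inside a setgid directory, new entries need no repair:
    # on Linux the subdirectory inherits the setgid bit, and both the
    # subdirectory and the file come out group-writable.
    ( umask 002 && mkdir "$root/shared/new_dir" \
        && : > "$root/shared/new_dir/new_file" )
    after=$(audit_shared "$root" | count)
    rm -rf "$root"
    echo "$before $after"
}

demo
```

The first number counts the entries flagged before the repair (the temporary root, the directory and the file); the second counts those flagged after new entries are created under umask 002.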