Re: [lmi] Multiuser *nix configuration


From: Greg Chicares
Subject: Re: [lmi] Multiuser *nix configuration
Date: Fri, 1 May 2020 21:14:42 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0

On 2020-05-01 16:31, Vadim Zeitlin wrote:
> On Fri, 1 May 2020 16:09:31 +0000 Greg Chicares <address@hidden> wrote:
> 
> GC> Vadim--Is there any reason not to do the following on our
> GC> linux server?
> GC>  - umask 002
> 
>  Yes, this seems reasonable, especially if each user still has their own
> group (instead of just being part of some "users" group, but I think all
> Linux distributions now create per-user group by default),

Unfortunately, no, we're all part of some "users" group.

> and so files
> under their home remain only writable by them and not by everybody.

Below, I discuss a workaround that would achieve that result.

> GC>  - set GID bit on all directories we create
> 
>  This is definitely perfectly normal for the directories that are supposed
> to contain the files you collaborate on. E.g. it is the case for the shared
> git repositories.

[That's the intention, but I can demonstrate that the git
maintainers haven't achieved it (even after the FETCH_HEAD
defect is fixed), so we may need a git post-update hook
to adjust permissions.]

> GC> We can't create users. But I have been able to create an "lmi"
> GC> group and add us both to it.
> 
>  I didn't even think about it, but we're indeed very lucky that you can
> create groups.

I suppose that's just the way LDAP (or whatever) is set up.
This works:

https://lists.nongnu.org/archive/html/lmi/2019-09/msg00022.html
|  # Set up an 'lmi' group...
|  sudo groupadd lmi
|  # for U = my id and U = Kim's id both:
|  sudo usermod -a -G lmi ${U}

and seems to affect only /etc/group , but this fails:

  $sudo usermod -g lmi my_secret_id
  usermod: user '...' does not exist in /etc/passwd

Although I can't change my primary group permanently,
I can change it temporarily:

  $newgrp lmi
  $id -gn
  lmi

so maybe we should do that in ~/.zshrc .

As for making /home/my_user readable by me only, I could
  $sudo groupadd special_group_for_me_only
  $sudo usermod -a -G special_group_for_me_only my_secret_id
and then Kim couldn't read it, except with sudo.
But I hesitate to do this, because something bad might
happen to my home directory if corporate IT removes my
special group.
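
The scheme discussed in this thread (umask 002 plus setgid directories owned by a shared group), as an added example that is not part of the original message: one helper creates such a directory and another audits a tree for entries that would break sharing. The function names and finding labels are made up for this example, and the group (for instance 'lmi') is assumed to exist already.

```shell
#!/bin/sh
# Added example, not code from the thread or from the lmi project.

# Create a collaboration directory: group-owned, setgid, group-writable.
# $1 = directory, $2 = group name or numeric gid (assumed to exist).
make_shared_dir() {
    mkdir -p "$1" &&
    chgrp "$2" "$1" &&
    chmod 2775 "$1"   # 2000 = setgid: new entries inherit the directory's group
}

# Audit a shared tree. Prints one line per finding; returns 0 if the tree
# is clean and 1 otherwise.
#  - a directory without setgid or group rwx: files created there fall back
#    to the creator's primary group (the site-wide "users" group here)
#  - a file without group read-write: typically created under umask 022/077
#  - anything world-writable: the umask was looser than 002
audit_shared_tree() {
    findings=$(
        find "$1" -type d ! -perm -2070 | sed 's/^/dir lacks setgid or group rwx: /'
        find "$1" -type f ! -perm -060  | sed 's/^/file not group read-write: /'
        find "$1" ! -type l -perm -002  | sed 's/^/world-writable: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use, with a hypothetical path:
#   make_shared_dir /opt/lmi/shared lmi
#   umask 002
#   audit_shared_tree /opt/lmi/shared
```

Run the audit periodically or after a git update, since a single file written under a stricter umask is enough to block the other group members.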

