Date: Wed, 24 Jun 1998 12:53:31 +1000 (EST)
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: freebsd-security@FreeBSD.ORG
Subject: Re: adduser chmod permissions
Message-ID: <199806240253.MAA17918@gsms01.alcatel.com.au>
On Tue, 23 Jun 1998 18:53:57 -0500, "Matthew D. Fuller" <fullermd@futuresouth.com> wrote:
>And as for 'each user in their own group', well, that defeats some of the
>niceness of groups. I have a group user, which all normal users belong
>to, and no others. So if someone breaks in as 'daemon' or 'nobody', they
>can't get at a lot of stuff, whereas normal users have no problem.

Actually, IMHO, your approach defeats much of the usefulness of groups :-).

One of the niceties of the BSD model is that users can belong to multiple groups. The BSD security model is based around putting different files & directories in different groups to control who can access them. E.g., all games are in group games and if a user wants to use them, he has to be in the games group. You could similarly restrict access to (e.g.) X11, source code and development tools.

By giving each user his own group, you are allowing each user to define what other users he will share his files with. (Ideally, this needs a tool which allows a non-root user to control the contents of `her' entry in /etc/group).

There are a couple of gotchas with using this approach on a big system:
- By default a user can only belong to 16 groups (defined by NGROUPS_MAX in sys/syslimits.h)
- NFS V2 (or at least some variants thereof) only allow 8 groups.
- /etc/group is limited to 1024 char lines and no more than 200 users per group.

Unfortunately, these particular arbitrary limits appear to be spread around in a variety of places (I've found 4 different places where the 200 users per group limit is defined, and there may be others. I haven't even looked for the 1024-char line limit).

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015             Fax:   +61 2 9690 5247
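The gotchas Peter lists (16 groups per user via NGROUPS_MAX, 8 groups honoured by some NFSv2 servers, 1024-character /etc/group lines, 200 members per group) are exactly the things that silently break a per-user-group scheme on a large system. The script below is an added example, not code from the thread or from FreeBSD: it parses an /etc/group file and reports every entry and user that trips one of those limits. The limit values are taken from the message and treated as assumptions; check them against the sys/syslimits.h and group-file code of the system you actually run. The sample group file is constructed inline, and the "+1 for the primary group" rule is an assumption that the primary gid occupies one of the NGROUPS_MAX slots.

```python
"""Audit an /etc/group file against the group-size limits described in the thread.

Added example; limits below are the values quoted in the message, not
verified constants for any current system (assumption: adjust per host).
"""

NGROUPS_MAX = 16          # supplementary-group slots per user (sys/syslimits.h, per message)
NFS_V2_GROUPS = 8         # groups some NFSv2 implementations honour (per message)
GROUP_LINE_MAX = 1024     # maximum /etc/group line length (per message)
GROUP_MEMBERS_MAX = 200   # maximum members per group (per message)


def parse_group(text):
    """Parse /etc/group text into {name: (gid, members, raw_line_length)}.

    Comment and blank lines are skipped; any other line must have the four
    colon-separated fields name:password:gid:member,member,...
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 colon-separated fields")
        name, _passwd, gid, members = fields
        member_list = [m for m in members.split(",") if m]
        entries[name] = (int(gid), member_list, len(line))
    return entries


def audit_group(text):
    """Return the groups and users that exceed each limit.

    Users are counted by how many /etc/group entries list them; the
    primary group from /etc/passwd is assumed to take one more slot.
    """
    entries = parse_group(text)
    findings = {
        "long_lines": [],       # group entries longer than GROUP_LINE_MAX
        "big_groups": [],       # groups with more than GROUP_MEMBERS_MAX members
        "too_many_groups": [],  # users whose group count exceeds NGROUPS_MAX
        "nfs_v2_risk": [],      # users whose group count exceeds NFS_V2_GROUPS
    }
    per_user = {}
    for name, (_gid, members, length) in entries.items():
        if length > GROUP_LINE_MAX:
            findings["long_lines"].append(name)
        if len(members) > GROUP_MEMBERS_MAX:
            findings["big_groups"].append(name)
        for member in members:
            per_user.setdefault(member, []).append(name)
    for user, groups in sorted(per_user.items()):
        effective = len(groups) + 1  # assumption: primary gid uses one slot
        if effective > NGROUPS_MAX:
            findings["too_many_groups"].append(user)
        if effective > NFS_V2_GROUPS:
            findings["nfs_v2_risk"].append(user)
    return findings


def build_sample():
    """Constructed /etc/group for a per-user-group site, with deliberate violations."""
    lines = [
        "# constructed sample, not a real group file",
        "wheel:*:0:root,alice",
        "games:*:13:alice,bob",
        "src:*:100:alice",
        "alice:*:1001:",   # per-user groups: empty member lists
        "bob:*:1002:",
        "carol:*:1003:",
        "dave:*:1004:",
    ]
    # 205 members of 4 chars plus 204 commas = 1024 chars of members alone,
    # so this entry breaks both the 200-member and 1024-char limits.
    lines.append("bigproj:*:500:" + ",".join(f"u{i:03d}" for i in range(205)))
    # carol is listed in 16 groups (17 with her primary); dave in 8 (9 with primary)
    for i in range(16):
        members = "carol,dave" if i < 8 else "carol"
        lines.append(f"proj{i}:*:{600 + i}:{members}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for key, names in audit_group(build_sample()).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run it against a real file with `audit_group(open("/etc/group").read())`; the parse step raises on malformed lines rather than guessing, since a truncated group entry is precisely the failure mode that hands a user fewer groups than the administrator intended.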