From owner-freebsd-security Tue Jun 23 23:15:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA10549 for freebsd-security-outgoing; Tue, 23 Jun 1998 23:15:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA10408 for ; Tue, 23 Jun 1998 23:14:10 -0700 (PDT) (envelope-from peter.jeremy@alcatel.com.au)
Received: from mfg1.cim.alcatel.com.au ("port 3551"@[139.188.23.1]) by gatekeeper.alcatel.com.au (PMDF V5.1-7 #U2695) with ESMTP id <01IYM5V4SQJ40044P2@gatekeeper.alcatel.com.au> for freebsd-security@FreeBSD.ORG; Wed, 24 Jun 1998 12:53:34 +1000
Received: from gsms01.alcatel.com.au by cim.alcatel.com.au (PMDF V5.1-10 #U2695) with ESMTP id <01IYM5V2WB6O8WWMNK@cim.alcatel.com.au> for freebsd-security@FreeBSD.ORG; Wed, 24 Jun 1998 12:53:32 +1000
Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.8.8/8.7.3) id MAA17918 for freebsd-security@FreeBSD.ORG; Wed, 24 Jun 1998 12:53:31 +1000 (EST)
Date: Wed, 24 Jun 1998 12:53:31 +1000 (EST)
From: Peter Jeremy
Subject: Re: adduser chmod permissions
To: freebsd-security@FreeBSD.ORG
Message-id: <199806240253.MAA17918@gsms01.alcatel.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 23 Jun 1998 18:53:57 -0500, "Matthew D. Fuller" wrote:
>And as for 'each user in their own group', well, that defeats some of the
>niceness of groups. I have a group user, which all normal users belong
>to, and no others. So if someone breaks in as 'daemon' or 'nobody', they
>can't get at a lot of stuff, whereas normal users have no problem.

Actually, IMHO, your approach defeats much of the usefulness of groups :-).
One of the niceties of the BSD model is that users can belong to multiple
groups.
The BSD security model is based around putting different files & directories
in different groups to control who can access them. E.g., all games are in
group games and if a user wants to use them, he has to be in the games group.
You could similarly restrict access to (e.g.) X11, source code and development
tools.

By giving each user his own group, you are allowing each user to define what
other users he will share his files with. (Ideally, this needs a tool which
allows a non-root user to control the contents of `her' entry in /etc/group).

There are a couple of gotchas with using this approach on a big system:
- By default a user can only belong to 16 groups (defined by NGROUPS_MAX in
  sys/syslimits.h)
- NFS V2 (or at least some variants thereof) only allow 8 groups.
- /etc/group is limited to 1024 char lines and no more than 200 users per
  group.

Unfortunately, these particular arbitrary limits appear to be spread around in
a variety of places (I've found 4 different places where the 200 users per
group limit is defined, and there may be others. I haven't even looked for the
1024-char line limit).

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015             Fax:   +61 2 9690 5247

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
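The three limits Peter lists (NGROUPS_MAX, the NFS v2 credential size, and the /etc/group line and member caps) are easy to trip silently once every user has a group of their own, because nothing in adduser or vipw warns you. The following is an added example, written for this page and not part of the original message or of FreeBSD, that parses passwd(5) and group(5) text and reports which users and groups exceed each limit. The limit values default to the ones quoted in the message and are parameters so the check can be re-run against a different system's sys/syslimits.h. It assumes the BSD convention that the per-process group count includes the primary gid from passwd (cr_groups[0]) plus every /etc/group entry naming the user, with a duplicate of the primary gid dropped, which is how initgroups(3) builds the set. The sample passwd and group files are constructed for the example, not taken from any real system.

```python
"""Audit passwd/group text against the group-count and /etc/group size limits."""
from collections import defaultdict

# Limits as quoted in the message above (FreeBSD, 1998). They are parameters
# below so the check can be run against whatever the target system defines.
NGROUPS_MAX = 16         # sys/syslimits.h: gids per process, primary gid included
NFS_V2_GROUPS = 8        # gids an NFS v2 AUTH_UNIX credential can carry
GROUP_LINE_MAX = 1024    # longest /etc/group line the tools accept
GROUP_MEMBERS_MAX = 200  # members per group


def parse_passwd(text):
    """Map user -> primary gid from passwd(5) text (name:pw:uid:gid:gecos:home:shell)."""
    primary = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            primary[fields[0]] = int(fields[3])
    return primary


def parse_group(text):
    """Map group -> (gid, members, raw line length) from group(5) text (name:pw:gid:m1,m2)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m], len(line))
    return groups


def groups_per_user(passwd_text, group_text):
    """Count the gids each user gets the way initgroups(3) builds them: the
    primary gid from passwd first, then every /etc/group entry naming the user,
    with a repeat of the primary gid collapsed (assumption: BSD semantics)."""
    membership = defaultdict(set)
    for user, gid in parse_passwd(passwd_text).items():
        membership[user].add(gid)
    for _name, (gid, members, _length) in parse_group(group_text).items():
        for user in members:
            membership[user].add(gid)
    return {user: len(gids) for user, gids in membership.items()}


def audit(passwd_text, group_text, ngroups_max=NGROUPS_MAX, nfs_groups=NFS_V2_GROUPS,
          line_max=GROUP_LINE_MAX, members_max=GROUP_MEMBERS_MAX):
    """Return the users and groups that exceed each limit."""
    groups = parse_group(group_text)
    counts = groups_per_user(passwd_text, group_text)
    return {
        "over_ngroups": {u: n for u, n in counts.items() if n > ngroups_max},
        "over_nfs": {u: n for u, n in counts.items() if n > nfs_groups},
        "long_lines": [g for g, (_gid, _m, length) in groups.items() if length > line_max],
        "big_groups": {g: len(m) for g, (_gid, m, _length) in groups.items()
                       if len(m) > members_max},
    }


# Constructed sample files (not from any real system): a per-user group scheme
# where alice shares her files with bob, plus role groups like the message describes.
PASSWD = "\n".join([
    "root:*:0:0:Charlie &:/root:/bin/csh",
    "alice:*:1001:1001:Alice:/home/alice:/bin/sh",
    "bob:*:1002:1002:Bob:/home/bob:/bin/sh",
    "carol:*:1003:1003:Carol:/home/carol:/bin/sh",
] + [f"user{i:03d}:*:{2000 + i}:{2000 + i}:User {i}:/home/user{i:03d}:/bin/sh"
     for i in range(201)])

GROUP = "\n".join([
    "wheel:*:0:root",
    "games:*:13:alice,bob",
    "alice:*:1001:bob",  # alice lets bob read her group-readable files
    "bob:*:1002:",
    "carol:*:1003:",
] + [f"proj{i:02d}:*:{3000 + i}:carol" for i in range(16)]  # carol: primary + 16 = 17 gids
  + ["staff:*:20:" + ",".join(f"user{i:03d}" for i in range(201))])  # 201 members, >1024 chars


if __name__ == "__main__":
    for key, value in audit(PASSWD, GROUP).items():
        print(f"{key}: {value}")
```

Running it reports carol (17 gids) under both the NGROUPS_MAX and NFS v2 limits, and the staff group under both the 200-member and 1024-character caps; passing ngroups_max=1023, which is what later FreeBSD releases define, clears carol from the first finding but not from the NFS one, which is the point of keeping the two limits separate. To audit a live host, read /etc/master.passwd (or the output of `getent passwd`) and /etc/group into the two strings.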