Date: Thu, 23 Dec 1999 07:45:55 -0800 (PST)
From: David Wolfskill <dhw@whistle.com>
To: aunty@comcen.com.au, freebsd-isp@FreeBSD.ORG
Subject: Re: individual groups?
Message-ID: <199912231545.HAA63912@pau-amma.whistle.com>
In-Reply-To: <19991223175408.A35318@comcen.com.au>

>Date: Thu, 23 Dec 1999 17:54:08 +1100
>From: aunty <aunty@comcen.com.au>

>I'm converting almost 6000 users from BSDI to FreeBSD.
>They are all in the same group (100 user) from the BSDI system.

Ummm.... Please see below.

>New users are added daily. Should I rig the adduser.conf so that new
>users all go into the same group like before, or should I let new users
>take individual groups FreeBSD-style? What are the pros and cons?

One of the traditional differences between the BSD & USG approaches to group membership is that in the BSD world, a given user was a member of a set of groups (the upper bound of which is defined in NGROUPS, in /usr/include/sys/param.h), while in the USG world, a user was in a single group at a time, and used the "newgrp" command to switch from one to another (which is a built-in in some shells).

So the essential point is that since we're discussing a BSD system, this isn't quite the binary choice it might first appear to be; a user can be in multiple groups at the same time.

That, then, brings us to the extent to which it matters which group is specified in the passwd entry.

First, a disclaimer: things such as /etc/login.conf surprised me when I started using/administering FreeBSD; much of my BSD experience is based on SunOS 4.1.1_U1 (and prior systems). So there may well be changes more recent than I'm aware of, and you'd do well to keep that in mind.

That said, the group mention in the passwd file is used to establish the default group ownership of files that are created. (This is overridden if the setgid bit is set in the containing directory at the time of file creation, and it is overridden in such a case to be the group that owns the directory in question.)

So, if the environment is such where you have "enough" (a rather context-sensitive notion, that) file-creation happening in directories without the setgid bit set, and you want the group-ownership of those files to be different, depending on various factors, then it would seem to make sense to set up the default group for a given user to be dependent on those factors. (Or you might decide to whack the directories in question, and avoid that hassle... but you might need to ensure that the directories stay whacked & new ones get created properly.)

My default approach tends to be to make the passwd entries reflect broad categories, such as "real people" vs. "automated processes" (and the latter are fairly often subdivided, since they're rather easier to control). I'll then use the groups file/NIS map to assign membership to folks as appropriate.

I'm having a little difficulty coming up with an explanation of why I think that way makes sense; I hope it's merely an artifact of the cold I'm getting over (nothing between the ears works quite right (yet?)), rather than something rather more dire. :-{

Cheers,
david
-- 
David Wolfskill  dhw@whistle.com  UNIX System Administrator
voice: (650) 577-7158  pager: (888) 347-0197  FAX: (650) 372-5915

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
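
Added example (not part of the message above): a Python script that reads passwd- and group-format text, builds each account's full group set (the primary group from passwd plus memberships from the group file), lists primary groups shared by more than one account, and flags accounts over the group limit. The sample data is constructed, and the limit of 16 is an assumed value; read NGROUPS from sys/param.h on the target system.

```python
from collections import defaultdict

# Constructed sample data in passwd(5)/group(5) layout; not from the original message.
PASSWD = """\
alice:*:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/sh
backup:*:900:900:Backup job:/nonexistent:/usr/sbin/nologin
"""
GROUP = """\
user:*:100:
carol:*:1003:
daemons:*:900:backup
web:*:2000:alice,carol
billing:*:2001:alice,bob
"""

def records(text, min_fields):
    """Yield colon-split fields, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            yield fields

def group_sets(passwd_text, group_text):
    """Map each user to [primary group, *supplementary groups] by name."""
    names, extra = {}, defaultdict(set)
    for name, _pw, gid, members in (f[:4] for f in records(group_text, 4)):
        names[int(gid)] = name
        for user in filter(None, members.split(",")):
            extra[user].add(name)
    result = {}
    for f in records(passwd_text, 7):
        user, gid = f[0], int(f[3])
        primary = names.get(gid, f"gid{gid}")  # gid with no group entry
        result[user] = [primary] + sorted(extra[user] - {primary})
    return result

def audit(passwd_text, group_text, ngroups=16):
    """Return (primary groups shared by several users, users over the limit).

    ngroups=16 is an assumed default, not a value taken from the message.
    """
    sets = group_sets(passwd_text, group_text)
    shared = defaultdict(list)
    for user, groups in sets.items():
        shared[groups[0]].append(user)
    return ({g: u for g, u in shared.items() if len(u) > 1},
            [u for u, g in sets.items() if len(g) > ngroups])
```

Accounts listed under a shared primary group are the ones whose newly created files land in a common group by default, so their umask and directory modes decide who else can read them.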