From owner-freebsd-isp Sun Nov 10 13:42:33 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 52EB937B401 for ; Sun, 10 Nov 2002 13:42:31 -0800 (PST)
Received: from users.munk.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id E803F43E42 for ; Sun, 10 Nov 2002 13:42:29 -0800 (PST) (envelope-from munk@users.munk.nu)
Received: from users.munk.nu (localhost [127.0.0.1]) by users.munk.nu (8.12.5/8.12.3) with ESMTP id gAALiB4g098129 for ; Sun, 10 Nov 2002 21:44:11 GMT (envelope-from munk@users.munk.nu)
Received: (from munk@localhost) by users.munk.nu (8.12.5/8.12.3/Submit) id gAALiACE098128 for freebsd-isp@freebsd.org; Sun, 10 Nov 2002 21:44:10 GMT
Date: Sun, 10 Nov 2002 21:44:10 +0000
From: Jez Hancock
To: FreeBSD ISP List
Subject: Re: per-user groups
Message-ID: <20021110214410.GA98103@users.munk.nu>
Mail-Followup-To: FreeBSD ISP List
References: <20021105130922.A36056@cthulu.compt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20021105130922.A36056@cthulu.compt.com>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Sorry to jump in on this thread so late, but this is relevant to what I was considering just yesterday.

On Tue, Nov 05, 2002 at 01:09:23PM -0500, Klaus Steden wrote:
> Can anyone explain to me the benefits of per-user groups? It seems to me that
> modern *nix systems, FreeBSD included, create a new group for each user.
>
> Is there a security benefit (or some other benefit) to be had by this? Why has
> it apparently been adopted as a convention by the free *nix flavours?
My problem was with stopping one user, call him 'munk', from nosing around in another user's home directory, call him 'joe', whilst also allowing the apache web server to serve files from munk and joe's public_html directories (/home/munk/web and /home/joe/web).

When I create the accounts, both munk and joe are assigned to their own unique groups, also called munk and joe. The problem arises when you attempt to stop munk and joe from looking in each other's home dirs by setting the permissions on their home directories recursively as:

chmod -R o-rwx /home/munk
chmod -R o-rwx /home/joe

(ie do not allow 'other' users or group members to read, write or execute in the home dirs, recursively)

This is fine if the apache daemon doesn't need access to either of these users' home directories (ie /home/munk/web) - however apache is generally run as user/group www/www by default on FreeBSD and as such, with these permission settings on munk and joe's home dirs, apache will not be able to access their public html directories.

The solution to this then is to simply add the user 'www' to both the groups 'munk' and 'joe' in /etc/group:

munk:*:1023:www
joe:*:1024:www

so that the www user, as a member of both the joe and munk groups, can easily access the files in /home/munk/web and /home/joe/web as it should be able to.

As I see it this is the inherent beauty of assigning each user to their own unique group on a multi-user system - stopping each user from nosing around in other home directories in this way. Probably why it's been adopted on so many Unices as well.

Cheers,

Jez

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
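The following is an added example, not code from Jez's post or from FreeBSD. It is a small Python model of the Unix discretionary-access check (owner/group/other mode bits plus supplementary group membership, with the search bit needed on every directory of the path) applied to the layout the post describes. The user and group names munk, joe and www, the paths under /home, the `chmod -R o-rwx` step and the gids 1023 and 1024 come from the post; the file names notes.txt and index.html, the wheel group on /home and the www gid are constructed for the example, and the 755/644 starting modes are an assumption about what the home directories looked like before the chmod.

```python
"""Model of the per-user-group setup from the post (added example).

Simulates the kernel's permission check well enough to show why
'chmod -R o-rwx /home/<user>' keeps munk out of joe's files while a
'www' user listed in both per-user groups in /etc/group can still read
both public_html trees.  Names, paths and gids 1023/1024 follow the
post; other values are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Inode:
    owner: str
    group: str
    mode: int          # permission bits only, e.g. 0o750


def parse_group(text):
    """Parse /etc/group lines 'name:passwd:gid:member,member' into
    {group: set(members)}.  The passwd and gid fields are not needed here."""
    members = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _pw, _gid, mem = line.split(':', 3)
        members[name] = {m for m in mem.split(',') if m}
    return members


def groups_of(primary, members, user):
    """Effective group set: primary group plus every group listing the user."""
    return {primary[user]} | {g for g, ms in members.items() if user in ms}


def may(inode, user, want, primary, members):
    """One access check: choose the owner/group/other triple, test one bit."""
    bit = {'r': 4, 'w': 2, 'x': 1}[want]
    if user == inode.owner:
        triple = (inode.mode >> 6) & 7
    elif inode.group in groups_of(primary, members, user):
        triple = (inode.mode >> 3) & 7
    else:
        triple = inode.mode & 7
    return bool(triple & bit)


def can_read(fs, user, path, primary, members):
    """Like the kernel's path walk: search ('x') on every directory on the
    way down, then read ('r') on the final object."""
    parts = path.strip('/').split('/')
    for i in range(1, len(parts)):
        d = '/' + '/'.join(parts[:i])
        if not may(fs[d], user, 'x', primary, members):
            return False
    return may(fs[path], user, 'r', primary, members)


def build_fs(after_chmod):
    """Two home dirs.  Assumed starting point: 755 dirs / 644 files.
    After 'chmod -R o-rwx': 750 / 640, i.e. the 'other' triple is cleared."""
    d = 0o750 if after_chmod else 0o755
    f = 0o640 if after_chmod else 0o644
    fs = {'/home': Inode('root', 'wheel', 0o755)}   # constructed
    for u in ('munk', 'joe'):
        fs[f'/home/{u}'] = Inode(u, u, d)
        fs[f'/home/{u}/notes.txt'] = Inode(u, u, f)       # private file
        fs[f'/home/{u}/web'] = Inode(u, u, d)
        fs[f'/home/{u}/web/index.html'] = Inode(u, u, f)  # served by apache
    return fs


# Per-user primary groups as adduser creates them; www is apache's user.
PRIMARY = {'root': 'wheel', 'munk': 'munk', 'joe': 'joe', 'www': 'www'}

GROUP_BEFORE = "munk:*:1023:\njoe:*:1024:\nwww:*:80:\n"      # www gid constructed
GROUP_AFTER = "munk:*:1023:www\njoe:*:1024:www\nwww:*:80:\n"  # the post's two lines


def scenario(after_chmod, group_text):
    """Return {(user, path): readable} for the cases discussed in the post."""
    fs = build_fs(after_chmod)
    members = parse_group(group_text)
    cases = [
        ('munk', '/home/joe/notes.txt'),        # munk nosing around
        ('munk', '/home/joe/web/index.html'),
        ('www', '/home/munk/web/index.html'),   # apache serving munk
        ('www', '/home/joe/web/index.html'),    # apache serving joe
        ('www', '/home/joe/notes.txt'),         # what www gains as well
    ]
    return {c: can_read(fs, c[0], c[1], PRIMARY, members) for c in cases}


if __name__ == '__main__':
    for label, chm, grp in [('default perms', False, GROUP_BEFORE),
                            ('after chmod o-rwx', True, GROUP_BEFORE),
                            ('after chmod + www in groups', True, GROUP_AFTER)]:
        print(label)
        for (u, p), ok in scenario(chm, grp).items():
            print(f'  {u:5} {p:28} {"ok" if ok else "denied"}')
```

Running it walks through the three states of the post: with default modes everyone can read everything; after the chmod, munk is locked out of /home/joe but so is www; after the two /etc/group lines, www can read both index.html files while munk is still denied. The last case in the table is the one worth checking before adopting the scheme: group membership grants www the same read access to joe's private files as to joe's web directory, so any script or CGI running as www inherits it, and keeping sensitive files at mode 600 (or giving apache only the web subtree via a separate group) limits that.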