Date:      Sun, 10 Nov 2002 21:44:10 +0000
From:      Jez Hancock <jez.hancock@munk.nu>
To:        FreeBSD ISP List <freebsd-isp@freebsd.org>
Subject:   Re: per-user groups
Message-ID:  <20021110214410.GA98103@users.munk.nu>
In-Reply-To: <20021105130922.A36056@cthulu.compt.com>
References:  <20021105130922.A36056@cthulu.compt.com>

Sorry to jump in on this thread so late, but this is relevant to
what I was considering just yesterday.

On Tue, Nov 05, 2002 at 01:09:23PM -0500, Klaus Steden wrote:
> Can anyone explain to me the benefits of per-user groups? It seems to me that
> modern *nix systems, FreeBSD included, create a new group for each user.
> 
> Is there a security benefit (or some other benefit) to be had by this? Why has
> it apparently been adopted as a convention by the free *nix flavours?

My problem was with stopping one user, call him 'munk', from nosing
around in another user's home directory, call him 'joe', whilst also
allowing the apache web server to serve files from munk and joe's
public_html directories (/home/munk/web and /home/joe/web).

When I create the accounts, both munk and joe are assigned to their own
unique groups, also called munk and joe.  The problem arises when you 
attempt to stop munk and joe from looking in each other's home dirs
by setting the permissions on their home directories recursively as:

chmod -R o-rwx /home/munk
chmod -R o-rwx /home/joe

(i.e. do not allow 'other' users or group members to read, write or execute
in the home dirs, recursively)

This is fine if the apache daemon doesn't need access to either of these
users' home directories (i.e. /home/munk/web) - however apache is generally
run as user/group www/www by default on FreeBSD and, as such, with these
permission settings on munk and joe's home dirs, apache will not be able
to access their public_html directories.

The solution to this then is to simply add the user
'www' to both the groups 'munk' and 'joe' in /etc/group:

<file: /etc/group>
munk:*:1023:www
joe:*:1024:www
</file>

so that the www user, as a member of both the joe and munk groups,
can easily access the files in /home/munk/web and /home/joe/web as it
should be able to.

As I see it this is the inherent beauty of assigning each user to their
own unique group on a multi-user system - stopping each user from
nosing around in other home directories in this way.  Probably why it's
been adopted on so many Unices as well.

Cheers,

Jez
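The permission model behind this setup, as an added example that is not part of the original post: it takes constructed /etc/passwd and /etc/group entries modelled on the thread (uids, gids and the `www` membership are sample values), applies the POSIX owner/group/other check to every path component, and shows that `www` only reaches joe's public_html once it is listed in the `joe` group, while `munk` stays locked out.

```python
# Constructed sample passwd/group data modelled on the post; not from a real host.
ETC_PASSWD = """\
munk:*:1023:1023::0:0:Munk:/home/munk:/bin/sh
joe:*:1024:1024::0:0:Joe:/home/joe:/bin/sh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
"""
ETC_GROUP_BEFORE = "munk:*:1023:\njoe:*:1024:\nwww:*:80:\n"
ETC_GROUP_AFTER = "munk:*:1023:www\njoe:*:1024:www\nwww:*:80:\n"

# Constructed tree as left by `chmod -R o-rwx /home/munk /home/joe`:
# path -> (owner uid, group gid, mode bits).
TREE = {
    "/home": (0, 0, 0o755),
    "/home/munk": (1023, 1023, 0o750),
    "/home/munk/web": (1023, 1023, 0o750),
    "/home/munk/web/index.html": (1023, 1023, 0o640),
    "/home/joe": (1024, 1024, 0o750),
    "/home/joe/web": (1024, 1024, 0o750),
    "/home/joe/web/index.html": (1024, 1024, 0o640),
}

def identity(user, passwd, group):
    """Return (uid, set of gids): the primary gid from passwd plus every
    group whose member list in /etc/group names the user."""
    uid, gids = None, set()
    for line in passwd.splitlines():
        f = line.split(":")
        if f[0] == user:
            uid, gids = int(f[2]), {int(f[3])}
    for line in group.splitlines():
        _name, _pw, gid, members = line.split(":")
        if user in members.split(","):
            gids.add(int(gid))
    return uid, gids

def permits(uid, gids, node, want):
    """POSIX class selection: owner bits if uid matches, else group bits
    if the file's gid is one of ours, else the 'other' bits."""
    owner, gid, mode = node
    shift = 6 if uid == owner else 3 if gid in gids else 0
    return ((mode >> shift) & want) == want

def can_read(user, path, passwd, group):
    """Need search (x) on every parent directory, then read (r) on the file."""
    uid, gids = identity(user, passwd, group)
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        if not permits(uid, gids, TREE["/" + "/".join(parts[:depth])], 0o1):
            return False  # o-rwx on the home dir stops traversal right here
    return permits(uid, gids, TREE[path], 0o4)

if __name__ == "__main__":
    for grp, label in ((ETC_GROUP_BEFORE, "before"), (ETC_GROUP_AFTER, "after")):
        print(label, "www ->", can_read("www", "/home/joe/web/index.html", ETC_PASSWD, grp))
    print("munk -> joe:", can_read("munk", "/home/joe/web/index.html", ETC_PASSWD, ETC_GROUP_AFTER))
```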

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message