Message-ID: <3DC80F76.4020909@centtech.com>
Date: Tue, 05 Nov 2002 12:35:34 -0600
From: Eric Anderson
To: Klaus Steden
Cc: freebsd-security@freebsd.org
Subject: Re: per-user groups
References: <20021105130922.A36056@cthulu.compt.com>

Klaus Steden wrote:
> Can anyone explain to me the benefits of per-user groups? It seems to me that
> modern *nix systems, FreeBSD included, create a new group for each user.
>
> Is there a security benefit (or some other benefit) to be had by this? Why has
> it apparently been adopted as a convention by the free *nix flavours?

My understanding (which is most probably incorrect), is that it is safer to assign a new group per user, than automatically default them to some set group. In other words - people are lazy, and so if that's true (it is), then they are likely to believe that the default is the best choice. If all users default to some standard group, then it is far easier to have accidentally set a file to mode 775 (or some such variant), and have the whole user base have rights to it, than a default group of the user itself - which would be limited.

Eric

--
------------------------------------------------------------------
Eric Anderson    Systems Administrator    Centaur Technology
Beware the fury of a patient man.
------------------------------------------------------------------
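
The effect described in the reply above, as an added example that is not part of the original message: it computes which accounts can write to a mode 775 file under a shared default group and under per-user groups. The account names, IDs and group lines are constructed, and the file's group is assumed to be its owner's primary group.

```python
import stat

# Constructed passwd(5)-style samples: name:pw:uid:gid:gecos:home:shell
SHARED_PASSWD = """\
alice:*:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/bin/sh
carol:*:1003:100:Carol:/home/carol:/bin/sh
"""
PER_USER_PASSWD = """\
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/sh
"""
# Constructed group(5)-style samples: name:pw:gid:member,member
SHARED_GROUP = "users:*:100:\n"
PER_USER_GROUP = "alice:*:1001:\nbob:*:1002:carol\ncarol:*:1003:\n"


def _records(text):
    """Split colon-separated database text into field lists."""
    return [l.split(":") for l in text.splitlines() if l and l[0] != "#"]


def writers(owner, mode, passwd_text, group_text):
    """Accounts that may write a file owned by `owner` whose group is the
    owner's primary group (an assumption of this example)."""
    accounts = {f[0]: (int(f[2]), int(f[3])) for f in _records(passwd_text)}
    members = {int(f[2]): set(f[3].split(",")) for f in _records(group_text)}
    owner_uid, file_gid = accounts[owner]
    allowed = []
    for name, (uid, gid) in accounts.items():
        # Exactly one permission class applies: owner, else group, else other.
        if uid == owner_uid:
            bit = stat.S_IWUSR
        elif gid == file_gid or name in members.get(file_gid, set()):
            bit = stat.S_IWGRP
        else:
            bit = stat.S_IWOTH
        if mode & bit:
            allowed.append(name)
    return sorted(allowed)


if __name__ == "__main__":
    for label, pw, gr in (("shared", SHARED_PASSWD, SHARED_GROUP),
                          ("per-user", PER_USER_PASSWD, PER_USER_GROUP)):
        print(label, writers("alice", 0o775, pw, gr))
```

In the per-user sample, carol is listed as a member of bob's group, so bob's 775 files are writable by carol only because that membership was granted explicitly.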