[Gllug] File permissions and umask on Ubuntu (and I think probably, Debian)
John Winters
john at sinodun.org.uk
Sun Jan 7 17:07:26 UTC 2007
Anthony Newman wrote:
> John Winters wrote:
>> If you know a way of achieving this kind of file sharing without
>> setting umasks to 0002 then I'd love to hear it. Asking users to keep
>> changing their umasks depending on what kind of work they're doing is
>> *not* feasible.
>
> It appears that your only problem is non-propagation of group writable
> bits to subdirectories

and the files therein

> of your sharable root because of the default (and
> clearly sensible) system umask.

It's only a sensible one if you don't have separate groups for each user.
Yes, the traditional UNIX approach is to have all users belonging to a
group called "users" and a umask of 0022. The alternative approach of
group-per-user and a umask of 0002 has also been around for a long time
too now, and it seems to offer more functionality with no drawbacks, so
it too is sensible.

What isn't sensible is to have the half-and-half approach currently in
Debian. It appears that this has happened pretty much by accident.

When per-user groups were introduced into Debian, the relevant settings
were handled automatically. On a system with per-user groups (the
default) you got one group per user and a umask of 0002. If you changed
the setting to remove per-user groups then all users went in "users" and
the umask was set to 0022.

During the migration to handling these settings with PAM, it appears
that some of the functionality was lost, so by default you now get an
installation which uses half one system and half the other. This isn't
sensible whichever way you look at it.

> A disgusting but quite feasible hack is to periodically run a
> `/usr/bin/find /path/to/shared -type d -exec chmod g+w {} \;` to enable
> group members other than the file creator to alter the directory and its
> contents.

And a similar one to fix the ordinary files. You're quite right - it is
disgusting.

> Anything else would seem to be a bit of a corruption of the
> whole UNIX permissions philosophy :)

Not at all. It's a perfectly sensible use of the UNIX permissions
philosophy. The only odd thing is how it took so long to be thought of.

If one goes for the older approach of just one "users" group and a umask
of 0022, how do you manage shared project directories without having
users fiddling (or rather forgetting to fiddle) with their umasks all
the time?
John
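
The effect discussed in this thread, as an added example that is not part of the original message: the script creates a subdirectory and a file under each umask in a scratch directory, then lists the entries other group members cannot modify. The function names and the `alice`/`bob` labels are hypothetical, and `stat -c` assumes GNU coreutils as shipped on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example: how the process umask decides whether new entries in a
# shared project tree end up group-writable. All names are illustrative.

# mode_of PATH -> octal permission bits (GNU stat, as on Debian/Ubuntu)
mode_of() { stat -c '%a' "$1"; }

# create_under_umask MASK DIR NAME
# Creates DIR/NAME.d/ and DIR/NAME.d/file with the given umask. Runs in a
# subshell so the caller's own umask is left untouched.
# Prints "<directory mode> <file mode>".
create_under_umask() {
    (
        umask "$1"
        mkdir "$2/$3.d"
        : > "$2/$3.d/file"
        echo "$(mode_of "$2/$3.d") $(mode_of "$2/$3.d/file")"
    )
}

# audit_not_group_writable DIR
# Lists directories and regular files under DIR that lack the group write
# bit (octal 020), i.e. what other members of the group cannot alter.
# Read-only: it reports the entries instead of chmod-ing them.
audit_not_group_writable() {
    find "$1" \( -type d -o -type f \) ! -perm -020 -print | sort
}

demo() {
    shared=$(mktemp -d) || return 1   # constructed scratch "project" directory
    chmod 775 "$shared"
    echo "umask 0022: $(create_under_umask 0022 "$shared" alice)"
    echo "umask 0002: $(create_under_umask 0002 "$shared" bob)"
    echo "not group-writable:"
    audit_not_group_writable "$shared"
    rm -rf "$shared"
}

demo
```
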