[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Why is the default user group "users"? and: rights and access to /va
Re: Why is the default user group "users"? and: rights and access to /var/mail
Thu, 05 Apr 2018 23:43:33 -0700
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
Nils Gillmann <address@hidden> writes:
> can someone tell me why in gnu/system/shadow module you thought
> it would be a good idea to default to "users" as a shared group
> for all accounts created as normal user profiles?
> Reason why I'm asking has a second question attached:
> Why does our opensmtpd-service (and dovecot?) create
> /var/mail world readable, owned by root:root?
Does the opensmtpd-service allow a user to customize in their
<operating-system> declaration the permissions it will use for
/var/mail? If it does, then you should be able to specify precisely the
permissions you want on /var/mail.
> I'm working on integration of mailx (package done, debugging its
> runtime currently), though I think my concern is not exclusive to
> mailx: I want users to be able to read mailboxes inside /var/mail
> by their name (/var/mail/$username) and which are set to be r+w
> only for $username:$username. If you want to list the content of
> the folder you would need to be part of the wheel/sudo group,
> otherwise you are just able to access your mailbox with your
> $username:$username was what I learned as good and secure usage
> for user accounts. Why GuixSD uses $username:users is beyond me.
> I know recently the default chmod of the user $home was changed
> (last year?) so I can no longer read other users homes, but I'm
> still questioning the choice.
> Some explanation on this would be good.
In defense of the current default, my understanding is that in shared
systems, it is not uncommon to put users in a single group (e.g.,
users). I suppose the intent might be to make it easier for the users
to collaborate in such shared systems. So, I didn't find this behavior
very surprising. However, if you want to change the user/group
structure, you ought to be able to do so. I believe you can do that by
customizing the "users" and "groups" fields of your <operating-system>
declaration (see: (guix) operating-system Reference). You even should
to be able to remove the "users" group entirely if you don't want it.
Hope that helps!
Description: PGP signature