Re: [lmi] Multiuser *nix configuration


From: Vadim Zeitlin
Subject: Re: [lmi] Multiuser *nix configuration
Date: Fri, 1 May 2020 18:31:45 +0200

On Fri, 1 May 2020 16:09:31 +0000 Greg Chicares <address@hidden> wrote:

GC> Vadim--Is there any reason not to do the following on our
GC> linux server?
GC>  - umask 002

 Yes, this seems reasonable, especially if each user still has their own
group (instead of just being part of some "users" group, but I think all
Linux distributions now create a per-user group by default), and so files
under their home remain only writable by them and not by everybody.

GC>  - set GID bit on all directories we create

 This is definitely perfectly normal for the directories that are supposed
to contain the files you collaborate on. E.g. it is the case for the shared
git repositories.

GC> We can't create users. But I have been able to create an "lmi"
GC> group and add us both to it.

 I didn't even think about it, but we're indeed very lucky that you can
create groups.

GC> umask: Corporate policy is to use 077, presumably to gain some
GC> perceived "security" benefit. I've been able to override that.
GC> I don't see any legitimate reason not to make it 002.

 The potential benefit of using 7 as the last digit is that if some other
account, not belonging to the lmi group, is compromised, it wouldn't be able
to access any proprietary files located in the directories belonging to this
group. AFAICS using umask 007 wouldn't be any more restrictive for you than
using 002, so perhaps you could do this to be as consistent as possible
with the official policy.

 If you don't, setting 2770 mode on the shared directories should still
prevent users who are not part of the group from accessing the files and so
could be worth doing.

GC> setgid: I understand that setting the GID bit on regular files
GC> is a potential security concern, but am I correct in believing
GC> that it's purely harmless on directories?

 As long as it's done intentionally on the directories containing shared
files, I don't see anything wrong with it. I do think it's better to
explicitly opt in to using it for just these specific directories, i.e. I
prefer the Linux way to the BSD one, but I completely agree that there is
nothing wrong with using it in your scenario.

 Regards,
VZ
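
The umask and setgid choices discussed in this message, as an added example that is not part of the original e-mail: it creates a 2770 shared directory, shows what modes new files and subdirectories get under umask 002, 007 and 077, and audits the tree. It assumes Linux with GNU stat; the function names and temporary paths are hypothetical, and the caller's primary group stands in for the "lmi" group.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with GNU stat; the
# caller's primary group stands in for the "lmi" group.

# Shared directory as suggested above: rwx for owner and group, nothing
# for others, setgid so new entries inherit the directory's group.
make_shared_dir() {                      # $1 = path
    mkdir -p "$1" && chmod 2770 "$1"
}

# Mode of a file freshly created in directory $2 under umask $1.
file_mode_under_umask() {
    ( umask "$1" && : > "$2/file.$1" && stat -c '%a' "$2/file.$1" )
}

# Mode of a subdirectory freshly created in directory $2 under umask $1.
dir_mode_under_umask() {
    ( umask "$1" && mkdir "$2/dir.$1" && stat -c '%a' "$2/dir.$1" )
}

# Audit a shared tree: print directories missing the setgid bit and any
# entry that grants a permission bit to "other".
audit_shared_tree() {                    # $1 = root of the shared tree
    find "$1" -type d ! -perm -2000 -exec printf 'no-setgid: %s\n' {} \;
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) \
        -exec printf 'other-access: %s\n' {} \;
}

# Constructed demonstration in a throwaway temporary directory.
demo() {
    root=$(mktemp -d) || return 1
    make_shared_dir "$root/shared"
    for u in 002 007 077; do
        # 077 removes group write, 002 leaves "other" bits, 007 does neither
        printf 'umask %s: file %s, dir %s\n' "$u" \
            "$(file_mode_under_umask "$u" "$root/shared")" \
            "$(dir_mode_under_umask "$u" "$root/shared")"
    done
    audit_shared_tree "$root/shared"
    rm -rf "$root"
}

demo
```

The entries created under umask 002 are the ones the audit reports as `other-access`; the 2770 parent still keeps non-members from reaching them, but only for as long as that directory's mode stays intact.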
