
All our users are managed with a central LDAP. When my predecessor in managing the infrastructure created the LDAP, he decided against creating user groups (meaning groups with the same name as the user and a GID equal to the user's UID), and all users share one primary group, "users". This is the same behaviour as setting USERGROUPS_ENAB to no in /etc/login.defs.

In combination with the global UMASK of 027, all files created (and not modified access-rights-wise) are readable by all other users. As more and more users get shell access to some machines, this tends to become a problem.

How would you mitigate this problem? Would you create a user group for each user and change the default group to that group, or should I change the umask to 077?

The first option would be better on our file server, because there we have folders with the SETGID bit set so that groups can exchange files.

What are you doing on your servers?

HopelessN00b
Clemens Bergmann
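To see concretely what the question describes, here is an added example (not part of the original question) that computes and then verifies the mode new files get under umask 027 versus 077, and shows why the setgid directories on the file server still work with a per-user primary group: files created inside a setgid directory take the directory's group, not the creator's primary group. It assumes a Linux or BSD userland with `mktemp`, `stat` and `id`; the setgid part only runs if the invoking user has a supplementary group to hand the scratch directory to, and prints a "skipped" line otherwise.

```shell
#!/bin/sh
# Added example, not from the original post.  A new regular file starts at
# 0666 and a new directory at 0777; the umask bits are then cleared.  With
# every account in the one primary group "users", the group bits that umask
# 027 leaves set are readable by every other user on the box.

# Print the mode (octal) a new regular file gets under umask $1, e.g. 027 -> 640.
file_mode_for_umask() {
    printf '%03o\n' "$(( 0666 & ~0$1 ))"
}

# Print the mode a new directory gets under umask $1, e.g. 027 -> 750.
dir_mode_for_umask() {
    printf '%03o\n' "$(( 0777 & ~0$1 ))"
}

# Succeed (exit 0) if the group-read bit (040) is set in octal mode $1.
group_can_read() {
    [ "$(( 0$1 & 040 ))" -ne 0 ]
}

# Create a real file in a scratch directory under umask $1 and print the mode
# the kernel actually gave it.  The umask is changed in a subshell so the
# caller's setting is untouched; BSD stat syntax is the fallback to GNU's.
created_file_mode() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/f" ) || { rm -rf "$d"; return 1; }
    stat -c '%a' "$d/f" 2>/dev/null || stat -f '%Lp' "$d/f"
    rm -rf "$d"
    return 0
}

# File-server case: a directory with the setgid bit hands its own group to
# every file created inside it, whatever the creator's primary group is.
# This needs a supplementary group to give the directory; it prints a
# "skipped" line instead of failing when the invoking user has none.
setgid_demo() {
    primary=$(id -g)
    extra=
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then extra=$g; break; fi
    done
    if [ -z "$extra" ]; then
        echo "setgid demo skipped: no supplementary group"
        return 0
    fi
    d=$(mktemp -d) || return 0
    if chgrp "$extra" "$d" && chmod g+s "$d"; then
        ( umask 027 && : > "$d/shared" )
        printf 'primary gid %s, file in setgid dir owned by gid ' "$primary"
        stat -c '%g mode %a' "$d/shared" 2>/dev/null || stat -f '%g mode %Lp' "$d/shared"
    else
        echo "setgid demo skipped: cannot chgrp/chmod scratch directory"
    fi
    rm -rf "$d"
    return 0
}

for u in 027 077; do
    printf 'umask %s: new file %s, new dir %s, group-readable: ' \
        "$u" "$(file_mode_for_umask "$u")" "$(dir_mode_for_umask "$u")"
    if group_can_read "$(created_file_mode "$u")"; then echo yes; else echo no; fi
done
setgid_demo
```

Run it as a regular user. With umask 027 the new file is 640 and every other member of the shared primary group can read it; with 077 it is 600 and nobody else can, but then nothing created in a setgid project directory is group-readable either. A private group per user keeps 027 usable: a file in the user's home lands in a group only that user belongs to, while a file in a setgid project directory lands in the project group and stays readable to its members.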

1 Answer


I found two discussions on this topic:

http://comments.gmane.org/gmane.linux.redhat.fedora.general/407367
https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux

The conclusion of both is that both variants are valid and which is better depends on your use case. It seems that our use case has changed from "only a few LDAP users on the system, which are all mainly equal" to "a lot of LDAP users on the system, which also need to hide files from each other". Therefore I think we have to change our LDAP structure.

Clemens Bergmann
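As an added example, not part of the answer, of what "change our LDAP structure" amounts to for one account: the LDIF that adds a per-user posixGroup whose gidNumber equals the user's uidNumber and repoints the user's primary gidNumber at it, plus a check that the UID is not already in use as a GID (which would silently merge that user with an existing group). The base DNs ou=People,dc=example,dc=com and ou=Groups,dc=example,dc=com, the user alice with uidNumber 10001 and the GID/UID lists are constructed sample values; a real run would feed ldapsearch output into the check and pipe the LDIF into ldapmodify.

```shell
#!/bin/sh
# Added example, not part of the answer above.  Base DNs, the ou names and the
# RFC 2307 object classes are assumptions about a typical posixAccount /
# posixGroup tree; the account and GID lists are constructed sample data.

# Print the LDIF that (1) adds a posixGroup named after the user, with
# gidNumber equal to the user's uidNumber, and (2) makes that group the
# user's primary group.  $1 uid, $2 uidNumber, $3 users base DN, $4 groups base DN.
upg_ldif() {
    uid=$1
    uidnum=$2
    ubase=$3
    gbase=$4
    cat <<EOF
dn: cn=$uid,$gbase
changetype: add
objectClass: top
objectClass: posixGroup
cn: $uid
gidNumber: $uidnum

dn: uid=$uid,$ubase
changetype: modify
replace: gidNumber
gidNumber: $uidnum
-
EOF
}

# Print every uidNumber in $2 that is already used as a gidNumber in $1.  Both
# are whitespace-separated lists; in production they come from
#   ldapsearch ... '(objectClass=posixGroup)' gidNumber
#   ldapsearch ... '(objectClass=posixAccount)' uidNumber
# A hit means the private group would merge that user with an existing group,
# so it has to be resolved before the LDIF is applied.
gid_collisions() {
    for u in $2; do
        for g in $1; do
            if [ "$u" = "$g" ]; then echo "$u"; break; fi
        done
    done
    return 0
}

# Constructed sample: existing groups use GIDs 100 (users) and 10002, while
# the accounts to convert have uidNumbers 10001 and 10002.
EXISTING_GIDS="100 10002"
USER_UIDS="10001 10002"

clashes=$(gid_collisions "$EXISTING_GIDS" "$USER_UIDS")
if [ -n "$clashes" ]; then
    echo "uidNumber already taken as gidNumber, fix before converting: $clashes" >&2
fi

# LDIF for one account; in practice: upg_ldif ... | ldapmodify -x -D "$ADMIN_DN" -W
upg_ldif alice 10001 "ou=People,dc=example,dc=com" "ou=Groups,dc=example,dc=com"
```

Changing gidNumber only affects files created from then on: files already on disk keep group "users" and their 640 mode, so they need a chgrp/chmod pass afterwards, and hosts that cache directory lookups (nscd, sssd) keep handing out the old primary group until the cache entry expires.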