Re: [suse-security] User private groups?
Hello,
On Monday, 9 January 2006 12:55, Alex Hargrove wrote:
[...]
> Suppose you have a directory structure which is shared by a group
> of users. There, for the directories, the group-s-bit is set, making
> sure that anything created there belongs to the same group as the
> directory wherein it's created. Now if something is created there,
> you want the group-write-bit set, so the rest of the group can change
> it. So you set umask to something very open, giving automatic write
> access to the group.
>
> So far, everything is fine. But, if you are lazy, you leave that
> umask active even when working in other directories.
If you are really lazy *and* want to have a secure solution,
- don't change your umask
- use a default ACL for the directory that sets group write permissions

    setfacl -d -m mask:007 /path/to/directory

is all you need. [1]
Regards,
Christian Boltz
[1] Well, if subdirectories already exist, you have to call setfacl on
them too.
--
http://3d-crew.com
"You will find the keyboard by following the cable that is attached to
the back of your computer with a 5-pin DIN plug."
from the CrossPoint help
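
The approach from the message above, as an added example that is not part of the original post: a setgid directory with a default ACL yields group-writable files while the umask stays at 022 everywhere else. The directory names and the entry spec `group::rwx,other::---` are this example's own choices, and it assumes GNU `stat`, the `setfacl` tool and a filesystem with POSIX ACL support.

```shell
#!/bin/sh
# Added example (not from the original post). Names below are constructed.
# Prints the octal modes of: a file in the shared directory, a file in an
# ordinary directory, and a new subdirectory of the shared directory.
demo_shared_dir() {
    base=$(mktemp -d) || return 2
    (
        cd "$base" || exit 2
        mkdir shared private
        chmod 2770 shared    # setgid bit: new entries get the directory's group
        chmod 0755 private   # ordinary directory, no ACL
        # Default ACL (assumed spec): the group may write whatever is created here.
        setfacl -d -m group::rwx,other::--- shared 2>/dev/null || exit 2
        umask 022            # the restrictive umask is never loosened
        touch shared/report.txt private/notes.txt
        mkdir shared/sub     # created after setfacl, so it inherits the default ACL
        printf '%s %s %s\n' \
            "$(stat -c %a shared/report.txt)" \
            "$(stat -c %a private/notes.txt)" \
            "$(stat -c %a shared/sub)"
    )
    rc=$?
    rm -rf "$base"
    return "$rc"
}

# Stand-alone run: show the three modes, or say why the demo could not run.
demo_shared_dir || echo "setfacl missing or ACLs unsupported on this filesystem" >&2
```

With a default ACL on the parent, the kernel ignores the umask for new entries in that directory, which is why the file outside the shared tree still gets the umask-restricted mode. Subdirectories that existed before the `setfacl` call are not changed by it, which is the case footnote [1] covers.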