Red Hat and Fedora distributions of Linux create a separate user group for each user on the system. To someone coming from another distribution, such as SUSE (which puts all users in the group “users” by default), this may seem bizarre — but there’s a good reason for this often-ignored feature.
The User Private Group (UPG) scheme is a very simple administrative policy that makes it easy to create directories for collaboration:
1. Create a new group for the collaborative project:
# groupadd party-planners
2. Add the collaborators to that group:
# gpasswd -a chris party-planners
Adding user chris to group party-planners
# gpasswd -a diane party-planners
Adding user diane to group party-planners
3. Create a directory for collaboration, set the group owner to the new group, and set the SGID bit:
$ mkdir /tmp/christmas-party
$ chgrp party-planners /tmp/christmas-party
$ chmod g+s /tmp/christmas-party
$ ls -ld /tmp/christmas-party
drwxr-sr-x 2 chris party-planners 4096 Sep 29 09:15 /tmp/christmas-party
Any files created by group members within that directory will automatically be owned by the group, and will be editable by anyone in the group.
What does this have to do with UPG?
UPG sets the default umask to 0002 so that group users can write to files. This would be undesirable and dangerous if everyone belonged to one group (like the “users” group in SUSE) — but when each user is in their own group, the additional group permission is moot until you write into an SGID directory.
Tip: Tired of administering groups? Use the -A option of gpasswd to delegate group administration to a non-superuser.
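To check that a collaboration directory set up this way still behaves as described, the following shell function (an added example, not part of the original article) lists subdirectories that have lost the SGID bit and entries that are in the wrong group or not group-writable. The function names, finding labels and sample file names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a shared directory built with the SGID recipe.
# audit_shared_dir DIR prints one finding per line and returns 1 if any exist.
audit_shared_dir() {
    dir=$1
    # Numeric GID of the top-level directory; everything below should match.
    gid=$(ls -ldn "$dir" | awk '{print $4}')
    findings=$(
        # Directories without SGID no longer pass the group on to new files.
        find "$dir" -type d ! -perm -2000 -exec echo "NO-SGID" {} \;
        # Entries in another group, e.g. files moved in with mv.
        find "$dir" ! -type l ! -group "$gid" -exec echo "WRONG-GROUP" {} \;
        # Entries the group cannot write, e.g. created under umask 0022.
        find "$dir" ! -type l ! -perm -020 -exec echo "NOT-GROUP-WRITABLE" {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (hypothetical names): one file created under the
# UPG umask 0002, one under umask 0022, and a subdirectory with SGID cleared.
make_sample() {
    d=$(mktemp -d) || return 1
    chmod 2775 "$d"
    ( umask 0002; : > "$d/guest-list.txt" )
    ( umask 0022; : > "$d/budget.txt" )
    ( umask 0002; mkdir "$d/photos"; chmod g-s "$d/photos" )
    echo "$d"
}

# Run with --demo as the first argument to see the findings for the sample tree.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    audit_shared_dir "$sample"
    rm -rf "$sample"
fi
```

The file created under umask 0002 passes, while the one created under umask 0022 is reported because the rest of the group cannot edit it.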


Could you elaborate on this technique vs. ACLs?
You can do very similar things with ACLs using the default ACL for a directory. I really like ACLs, but they're not as widely deployed, which leads to a few small differences:
- UPG works on filesystems that support traditional mode semantics but not file attributes.
- It's enabled by default (ACLs require a change in mount options from the installation defaults, for example).
Better to have two tools in the toolbox than one :-)
Better to have two tools in the toolbox than one :-)
Didn't your dad ever tell you to use the right tool for a job? Our toolboxes should be filled with the right tools.
I agree that we need to fill our toolboxes with the right tools. The right tool for Ext3 or ReiserFS is not the right tool for NFS, so it's worthwhile learning both approaches -- UPG works everywhere that ACLs work, plus many places where ACLs will not work. It's also worthwhile knowing why distributions are configured in the way that they are.
I still don't see the real reason why SUSE puts users into the user group. Doesn't that mean that other users can read files in each other's home directories?