[RndTbl] "washing" a fork/exec to force all groups
Gilbert Detillieux
Gilbert.Detillieux at umanitoba.ca
Tue Apr 18 15:45:58 CDT 2023
Adam may have gotten the default group ID wrong, but he is correct in
stating that this is a Linuxism (and a relatively recent one, at that).

I didn't really get the security advantage of this practice at first,
and it's still a bit questionable, but over the years, I've seen so many
users who just didn't understand file permissions, let alone the use of
group ownership and permissions, and would inadvertently give away more
access than they wanted to or should. I've also seen many users who
should have known better, but were probably just too lazy to get it right.

The reason I say "questionable" above, is I've also seen people get the
world permissions wrong as well, so the idea of a default private group
is a partial solution at best. (Education is probably a better
solution, in the long run, but...)

But given the prevalence of Linux, and this now-default group practice,
you know it's just a matter of time before some programmer assumes this
as a universal truism, and does the wrong thing when someone's primary
group is anything else! But until then, Trevor, you're probably safe to
use a different primary group. ;)

Gilbert

On 2023-04-18 9:47 a.m., Kevin McGregor wrote:
> Very minor note: I just created a new user (via useradd) on Solaris
> 11.4.53 and the default group is "staff" (uid=10).
>
> On Tue, Apr 18, 2023 at 8:19 AM Adam Thompson <athompso at athompso.net> wrote:
...
> > That's a decent idea. However, I'm always a bit freaked out making a
> > user's primary group something other than their eponymous group. Not
> > sure if that's justified or not, but it gives me the heebie-jeebies
> > like I'm breaking some cardinal rule and K&R will come to my house and
> > beat me up.
>
> It's not justified. Each user having their own primary group is a
> Linuxism, and a fairly recent development in UNIX history. On
> Solaris, when you create a new user, IIRC their default/primary
> group is still "usr". Because each user having their own group
> makes the average system much more secure (see "shoot self in foot",
> above), pretty much everyone has adopted it by now.
--
Gilbert Detillieux E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science Web: http://cs.umanitoba.ca/~gedetil/
University of Manitoba
Winnipeg MB CANADA R3T 2N2