Adduser devel - Sep 2011 - Bug#643559: adduser with personal groups should make home directory g+s

Package: adduser
Version: 3.112+nmu2

Personal groups are the default on Debian.  The purpose of personal
groups is to allow users to run with a umask of 002 so that they can
sensibly access shared filespace areas whose access is controlled by
group.

This only works if the shared filespace areas remain owned by the
relevant group.  This is best achieved by setting the g+s bit on all
directories which are part of shared filespace areas.  This both
ensures the right ownership of newly created files and directories,
and propagates the g+s bit to subdirectories.

With personal groups, the user''s home directory is owned by their
personal group so the g+s bit has no effect in that case, other than
(a) to ensure that all the subdirectories they create are also g+s
(b) to ensure that files they create in their filespace become owned
by their personal group regardness of their process''s primary group.

If the user wants to make a shared filespace area, the natural
approach would be:
   chgrp -R shared-group directory

If the directories in question are not g+s, this is not sufficient; a
rune to turn on g+s for the relevant directories is needed.  If the
home directory areas were g+s this would not be necessary.

So in the default (personal groups) configuration, home directories
should be g+s.

Ian.

severity #643559 wishlist
thanks

On Tue, Sep 27, 2011 at 03:27:44PM +0100, Ian Jackson
wrote:
> So in the default (personal groups) configuration, home directories
> should be g+s.
This can be locally configured via the DIR_MODE setting in
adduser.conf. I don''t think it would be a good idea to change the
default.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062

Processing commands for control at bugs.debian.org:
> severity #643559 wishlist
Bug #643559 [adduser] adduser with personal groups should make home directory
g+s
Severity set to ''wishlist'' from ''normal''
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
643559: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643559
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

Thanks for your reply.

Marc Haber writes ("Re: Bug#643559: adduser with personal groups should
make home directory g+s"):
> This can be locally configured via the DIR_MODE setting in
> adduser.conf. I don''t think it would be a good idea to change the
> default.
May I ask why not ?  I thought I had provided a clear enough
explanation of the reasoning, and the change is otherwise harmless,
but I''d be happy to go into it further.

Thanks,
Ian.

I wrote:
> May I ask why not ?  I thought I had provided a clear enough
> explanation of the reasoning, and the change is otherwise harmless,
> but I''d be happy to go into it further.
Looking into this further, I found this in adduser.conf:

  # If SETGID_HOME is "yes" home directories for users with their own
  # group the setgid bit will be set. This was the default for
  # versions << 3.13 of adduser. Because it has some bad side effects we
  # no longer do this per default. If you want it nevertheless you can
  # still set it here.
  SETGID_HOME=no

So my first observation is actually that I''m asking for
SETGID_HOME''s
default to be changed to "yes".

The second is that there is this rather fuddish comment about "some
bad side effects".  I did web search to try to find out what those bad
side effects might be, and I found this:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=64806

Those "bad side-effects", if they were ever relevant and important
enough to make personal groups not work properly, have now been fixed.
I have been developing Debian packages on systems with g+s home
directories since around 1993.

Debian''s adduser did the right thing by default from 1997 to 2000.
I''d like it to do the right thing again.

Ian.