Two different users groups? Users can read eachothers files?

[lcidw]

I asked someone in #gentoo on freenode: How do i add a user? His answer:

[transient]

What the -G does is to specify what groups a user belongs to.
However, a user has one group that is their GID, which in this case is the default 100. The reason the other 2 users arent showing up in the groups file is because you never said for them to be members of that group

[edit]Sorry Ill try and make that post make sense....
A user has an initial group that they belong to. This is their main group, and its what the GID refers to. However, a user can also be a member of other groups as well. Those extra groups are what are listed in the /etc/groups file. You should use the -G option for creating users, as you will probably want them to be in the audio, portage, wheel groups for example.[/edit]

[donjuan]

I don't know what the difference is with the -G option for the first group, but it looks like if you want to add the user to additional groups you need to use it.

He would be correct about the chmod thing. When I want to allow people to view my public_html files at school I have to change the permissions on that directory myself. So just do an extra chmod on that directory.
_________________
Command-line ACCEPT_KEYWORDS is considered harmful, use the package.* files.

The Stage 1 on 3 Install

[justanothergentoofanatic]

UNIX allows users to belong to more than one group. However, one group must be designated as the 'primary' group. The primary gid is stored in /etc/passwd and determines, among other things, the default gid for newly created files (files, unlike users, belong to only one group).

So, if the user belongs to only one group, his primary gid is stored in /etc/passwd, and there is no need for an /etc/groups entry. Unfortunately, each /etc/passwd entry can contain only one gid. If the user belongs to any 'secondary' groups, they need to be entered in /etc/groups.

Placing a 'primary' gid entry into /etc/groups is redundant, since the system already reads the group from /etc/passwd. But it doesn't do any harm.

[dhalsiim]

Problem 2: Maybe if someone explained how permissions worked, you'd understand what happened and why someone on #freenode suggested "chmod 700" or "umask 077".

4 = read
2 = write
1 = execute

The combination of the above gives your files/folders the permission you desire. And if you are a bit creative you might have guessed that umask is the total opposite of chmod! For chmod "7" means give all 3 of r,w,x permissions while for umask it means DO NOT give those permissions. When you set permissions you set them for either (or all 3) of USER, GROUP and OTHERS. Saying "chmod 700" is like "USER has all permissions" while "GROUP" & "OTHERS" have squat. This explains why public_html is in-accessible now. You may leave all other files/folders in your home directory with permissions of "chmod 700" but change them for public_html. Something like "chmod 755" for public_html will be suitable for it.

I know I am not good at explaining things to people but I hope that helped. Problem 1 is beyond me at the moment.

Edit: Ok you guys up there, stop beating me to answering this post T_T

[lcidw]

[dhalsiim]

I just assumed everyone's like me ><; when I first started using linux chmod was intimidating. I always tried to memorize the different combinations of 4+2+1 not knowing the underlying trickerky, let alone even knowing how umask worked. So yeah, they both are kinda like outerspace stuff for me

umask is automatically set for files/folders from settings in /etc/profile. That would be one automatic way? Or if they get shell access, their .login files can be edited to hold that information! With ftpd's, I know that proFTPD has a umask module that allows such permissions to be set on newly uploaded files. Perhaps if you look into vsftpd's documentation you might find something similar?

[lcidw]

Hmmm.. i can try it out.

So, give the files chmod 700 except for the contents of the public_html dir which should be 705?

I just remembered that on the Debian webserver i had before, users automaticly got their own group.. so if i created a user called nike (uid 1034 for example) they would automaticly get a group nike (gid 1034). Then i didn't have to go through all this trouble..

Why doesn't Gentoo do that automaticly? I find it strange that so many people find it normal to put all users in one group called users while it brings serious security issues with it if one didn't pay attention.. and i have the feeling there are a lot of people who didn't.

[dhalsiim]

I am not sure if the middle 0 in 705 affects anything at all but you could give it a shot. Yes the contents of public_html set to that permission should make it work but public_html itself should have the "execute" permission for its contents to be able to be read.

And I never knew users automatically had their own group created on other distros.. that's new info. Good stuff XD

[transient]

The umask is ANDed with the default file creation permissions to create the actual permissions you see.
The default permissions are 777 for directories, and 666 for files.
In the case of a directory, this is ANDed with the default umask's ones compliment (022) to give you the usual permissions of 755.
Although Im referring to the binary AND operation here, because of the way its setup, you can simply subtract the umask from the default permissions to get the actual permissions. No need to mess around with bit ANDing and so on Note that this method doesnt work for all situations, particularly when you are untarring a file
This also means that it is impossible to create a file that is executable. You always need to

[dhalsiim]

The 700 and 705 in the post above yours is for chmod. But your insight on ANDing the bits is very informative. Thank you for sharing it.

[transient]

Ah thanks, I misread the post

[lcidw]

Isn't it a better idea to just give every user on my server it's own group, and remove it from group users? Or could that bring problems with it?

[dhalsiim]

Bahaha.. last post: Sat Feb 12, 2005 12:20 am & latest post: Mon Feb 21, 2005 9:05 pm. I mean numbers turn me on but this is amazing. Feb 12 and Feb 21. Well I personally don't see anything wrong with that. But do you really want to trust a (11 months old) linux user? The thing is .. you might have to change all sorts of permissions left and right.. perhaps if you ask a forum mod or a developer you might get a better answer. I just answered this post to point out the face about the posting dates that's all. Sorry for any disappointment :S

Edit: geez.. I'm the worst typist ><; face = fact

[transient]

[dhalsiim]

It just made me giggle, the fact that the last post by you was on the 12th of this month. And the latest on the 21st. 12:21 .. I don't know, feels funny (awkward someone might say).

[j-m]

[lcidw]