Could use some feedback. Was wondering what people's thoughts are on setting up security more based off groups in Linux, aka umask 707.
I understand it wouldn't be "as secure" as file owner based but having files/folders default only being group accessible, then controlling access based on the group instead?
It is common to have files set so that both owner and group can access (007) but not common to try to prevent the owner from accessing. You'd have the owner in the same group as all the other users.
For more fine grained control you could use ACLs instead.
The idea is they would need to be in the group to have access. So if they're not, then they wouldn't. It would put you on as the sort of default "owner" of it, but permissions would be via the group.
If you take them out of the group but give them 007 then they still would have access to the file/folder via the owner permission.
If the owner doesn't have permission for the file, then it doesn't matter what group(s) the owner is in, access to the file will be denied.
User (owner) permissions take precedence over group permissions. So, with umask 707, assuming directory permissions allow, users would be able to create files/directories, but then they couldn't access them because as the owner, they don't have permission.
For example, here's what happens when you create a file with umask 707:
Code:
$ umask 707
$ ls file
ls: cannot access file: No such file or directory
$ echo "this is a test" >file
$ ls -l file
----rw----. 1 sgrlscz sgrlscz 15 Jun 19 08:33 file
$ cat file
cat: file: Permission denied
$ echo "this is another test" >>file
bash: file: Permission denied
As you can see, I can create the file (because the directory allows me to), but I can't read it or write to it again.
Good point, although, interesting behavior as you are in the group that has access.
Was curious, is that configurable to the group first, then owner? Guessing not.
No. It's the defined behaviour. First match determines access (i.e. an 'if..else if..else').
If you are the owner, your access is defined by the user permission only. If you're not the owner, then if you're in the group, your permission will be determined by group access only. Finally, if you are not the owner or in the group, your access is determined by the other permission.
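The first-match rule discussed in this thread, as an added example that is not part of any post: it creates a real file under umask 707 and 007, reads back the resulting mode, and evaluates read access with a small model of the owner/group/other check. The uid/gid values are constructed, and the model deliberately ignores root/capabilities and ACLs.

```python
import os
import stat
import tempfile

def mode_after_umask(umask, requested=0o666):
    """Create a real file under `umask` and return its permission bits."""
    # Make the directory first: under umask 707 a new dir would get mode 000.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "file")
        old = os.umask(umask)
        try:
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY, requested))
        finally:
            os.umask(old)
        return stat.S_IMODE(os.stat(path).st_mode)

def allowed(mode, want, file_uid, file_gid, uid, groups):
    """Model of the classic first-match check (no root/capabilities, no ACLs).
    `want` is a 3-bit rwx mask: 4 = read, 2 = write, 1 = execute."""
    if uid == file_uid:
        bits = (mode >> 6) & 7   # owner: only the user bits are consulted
    elif file_gid in groups:
        bits = (mode >> 3) & 7   # not owner, in group: only the group bits
    else:
        bits = mode & 7          # everyone else: only the other bits
    return (bits & want) == want

def report(umask):
    """Return (mode, owner_can_read, group_member_can_read, other_can_read)."""
    mode = mode_after_umask(umask)
    # Constructed identities: uid 1000 owns the file, gid 1000 is its group.
    owner = allowed(mode, 4, 1000, 1000, uid=1000, groups={1000})
    member = allowed(mode, 4, 1000, 1000, uid=1001, groups={1000})
    outsider = allowed(mode, 4, 1000, 1000, uid=1002, groups={1002})
    return mode, owner, member, outsider

if __name__ == "__main__":
    for um in (0o707, 0o007):
        mode, owner, member, outsider = report(um)
        print(f"umask {um:03o} -> mode {mode:03o}: "
              f"owner={owner} group_member={member} other={outsider}")
```

With umask 707 the owner is denied even though the owner is in the file's group, while with umask 007 both the owner and group members can read and everyone else is denied.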