private group administration

Lutz Lange llange at redhat.com
Sun Oct 19 09:11:11 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Les Mikesell wrote:
> Colin Walters wrote:
>>
>>>> <mw_triad at users.sourceforge.net> wrote:
>>>>> If 'chmod g+w file;chgrp foo file' is too much work then there
>>>>> should be
>>>>> a command that can do both.
>>>> Groups are broken.  Use access control lists: "man setfacl"
>>> ACLs inherit the brokenness of groups, e.g. it is not possible to
>>> enforce that
>>> everything within a certain directory is owned by everyone of a group,
>>
>> The point is with ACLs you don't need the files to have a specific
>> ownership (user/group) as long as they have the right ACLs for access.
>>  A good way to do this is to avoid groups entirely and just add the
>> users you want individually.
> 
> This is unmanageable as the people in groups change.  When you are
> designing operating systems you should understand that underlying data
> and work processes may need to survive and be usable for decades as the
> hardware and people change. I don't think anyone working with fedora
> gets that.
> 

This is actually what students tell me as well. Using ACLs, file
permissions are quite hard to manage over time. ACLs tend to stay on fs
entries when users get deleted. It is an extra burden on the admin to
search and remove them.

We should find a way to make it easier to maintain ACLs - especially in
case users are removed from the system. I'm sure a cleanup script could
be devised for the case of user removal. This would ease the process.

Or does such a script/program exist already?

Cheers
Lutz

- --
Lutz Lange
GLS Instructor
Red Hat GmbH
Hauptstätterstrasse 58
D-70178 Stuttgart - Germany

Tel.    +49 711 96 437 570
Mobile  +49 172 75 285 17
Fax     +49 711 96 437 111
Email:  llange at redhat.com
____________________________________________________________________
Reg. Adresse: Red Hat GmbH, Otto-Hahn-Strasse 20, 85609 Dornach bei Muenchen
Handelsregister: Amtsgericht Muenchen HRB 153243
Geschaeftsfuehrer: Brendan Lane, Charlie Peters, Michael Cunningham,
Werner Knoblich
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD4DBQFI+vms15TuH1mPaRURAn7zAKCBwHqPprQOGJWc2xJRJhrIqMqLuwCWMylQ
19l0a/9fYRp8bFBpobbR+A==
=F5JM
-----END PGP SIGNATURE-----
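
The cleanup the message above asks about can be sketched as follows. This is an added example, not part of the original post or any Fedora tool: it reads `getfacl -R -n --absolute-names` output and lists ACL entries whose numeric uid or gid no longer exists. The function names and the sample listing are constructed for illustration.

```python
import shlex

# Constructed sample of `getfacl -R -n --absolute-names /srv/project` output.
SAMPLE = """\
# file: /srv/project
# owner: 0
# group: 1000
user::rwx
user:1001:rwx
user:1007:r-x
group::r-x
mask::rwx
other::---
default:user:1007:r-x
default:mask::rwx

# file: /srv/project/plan.txt
# owner: 1001
# group: 1000
user::rw-
user:1007:rw-\t#effective:r--
group:2005:r--
mask::r--
"""

def find_orphaned_acl_entries(getfacl_text, live_uids, live_gids):
    """Return (path, entry_spec) for ACL entries whose uid/gid no longer exists."""
    orphans, path = [], None
    for line in getfacl_text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]  # assumption: no escaped characters in the name
            continue
        fields = line.split("#")[0].strip().split(":")  # drops "#effective:" notes
        prefix = "d:" if fields[0] == "default" else ""
        if prefix:
            fields = fields[1:]
        if len(fields) != 3 or not fields[1].isdigit():
            continue  # headers, blank lines, and owner/mask/other entries
        kind, ident = fields[0], int(fields[1])
        live = live_uids if kind == "user" else live_gids
        if kind in ("user", "group") and ident not in live:
            orphans.append((path, f"{prefix}{kind[0]}:{ident}"))
    return orphans

def cleanup_commands(orphans):
    """Render one `setfacl -x` command per orphan, for review before running."""
    return [f"setfacl -x {spec} {shlex.quote(path)}" for path, spec in orphans]
```

On a host with only local accounts, `live_uids` and `live_gids` can be built from `pwd.getpwall()` and `grp.getgrall()`. Accounts served from a network directory may not be enumerated, so confirm that an id is really gone before removing its entries.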




More information about the fedora-devel-list mailing list