chmod broken?

Mike McCarty mike.mccarty at sbcglobal.net
Thu Jun 30 19:02:36 UTC 2005


Bill Rees wrote:

> Markku Kolkka wrote:
>
>> Bill Rees wrote in his message (sent Thursday, 30 June 
>> 2005 08:26):
>>  
>>
>>> Whoever
>>> owns the file can chmod the file but if you're just a member
>>> of the group you get the permission denied messages.
>>>     
>>
>>
>> This is exactly how chmod is supposed to work according to the Single 
>> Unix Specification:
>> "Only a process whose effective user ID matches the user ID of the 
>> file, or a process with the appropriate privileges, shall be 
>> permitted to change the file mode bits of a file."
>> http://www.opengroup.org/onlinepubs/009695399/utilities/chmod.html
>>
>>   
>
> Then what's the point of groups?
>
> bill
> p.s. sorry to waste your time on this.
>
The purpose of groups is to allow a group of users to have
a common pool of files they can access. But note that the
words "access" and "control" are not the same. Control
is still the owner's responsibility.

For example, I have a computer here with Linux on it. I
am a contractor for a company. I have created a user on
my machine for one of the employees of that company, and
added his user to my group. I then have some files in my
directory which I have marked for group access, so he can
ftp to my machine and get them. Also, all his files have
rwx for group as default. This gives me access to all the
files he creates on my machine, unless he takes steps to
protect them from me. Of course, since I have the root
password, I can do whatever I want, but good UNIX hygiene
dictates that one use root privilege only sparingly, and
when needed.

So having a group allows me to share files back and forth
with this guy, without having to continually su to root
privilege.

It's a convenience.

And on a true multi-user system, it's (almost) mandatory.
One can create a UNIX group for each development team
of employees, say, and everyone in the group can share
the files they co-develop and work on. But members of
other development teams won't have write access, say.

It's sort of a poor-man's ACL (Access Control List).
Not nearly as flexible as ACL, but much easier to
manage, and often enough to get the job done.

A reason for not allowing someone with access also to
control a file is that he could wrest the file from
the owner.

Mike

-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
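The "access" versus "control" distinction Mike draws above, worked as an added example (not part of the thread): the POSIX class selection for access and the chmod ownership rule from the specification Markku quoted, with constructed uids and gids.

```python
"""Access vs. control under POSIX discretionary permissions.

Added example, not from the original thread. Implements the two rules the
exchange describes: the class-based access check (owner, group, other) and
the chmod rule that only the file owner or a privileged process may change
the mode bits. All uids/gids below are constructed sample values.
"""

ROOT_UID = 0


def access_allowed(st_mode, st_uid, st_gid, uid, groups, want):
    """True if a process with `uid` and group set `groups` has every
    permission in `want` (letters from 'rwx') on a file with the given
    mode, owner and group.

    POSIX picks exactly one class: owner if uid matches, else group if
    st_gid is in the process's groups, else other. A group member never
    falls through to the 'other' bits, and the owner never gets the
    group's bits even when also a member of the group.
    """
    if uid == ROOT_UID:
        # superuser: read/write always; execute needs some x bit set
        return "x" not in want or bool(st_mode & 0o111)
    if uid == st_uid:
        shift = 6
    elif st_gid in groups:
        shift = 3
    else:
        shift = 0
    bits = {"r": 4, "w": 2, "x": 1}
    needed = sum(bits[c] for c in want)
    return ((st_mode >> shift) & needed) == needed


def chmod_allowed(st_uid, euid):
    """Rule quoted from the Single UNIX Specification: only the owner
    (effective uid equals the file's uid) or a privileged process may
    change the mode bits. Group membership plays no part."""
    return euid == st_uid or euid == ROOT_UID


def demo():
    # Constructed scenario mirroring the thread: mike (uid 1000) owns a
    # file with "rwx for group" (mode 0o770, gid 1000); the guest account
    # (uid 1001) is in mike's group; uid 1002 is an outsider.
    mode, owner, gid, guest, outsider = 0o770, 1000, 1000, 1001, 1002
    return {
        "guest_can_rw": access_allowed(mode, owner, gid, guest, {1001, gid}, "rw"),
        "guest_can_chmod": chmod_allowed(owner, guest),
        "owner_can_chmod": chmod_allowed(owner, owner),
        "outsider_can_read": access_allowed(mode, owner, gid, outsider, {1002}, "r"),
    }
```

The guest gets read/write through the group bits but chmod is refused, which is exactly the "permission denied" Bill saw.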
