[Freeipa-users] ipausers default group

Simo Sorce ssorce at redhat.com
Tue Nov 18 13:39:59 UTC 2008


On Mon, 2008-11-17 at 20:03 -0430, Robert Marcano wrote:
> Is it a good idea that "ipausers" group be the default primary group for
> all users? I see everyday applications that create temporary files that
> do not follow the 0600 file permissions.
> 
> All RedHat/Fedora tools create a user and a group by default, unless you
> request a different primary group.
> 
> Just one example:
> 
> http://java.sun.com/j2se/1.3/docs/api/java/io/File.html#createTempFile(java.lang.String,%20java.lang.String)
> 
> the Java method to generate temporary files does not create them with
> permissions 0600 (there is no way to change that in plain Java).


You should be able to change the default umask for users so that groups
do not get permissions like others.
The umask can be changed from 0002 to 0022 so that groups do not get
write permissions by default.
If you want by default no readability to anyone but the user you can
also set it to 0077.

The default umask can be changed in /etc/bashrc on Fedora and similar
files on other distributions, or even just per-user in ~/.bashrc

> Creating a group by hand for each user is repetitive and there is no way
> to assign them easily, you need to copy the GID and copy it to the user
> by hand

Creating a group for each user creates an unnecessary proliferation of
groups that clogs the group interface with mostly useless groups.
Managing user/groups makes it more complex to create, delete and rename
existing users, as the relative groups would need to follow, and
exceptions would need to be handled.

In case you find that you nonetheless want to create a group for each
user you can use CLI tools and some scripts to make it simpler for you
to create users the way you prefer.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
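
Added example, not part of the original message: a shell sketch that creates a scratch file under each umask mentioned in the reply (0002, 0022, 0077) and reports what the file's group can do with it. When every user shares one primary group such as ipausers, that group triad is what all other users get. The function names `perms_under_umask` and `group_exposure` are hypothetical, and the probe file is constructed in a `mktemp` directory.

```shell
#!/bin/sh
# Added example: permissions of a file created under each umask from the reply.
# Uses only a constructed scratch file inside a mktemp directory.

# perms_under_umask MASK -> prints the 9-character permission string
# (e.g. rw-rw-r--) of a file created via shell redirection, which requests 0666.
perms_under_umask() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/probe"
        perms=$(ls -l "$dir/probe" | cut -c2-10)
        rm -rf "$dir"
        printf '%s\n' "$perms"
    )
}

# group_exposure MASK -> what members of the file's group can do with it
group_exposure() {
    triad=$(perms_under_umask "$1" | cut -c4-6) || return 1
    case $triad in
        ?w?) echo "group-writable" ;;
        r??) echo "group-readable" ;;
        *)   echo "private" ;;
    esac
}

for mask in 0002 0022 0077; do
    printf 'umask %s -> %s (%s)\n' "$mask" \
        "$(perms_under_umask "$mask")" "$(group_exposure "$mask")"
done
```

The umask only clears bits from the mode a program requests, so a program that explicitly asks for a wider mode after creation (for example with chmod) is not constrained by it.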



