[Freeipa-users] Different primary group on different machines.

Simo Sorce simo at redhat.com
Fri Oct 26 13:38:32 UTC 2012


On Fri, 2012-10-26 at 09:36 +0200, Ondrej Valousek wrote:
> Well, you do not need ACLs for that, just 'chmod g+s <directory>' will
> do.

This is what makes people ask for changing the GID, which is suboptimal
on many accounts.

The reason why FreeIPA creates a User Private Group is that the default
umask pretty much everywhere allows the primary group access to new
files created, so if the primary group is shared among users it means
that by default users cannot expect privacy. This is not nice.

> But in general, I agree, this is insane requirement as nobody would
> ever think of it in Windows. Not happy w/ a traditional Unix
> permissions? Go for ACLs.

Default ACLs are very, very useful and enormously more powerful than the
sgid bit. I strongly recommend using ACLs for complex default ownership
requirements.

> The only pity is that the current Posix-draft hack widely used on all
> Linuxes is a mess and Rich-acl support is still nowhere in sight :-(

Sorry sir, but technically it is the sgid bit that is a gross hack.
The Posix draft for ACLs never got final approval, but it is pretty
standardized across most OSs, and works fine for any Linux OS that isn't
on ancient kernels. It is also enabled by default on all file systems
that matter normally.

Rich-ACL, while cool and necessary for NFS ACL and better Windows ACL
compatibility will also be much more complex than Posix ACLs, and does
not add anything special for the default ACL use case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
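An added illustration of the point made above (example script, not from the thread or from FreeIPA): a setgid directory only makes new files inherit the group, while the file's group bits still come from the creating process's umask; a POSIX default ACL grants the group access regardless of umask. The "project group" is a placeholder, replaced by the caller's own primary group (`id -gn`) so the script runs unprivileged; directory names under `$TMPDIR` are also assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread: compare a shared directory
# that relies only on the sgid bit with one that also carries a POSIX default
# ACL. The "project group" is a placeholder: the caller's own primary group
# (id -gn) is used so the script runs unprivileged.
set -eu

# Create a setgid shared directory (mode 2770) and print its path.
# New files inherit the directory's group, but their group permission
# bits are still cut down by the creating process's umask.
make_sgid_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/shared-sgid.XXXXXX")
    chmod 2770 "$d"
    printf '%s\n' "$d"
}

# Same directory plus a default ACL granting the project group rwx.
# Prints the path; returns non-zero if setfacl is missing or the
# filesystem has no ACL support.
make_acl_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/shared-acl.XXXXXX")
    chmod 2770 "$d"
    setfacl -d -m "g:$(id -gn):rwx" "$d" || return 1
    printf '%s\n' "$d"
}

# Create a file in directory $1 under umask 077 (the private default that
# user-private-group setups rely on) and print its group permission bits
# as shown by ls -l (columns 5-7). With a default ACL present the umask is
# not applied; the requested mode 0666 is intersected with the ACL instead.
file_group_perm() {
    (umask 077; : > "$1/newfile")
    ls -l "$1/newfile" | cut -c5-7
}

# Stand-alone demonstration: "---" for sgid only, "rw-" with the default ACL.
sgid=$(make_sgid_dir)
printf 'sgid only, umask 077:   group bits %s\n' "$(file_group_perm "$sgid")"
if acl=$(make_acl_dir 2>/dev/null); then
    printf 'default ACL, umask 077: group bits %s\n' "$(file_group_perm "$acl")"
else
    echo 'setfacl unavailable or ACLs unsupported here; skipping ACL case'
fi
```

`getfacl` on the file in the ACL directory shows the named group entry and the mask that produced those group bits.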
