Red Hat Enterprise Linux uses a user private group
(UPG) scheme, which makes UNIX groups easier to
manage.
A UPG is created whenever a new user is added to the system. A UPG has
the same name as the user for which it was created and that user is the
only member of the UPG.
UPGs make it safe to set default permissions for a newly created file
or directory which allow both the user and that user's
group to make modifications to the file or directory.
The setting which determines what permissions are applied to a newly
created file or directory is called a umask and
is configured in the /etc/bashrc file.
Traditionally on UNIX systems, the umask is set to
022, which allows only the user who created the file
or directory to make modifications. Under this scheme, all other users,
including members of the creator's group, are not
allowed to make any modifications. However, under the UPG scheme, this
"group protection" is not necessary since every user has their own
private group.
Many IT organizations like to create a group for each major project
and then assign people to the group if they need to access that
project's files. Under this traditional scheme, managing files is
difficult: when someone creates a file, it is associated
with the primary group to which they belong. When a single person
works on multiple projects, it is difficult to associate the right
files with the right group. Using the UPG scheme, however, groups are
automatically assigned to files created within a directory with the
setgid bit set. The setgid bit makes managing
group projects that share a common directory very simple because any
files a user creates within the directory are owned by the group which
owns the directory.
Let's say, for example, that a group of people work on files in the
/usr/lib/emacs/site-lisp/ directory. Some people
are trusted to modify the directory, but certainly not everyone is
trusted. First create an emacs group,
as in the following command:
/usr/sbin/groupadd emacs
To associate the contents of the directory with the
emacs group, type:
chown -R root.emacs /usr/lib/emacs/site-lisp
Now, it is possible to add the proper users to the group with the
gpasswd command:
/usr/bin/gpasswd -a <username> emacs
To allow users to create files within the directory, use the
following command:
chmod 775 /usr/lib/emacs/site-lisp
At this stage, a file that a user creates in the directory is still
assigned that user's own private group. Next, set the setgid bit, which
gives everything created in the directory the same group as the
directory itself (emacs). Use the
following command:
chmod 2775 /usr/lib/emacs/site-lisp
At this point, because each user's default umask is 002, all members
of the emacs group can create and
edit files in the /usr/lib/emacs/site-lisp/
directory without the administrator having to change file permissions
every time users write new files.
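The following script is an added example, not part of the Red Hat documentation: it reproduces the setgid-plus-umask behaviour described above in a scratch directory (a stand-in for /usr/lib/emacs/site-lisp) so that it can be run without root, and checks that files created there inherit the directory's group and get mode 664 under umask 002 but 644 under the traditional 022. It assumes a POSIX shell and a stat that accepts -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: verify shared-directory behaviour without root.
# Assumes POSIX sh and 'stat -c' (GNU coreutils / BusyBox).

# Pick a supplementary group other than the caller's primary group, so
# that group inheritance is visible; fall back to the primary group.
pick_project_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    echo "$primary"
}

# Create a scratch directory owned by the project group with mode 2775
# (setgid, rwx for owner and group, r-x for others). Prints its path.
setup_shared_dir() {
    dir=$(mktemp -d) || return 1
    chgrp "$(pick_project_group)" "$dir" || return 1   # like chown -R root.emacs
    chmod 2775 "$dir" || return 1                      # like chmod 2775 site-lisp
    printf '%s\n' "$dir"
}

# Create an empty file under the given umask; print "<gid> <octal mode>".
# The umask is changed only inside the subshell, so the caller is unaffected.
create_file_with_umask() {
    dir=$1 mask=$2 name=$3
    ( umask "$mask" && : > "$dir/$name" ) || return 1
    stat -c '%g %a' "$dir/$name"
}

gid_of()  { stat -c '%g' "$1"; }   # numeric group id of a path
mode_of() { stat -c '%a' "$1"; }   # octal permission bits of a path

# Show the effect of both umasks side by side, then clean up.
demo_shared_dir() {
    d=$(setup_shared_dir) || return 1
    echo "directory $d: gid $(gid_of "$d") mode $(mode_of "$d")"
    echo "umask 002 -> $(create_file_with_umask "$d" 002 group.el)"
    echo "umask 022 -> $(create_file_with_umask "$d" 022 private.el)"
    rm -rf "$d"
}
```

Run `demo_shared_dir` after sourcing the script; the second line shows that, with the traditional 022 umask, the group still inherits correctly but loses write permission, which is exactly what the UPG scheme's 002 default avoids.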