Default group?


#1

I’ve got a handful of FTP/shell users associated with my dreamhost account. All but one of them have the same default group (pg105833). One, though, has a different default group (pg102204).

I haven’t changed any default directory permissions, owners or group owners.

A consequence of this is that the users in pg105833 with shell access can read (but not change) files in each others’ home directories. (i.e. user1 can login, and cd to /home/user2 and read files there)

The pg102204 user, though, has no access to the others’ directories (just as it has no access to other dreamhost accounts directories on the shared server, unless the default permissions have been changed).

I’ve decided I like this “partitioning” of users in some cases, but I have no idea what I did to get that one user into a different default group.

Anyone else with experiences that can shed any light here or instructions for how to implement “create a new default group” when I create a new ftp/user and its home directory? [Was that an option that disappeared at some point? I just don’t see it now, and the one odd account was created earlier this fall, but wasn’t the last account I created.]

Thanks.


#2

Thanks.

Since the original post, I’ve done some additional research, and think having an account with users in two different default groups was an anomaly of some sort. There’s a suggestion open that appears to be “allow setting the default group when creating a user” and I’ve voted for that.

Related comments:

From the WIKI
http://wiki.dreamhost.com/index.php/Unix_File_Permissions
there is a note about the SetGID bit on directories - e.g.

chgrp othergroup somedir
chmod 2771 somedir

that will cause the files created in “somedir” to be in the group “othergroup” not (as that text on the groups page implies) in the default group. So, you’re right, the shell is required to change the group, but it can be done on a directory so that files later created in that directory (via FTP, say) inherit that group.

That helps some, but, in general, as other threads have pointed out, since

o it’s still a shared server
o the web server needs access to the files and
o UNIX file permissions aren’t particularly fine grained,

there doesn’t seem to be a foolproof way to protect files from other shell users on the system. The best I can come up with at the moment is to use a nonobvious name for the top level directory of the web server, so even if someone has shell access and the name of, say, a PHP file which has the name of a file where passwords are stored, they’d have difficulty finding the first file without read access on the directories above it.

Fingers crossed…