[RndTbl] "washing" a fork/exec to force all groups

Gilbert Detillieux Gilbert.Detillieux at umanitoba.ca
Tue Apr 18 15:45:58 CDT 2023


Adam may have gotten the default group ID wrong, but he is correct in 
stating that this is a Linuxism (and a relatively recent one, at that).

I didn't really get the security advantage of this practice at first, 
and it's still a bit questionable, but over the years, I've seen so many 
users who just didn't understand file permissions, let alone the use of 
group ownership and permissions, and would inadvertently give away more 
access than they wanted to or should.  I've also seen many users who 
should have known better, but were probably just too lazy to get it right.

The reason I say "questionable" above is that I've also seen people get the 
world permissions wrong as well, so the idea of a default private group 
is a partial solution at best.  (Education is probably a better 
solution, in the long run, but...)

But given the prevalence of Linux, and this now-default group practice, 
you know it's just a matter of time before some programmer assumes this 
as a universal truism, and does the wrong thing when someone's primary 
group is anything else!  But until then, Trevor, you're probably safe to 
use a different primary group. ;)

Gilbert

On 2023-04-18 9:47 a.m., Kevin McGregor wrote:
> Very minor note: I just created a new user (via useradd) on Solaris 
> 11.4.53 and the default group is "staff" (uid=10).
> 
> On Tue, Apr 18, 2023 at 8:19 AM Adam Thompson <athompso at athompso.net> wrote:
...
>      > That's a decent idea.  However, I'm always a bit freaked out making a
>      > user's primary group something other than their eponymous group.  Not
>      > sure if that's justified or not, but it gives me the heebie-jeebies
>      > like I'm breaking some cardinal rule and K&R will come to my house and
>      > beat me up.
> 
>     It's not justified.  Each user having their own primary group is a
>     Linuxism, and a fairly recent development in UNIX history.  On
>     Solaris, when you create a new user, IIRC their default/primary
>     group is still "usr".  Because each user having their own group
>     makes the average system much more secure (see "shoot self in foot",
>     above), pretty much everyone has adopted it by now.

-- 
Gilbert Detillieux          E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science            Web:    http://cs.umanitoba.ca/~gedetil/
University of Manitoba
Winnipeg MB CANADA  R3T 2N2


