Peter Farrow wrote:

> This line
>
> " It makes 0700 the same as 0770. "
>
> in the context of one group per user makes perfect sense to me...
>
> What John is getting at is that if one user is assigned their own
> individual group, then the concept of groups for security granularity is
> negated, which essentially removes the middle part of the unix
> permissions syntax, as the group and user are one and the same, so 0700
> is 0770, and in this instance your comment "0700 is and will always be
> different from 0770" does not apply... You are right in that 0700 is
> different to 0770, but the security upshot is the same if each user has
> their own unique group, and in that scenario there is no functional
> difference between 0700 and 0770.
>
> This is the essence of John's statement which I think you may have
> missed...

No, you have missed the point of what each user having their own group brings to the table for 0700 and 0770.

This allows usera to give userb, but no others (other than root, of course), full permissions on files that usera wants to share with userb (0770). How else can usera do this if not via usera's group permissions?

At the same time, usera can limit what userb has access to. userb cannot access files that are user and group owned by usera but where usera does not give any permissions at all to members of group usera (0700).
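The sharing scenario argued above, worked through as an added example (not code from either poster): a small Python model of the POSIX discretionary access check, applied to a user-private-group setup. The uids, gids and user names (usera = 1000, userb = 1001, userc = 1002, each with a same-numbered private group) are assumed for illustration. Adding userb to group usera models what `usermod -aG usera userb` would do on a real system; the files and modes are constructed inline. The model also shows one caveat the thread does not spell out: the kernel consults exactly one class of bits (owner, then group, then other), so an owner is judged by the owner bits alone even when the group bits are more permissive.

```python
from dataclasses import dataclass

# Permission bits within one class (owner, group or other), as in st_mode.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    uid: int    # owning user
    gid: int    # owning group
    mode: int   # permission bits, e.g. 0o770


@dataclass(frozen=True)
class Subject:
    uid: int
    groups: frozenset  # primary plus supplementary group ids


def allowed(subject: Subject, inode: Inode, want: int) -> bool:
    """Simplified POSIX check: root bypasses DAC; otherwise exactly one class
    of bits applies, chosen in the order owner, group, other. Group bits are
    used when the file's gid is any of the subject's groups, which is how a
    user-private group becomes a sharing tool once a second member is added."""
    if subject.uid == 0:
        return True
    if subject.uid == inode.uid:
        bits = (inode.mode >> 6) & 0o7
    elif inode.gid in subject.groups:
        bits = (inode.mode >> 3) & 0o7
    else:
        bits = inode.mode & 0o7
    return (bits & want) == want


# Constructed scenario: each user has a private group with the same number.
USERA, USERB, USERC = 1000, 1001, 1002
shared = Inode(uid=USERA, gid=USERA, mode=0o770)   # usera wants userb to read/write this
private = Inode(uid=USERA, gid=USERA, mode=0o700)  # usera keeps this to herself


def scenario() -> dict:
    """Access of userb and userc to usera's files, before and after
    userb is added to group usera (the effect of `usermod -aG usera userb`)."""
    userb_before = Subject(USERB, frozenset({USERB}))
    userb_after = Subject(USERB, frozenset({USERB, USERA}))
    userc = Subject(USERC, frozenset({USERC}))
    return {
        "userb_before": {"shared": allowed(userb_before, shared, R | W),
                         "private": allowed(userb_before, private, R)},
        "userb_after": {"shared": allowed(userb_after, shared, R | W),
                        "private": allowed(userb_after, private, R)},
        "userc": {"shared": allowed(userc, shared, R),
                  "private": allowed(userc, private, R)},
    }


if __name__ == "__main__":
    for who, access in scenario().items():
        print(who, access)
```

With usera and userb sharing only group usera, 0770 hands userb full access to exactly the files usera chooses, while 0700 on a file with the same owner and group keeps userb out; userc, who is in neither group, gets nothing either way. The owner-class rule means a 0070 file owned by usera would be unreadable to usera herself despite her group membership, which is the kind of surprise worth knowing when juggling group bits.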