On Tue, 2005-05-24 at 09:25, Peter Farrow wrote:
> This line
> " It makes 0700 the same as 0770. "
>
> in the context of one group per user makes perfect sense to me......
>
> What John is getting at is that if one user is assigned their own
> individual group, then the concept of groups for security granularity is
> negated which essentially removes the middle part of the unix
> permissions syntax as the group and user are one and the same, so 0700
> is 0770, and in this instance your comment "0700 is and will always be
> different from 0770" does not apply.... you are right in that 0700 is
> different to 0770 but the security upshot is the same if each user has
> their own unique group and in that scenario there is no functional
> difference between 0700 and 0770.
>
> This is the essence of John's statement which I think you may have
> missed....

But everyone seems to be missing the real point, which is that if everyone is in a unique group, you can make everything owned by the user also group accessible by default without changing anything. Then when you do want someone to have access, all you have to do is add them to your group.

In the pre-RedHat world you also had to go change the group and modes of all your files and change your umask after you realized that sharing is useful. And, of course, if you restored anything from backups, it would come back wrong.

None of this changes what you can do with other groups.

--
Les Mikesell
les at futuresource.com
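An added illustration of the point made above, not code from the thread: a small model of the owner/group/other read check over a constructed user and group database. It shows that under a user-private-group scheme a 0770 file has exactly the same set of readers as a 0700 file until someone is added to the owner's group, and that the umask alone decides whether new files come out group accessible. The user names alice, bob and carol and the group tables are constructed sample data.

```python
import stat

# Constructed sample data: each user's primary group carries the user's own
# name and initially has no other members (the user-private-group scheme).
USERS = {"alice": "alice", "bob": "bob", "carol": "carol"}   # user -> primary group
GROUPS = {"alice": {"alice"}, "bob": {"bob"}, "carol": {"carol"}}  # group -> members


def groups_of(user, users=USERS, groups=GROUPS):
    """All groups a user belongs to: primary group plus supplementary ones."""
    return {users[user]} | {g for g, members in groups.items() if user in members}


def can_read(mode, owner, group, user, users=USERS, groups=GROUPS):
    """Classic three-way permission check (owner, then group, then other).
    Root is deliberately not modelled; it bypasses mode bits anyway."""
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in groups_of(user, users, groups):
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readers(mode, owner, group, users=USERS, groups=GROUPS):
    """Set of users able to read a file with the given mode, owner and group."""
    return {u for u in users if can_read(mode, owner, group, u, users, groups)}


def default_file_mode(umask):
    """Mode a newly created regular file gets: 0666 masked by the umask."""
    return 0o666 & ~umask


if __name__ == "__main__":
    # With a private group, 0700 and 0770 reach the same people: {"alice"}.
    print(sorted(readers(0o700, "alice", "alice")), sorted(readers(0o770, "alice", "alice")))
    # Add bob to alice's group and only the 0770 file opens up; no chmod needed.
    shared = {"alice": {"alice", "bob"}, "bob": {"bob"}, "carol": {"carol"}}
    print(sorted(readers(0o770, "alice", "alice", groups=shared)))
    # umask 002 yields group-writable 0664 files; umask 077 yields 0600.
    print(oct(default_file_mode(0o002)), oct(default_file_mode(0o077)))
```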