Why is 'users' the default group for new users in openSUSE?

I am new to openSUSE. In other Linux distros I’ve used, new users are assigned to their own group (i.e. user ‘joe’, group ‘joe’) by default. To my surprise, when I create new users with my openSUSE 11.4, they are all assigned to the ‘users’ shared group by default.

To test this, I created a new user called ‘friends’. From my terminal, I can see what the new user’s files look like:

joe@linux:~> ls -l /home/friends/
total 40
drwxr-xr-x 2 friends users 4096 Sep 3 11:37 bin
drwxr-xr-x 2 friends users 4096 Sep 3 11:38 Desktop
drwxr-xr-x 2 friends users 4096 Sep 3 11:38 Documents
drwxr-xr-x 2 friends users 4096 Sep 3 11:38 Downloads
drwxr-xr-x 2 friends users 4096 Sep 3 11:38 Music
drwxr-xr-x 2 friends users 4096 Sep 3 11:38 Pictures
drwxr-xr-x 2 friends users 4096 Sep 3 11:38 Public
drwxr-xr-x 2 friends users 4096 Sep 3 11:37 public_html
drwxr-xr-x 2 friends users 4096 Sep 3 11:38 Templates
drwxr-xr-x 2 friends users 4096 Sep 3 11:38 Videos

Does this mean that by default, while I am logged in as user ‘joe’, I will be able to see and open other users’ home files? The scary thing is that I went ahead and logged in as user ‘friends’ and I was able to access all my personal files in /home/joe. Does this mean that the default openSUSE security allows for all users to share and have access to each other’s home files?

Why not?

Distros differ. If they all did it the same, there would be but one distro.
The whole idea of groups would be futile when every user would have his own group.

Whether other users (in the same group or not) can have access (of any of the read/write/execute categories) depends on how that user manages his access bits. A user is responsible for this himself. You can only help him by providing a stricter umask to him by default. Or he can do that himself. And he can (re)set all of the access bits of his own files himself (chmod or file manager).

It is only a default in both cases and you, as system manager, should implement a policy on which users should go into which groups (finance department and sales department and …).

No, you’re not. You haven’t tried the Documents folder…

Henk, clearly each distro is able to implement their own defaults. Just look at the decision Ubuntu made on 11.04 to switch to the UNITY GUI and how their established user base have been abandoning ship by the thousands.

What caught my attention, as a long time sysadmin, is that this distro’s defaults allow for shared home user folders. The other operating systems and Linux distros I’ve used always create private home folders by default. I fully understand that this is merely a default setting, and that the sysadmin may change it at will, but I’m still puzzled as to why anybody would want shared home folders by default. I would think that non-shared folders, for instance each user in his own user group (i.e. user ‘joe’, group ‘joe’), like it is done in the other Linux distros, would be a more sensible and a more Unix-like secure ‘default’.

JP

It wouldn’t help much because it seems that the default umask on default created users in openSUSE seems to be 022. This means that files created by the user (and not protected by him) are as readable by everybody as by his group fellows.

When you think these defaults of the defaults should be different (they are in /etc/default/useradd), for which you have of course valid arguments, file a request at https://features.opensuse.org/

But it might be easier to change /etc/default/useradd yourself.

Personally, I like it the way that it is.

Unix came into existence as a system that encouraged sharing. I want all of my files to be readable by other users, with the exceptions of incoming mail and of files/directories where I explicitly use “chmod” to make them private.

When taking a closer look at the screens in Yast’s usermanagement, you’ll see that you can override the default “755” permissions of a user’s homedir. Set them to “700” and you are where you want to be.

I also guess (not sure, never tried), that when you change the access bits in /etc/skel, that useradd and YaST will follow that and create likewise.

Thank you all for your input and ideas!

JP

You have just encountered one of two schools of thought on the default group of users. Remember though that even if joe has his own group joe, he usually doesn’t have any permission to add people to his group and needs an admin to do this for him, which makes it a little less useful.

Absolutely. Just pay attention that all files and directories you put in /etc/skel belong to root:root.

OpenSUSE’s useradd is actually closer to Unix than the one of the other Linux distros.
/etc/login.defs in openSUSE doesn’t recognize USERGROUPS_ENAB - unlike in most other distros, which provide the option -N --no-user-group in useradd to overwrite the default behavior.

In the past (I cannot remember how long ago, probably pre 9.1) the SuSE installation process used to give a choice of umask settings. I think 027 and 022. For shared “personal” machines you could create “/etc/profile.local” with the entry “umask 077”. For workplace machines where all data belongs to the organisation, then I use “umask 027”; access restrictions are enabled by assigning users to appropriate groups, and making their primary/default group the most restrictive (highest authority).

On 09/04/2011 08:46 PM, JorgePadron wrote:
>
> like it is done in the other Linux distros, would be a more sensible and a more Unix-like secure
> ‘default’.

Big Picture:

think about where we are in the openSUSE - SUSE Linux universe…

that is, when you get right down to it openSUSE is the ‘testing area’
for a code base and developer organization which eventually produces
commercial products named SUSE Linux Enterprise Server (SLES) and SUSE
Linux Enterprise Desktop (SLED)…(and some other stuff, see
http://www.suse.com/products/)

in that commercial environment the IT department’s administrators will
be herding around a bunch of back office servers (SLES) and the road
warriors, suits and office folks will all be using SLED on their
personal machines at their desks, or on the road…and, in most cases
while the system is multi-user capable, each machine will usually have
ONE user, and the machine is protected by one user’s password…so, the
“Unix like” default which exists on all the other distros might not be
what needs to be well tested here

anyway, since SLED is a commercial product intended for eventual use on
a company owned and maintained machine there is really no such thing as
“personal files” which another employee (aka: the company) can’t get to…

so, imo that is the default for the heavily desktop centric distribution
named openSUSE … and, why not?

btw: the more “Unix like” you mention was and is still alive in actual
multi-user SLES environments where many front office users hook into the
back-office/big-iron via terminal programs…and anything they are
allowed to create or change on the multi-user accessible machine may or
may not be accessed by others…according to the permissions set up on
the servers by the system admins (just like the old dayz)…

finally: individuals using openSUSE on their personal machines are
expected to perform “normal” administrator duties, which includes
setting permissions as they need to be in the system in use.

ymmv


DD
openSUSE®, the “German Automobiles” of operating systems

Note that the correct way to change the umask value is using PAM; editing /etc/profile, /etc/login.defs and so on is deprecated.

See: SDB:Set UMASK - openSUSE

Thank you tk83; I should be using

~:# pam-config -a --umask-umask=027

In mitigation I can only plead that I too am feeling old and deprecated.
Configuration via /etc text files is a hard habit to break.

How about using Yast to change the umask for home directories under the ‘Defaults for New Users’ tab?

No, that’s not the same thing. I think it’s a bug in YAST that the home dir permissions mask for new users setting is named so confusingly.

Anyway have a look at the article in the wiki, it explains it all: SDB:Set UMASK - openSUSE

So, if we use openSUSE in an office setting, on shared staff desktop PCs, and considering that the default setting when creating new user accounts on openSUSE is for everybody to have access to each other’s home directory files, how do we lock access to individual /home/… users’ directories to behave the same way as Windows 7 or OSX, where users only have access to their own home folders?

Welcome on the forums !!!

I’d do that by changing the default for new users before creating one, i.e. set the default for new users to ‘700’, which means only the user himer self can access hesh folders.
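
The following is an added example, not part of the thread or of any openSUSE tool. It covers what changing the default for new users does not touch: it lists existing home directories that still carry group/other bits (such as the 755 shown above), sets them to 700, and shows the file mode that results from each umask mentioned in the thread (022, 027, 077). The function names and the sample directories in demo() are constructed for illustration; GNU `stat -c` is assumed.

```sh
# Added example; function names and the demo tree are constructed samples.

# Print "<mode> <path>" for each directory directly under $1 whose permission
# bits give group or others any access (mode & 077 != 0), e.g. the default 755.
audit_homes() {
    for d in "$1"/*; do
        [ -d "$d" ] && [ ! -L "$d" ] || continue    # skip files and symlinks
        mode=$(stat -c '%a' "$d")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then      # leading 0 = octal constant
            printf '%s %s\n' "$mode" "$d"
        fi
    done
}

# Set every directory reported by audit_homes to 700. Only the top level is
# changed: once it is 700, other users cannot traverse into anything below it.
lock_homes() {
    audit_homes "$1" | while read -r mode dir; do
        chmod 700 "$dir"
    done
}

# Print the mode a newly created regular file gets under umask $1.
# The body runs in a subshell, so the caller's own umask is left untouched.
mode_under_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    : > "$tmp/f"
    stat -c '%a' "$tmp/f"
    rm -rf "$tmp"
)

# Demo on a throwaway tree that mimics /home (no real accounts involved).
demo() {
    base=$(mktemp -d) || return 1
    mkdir -m 755 "$base/joe" "$base/friends"
    mkdir -m 700 "$base/private"
    echo "open before:"; audit_homes "$base"
    lock_homes "$base"
    echo "open after:";  audit_homes "$base"
    for m in 022 027 077; do
        echo "umask $m -> new file mode $(mode_under_umask "$m")"
    done
    rm -rf "$base"
}

demo
```

Against a real system, `audit_homes /home` is read-only and can be run first; `lock_homes /home` needs root.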