[INSTRM-503] Add per-user groups
Created: 03/Oct/18
Updated: 07/Nov/19

Status: Open
Project: Instrument control development
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Normal
Reporter: cloomis
Assignee: Kiaina Schubert
Resolution: Unresolved
Votes: 0
Labels: subaru-personnel
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The security model for PFS is a common one:

  • All development and installation work is done by individual user accounts
  • All user accounts are also in a common group (pfs)
  • All work is saved in a shared directory (/software)

A time-tested way to make that work smoothly is:

  • Each user has a primary per-user group id.
  • All users are additionally in group pfs
  • Each user's $HOME has that group id, and is 0755, so that ssh works safely.
  • All shared directories (/software and under) are group pfs and g+srwx.

I notice that the LDAP accounts do not have per-user primary groups. Can they be added?



 Comments   
Comment by cloomis [ 03/Dec/18 ]

Bump. Is this possible?

I'll add the main appeal:

  • content written to the pfs group directories (/software/products, etc) is writable by all in the project, but
  • content written to non-pfs group directories (/home/, etc) is by default readable but not writable by all in the project.

If you do not have per-user primary groups it is difficult and error-prone to avoid making non-shared files group/world writable.
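An audit for the layout requested in this ticket, as an added example that is not part of the original issue or any PFS tooling. The function names are hypothetical, and the directories and group are passed as arguments (a numeric gid works as well as a name).

```shell
#!/bin/sh
# Added example: checks for the per-user-group layout described above.
# Function names are illustrative; paths and group come from arguments.

# Directories under a shared tree that break "group <grp> and g+srwx".
# -perm -2070 requires the setgid bit plus group read/write/execute.
audit_shared_tree() {
    dir=$1 grp=$2
    find "$dir" -type d \( ! -group "$grp" -o ! -perm -2070 \) -print
}

# Entries under a non-shared tree (a $HOME, say) that the shared group
# can write, or that are world-writable. This is what umask 002 produces
# when the user's primary group is the shared group instead of a
# per-user one. Symlinks are skipped: their mode bits carry no meaning.
audit_private_tree() {
    dir=$1 grp=$2
    find "$dir" ! -type l \
        \( \( -group "$grp" -perm -020 \) -o -perm -002 \) -print
}

# True when the directory itself is neither group- nor world-writable,
# the condition OpenSSH's StrictModes applies to a home directory.
home_is_ssh_safe() {
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Usage: sh audit.sh SHARED_DIR HOME_DIR GROUP
if [ "$#" -eq 3 ]; then
    audit_shared_tree "$1" "$3"
    audit_private_tree "$2" "$3"
    home_is_ssh_safe "$2" || echo "$2: group- or world-writable"
fi
```

Each function prints one offending path per line; empty output means the tree conforms.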

Generated at Sat Feb 10 16:25:41 JST 2024 using Jira 8.3.4#803005-sha1:1f96e09b3c60279a408a2ae47be3c745f571388b.