https://pfspipe.ipmu.jp/jira This file is an XML representation of an issue en-us 8.3.4 803005 13-09-2019 https://pfspipe.ipmu.jp/jira/browse/INSTRM-503 Instrument control development <p>The security model for PFS is a common one:</p> <ul class="alternate" type="square"> <li>All development and installation work is done by individual user accounts</li> <li>All user accounts are also in a common group (<tt>pfs</tt>)</li> <li>All work is saved in a shared directory (<tt>/software</tt>)</li> </ul> <p>A time-tested way to make that work smoothly is:</p> <ul class="alternate" type="square"> <li>Each user has a primary per-user group id.</li> <li>All users are additionally in group <tt>pfs</tt></li> <li>Each user's $HOME has that group id, and is 0755, so that ssh works safely.</li> <li>All shared directories (<tt>/software</tt> and under) are group <tt>pfs</tt> and <tt>g+srwx</tt>.</li> </ul> <p>I notice that the LDAP accounts do not have per-user primary groups. Can they be added?</p> INSTRM-503

Add per-user groups

Task Normal Open Unresolved Kiaina Schubert cloomis subaru-personnel Tue, 2 Oct 2018 16:56:43 +0000 Thu, 7 Nov 2019 01:20:36 +0000 0 1 <p>Bump. Is this possible?</p> <p>I'll add the main appeal:</p> <ul class="alternate" type="square"> <li>content written to the pfs group directories (<tt>/software/products</tt>, etc) are <em>writable</em> by all in the project, but</li> <li>content written to non-fps group directories (<tt>/home/</tt>, etc) are by default <em>readable</em> but not <em>writable</em> by all in the project.</li> </ul> <p>If you do not have per-user primary groups it is difficult and error-prone to avoid making non-shared files group/world writable.</p> Development Rank 0|s00168: