group permissions and 4.2bsd

smb at ulysses.UUCP
Sat Dec 10 08:19:04 AEST 1983


I've been trying to figure out how to use the group permission scheme
implemented in 4.1c/4.2 bsd.  For those of you who haven't seen it yet,
each user may be in up to N groups at once (default max is 8), plus an
"accounting group" -- the traditional group listed in /etc/passwd, and
used by setgid programs.  Files are created in the group of the directory
containing them; this means that if, for example, /usr/src is group 'staff',
any new files created in /usr/src will be in group staff, regardless of
the gid of the creator.  The chgrp command (which is setuid) will let you
change the group of any of your files or directories to any group you're
a member of.  Permissions, though, are still affected by umask, and therein
lies the rub.

Suppose my home directory is group 'other', but /usr/src is group 'staff'.
Files that I create in my home directory should be created with a umask of
022 -- since I don't want random folks scribbling on my files -- but anything
I add to /usr/src should be umask 002, since other staff members should be
able to modify those files.  What's really needed, it seems, are per-gid
umasks -- a horrible concept -- or per-directory umasks, similar to Multics'
"initial access control lists".  Both, of course, would require kernel-hacking
which I don't want to do.

The scheme I've tentatively come up with is to assign each user a gid
equal to his/her uid (with the appropriate /etc/group entry), and make the
default umask 002.  Thus, for files not part of a shared project -- say,
one's home directory -- the 002 access means that no one else will be able
to get to them anyway.  But if that user is part of any specialized groups,
and has a directory belonging to that group, files created in it will be
shared.  Comments?  (One objection I've considered and dismissed is that it
makes /etc/group too long.  But its length is (mostly) bounded by /etc/passwd,
and we're willing to live with that.)


		--Steve Bellovin
		{ihnp4,ucbvax,decvax,unc}!ulysses!smb
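
The tradeoff the post describes (umask 022 versus 002, with and without a per-user private group) can be checked with a small model of the 4.2BSD rules: a new file takes the group of its directory, its mode is `0666 & ~umask`, and the access check uses the owner bits, else the group bits if the caller is in the file's accounting or supplementary groups, else the other bits. The following Python is an added example written for this page, not code from the original message or from BSD; the users, uids and gids (`smb`, a staff colleague, a stranger, groups 10/20/100) are constructed for illustration.

```python
"""Model of the 4.2BSD group/umask semantics described in the post.
Added example; all users, groups and directories below are constructed."""
from dataclasses import dataclass

W = 0o2  # write bit within a 3-bit rwx triple


@dataclass(frozen=True)
class User:
    uid: int
    gid: int                                 # accounting group, as in /etc/passwd
    groups: frozenset = frozenset()          # supplementary group set (default max 8)

    def in_group(self, gid):
        return gid == self.gid or gid in self.groups


@dataclass
class Inode:
    uid: int
    gid: int
    mode: int                                # nine permission bits


def create_file(creator, parent_dir, umask, requested=0o666):
    """4.2BSD rule: the new file inherits the directory's group, regardless of
    the creator's gid; the mode is the requested mode with the umask bits cleared."""
    return Inode(uid=creator.uid, gid=parent_dir.gid, mode=requested & ~umask & 0o777)


def can_write(user, inode):
    """Classic Unix check: owner bits, else group bits, else other bits."""
    if user.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif user.in_group(inode.gid):
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bool(bits & W)


def scenario(umask, private_group):
    """Create one file in smb's home directory and one in /usr/src, then report
    who can write them.  private_group=True gives smb a gid equal to his uid
    (the scheme proposed in the post); otherwise smb's accounting group is 'other'."""
    STAFF, OTHER = 10, 20                    # constructed gids
    smb_gid = 100 if private_group else OTHER
    smb = User(uid=100, gid=smb_gid, groups=frozenset({STAFF}))
    colleague = User(uid=101, gid=OTHER, groups=frozenset({STAFF}))
    stranger = User(uid=200, gid=OTHER)      # ordinary user, not in staff

    home = Inode(uid=smb.uid, gid=smb_gid, mode=0o755)   # group follows smb's gid
    usr_src = Inode(uid=0, gid=STAFF, mode=0o775)        # shared staff tree

    home_file = create_file(smb, home, umask)
    src_file = create_file(smb, usr_src, umask)
    return {
        "home_mode": home_file.mode,
        "src_mode": src_file.mode,
        "stranger_writes_home": can_write(stranger, home_file),
        "colleague_writes_src": can_write(colleague, src_file),
        "stranger_writes_src": can_write(stranger, src_file),
    }


if __name__ == "__main__":
    for umask, private in ((0o022, False), (0o002, False), (0o002, True)):
        r = scenario(umask, private)
        print(f"umask {umask:03o} private_group={private}: "
              f"home {r['home_mode']:03o} src {r['src_mode']:03o} "
              f"stranger->home {r['stranger_writes_home']} "
              f"colleague->src {r['colleague_writes_src']} "
              f"stranger->src {r['stranger_writes_src']}")
```

Running the three cases reproduces the argument: with umask 022 the colleague cannot edit the shared file in /usr/src; with umask 002 but a shared accounting group, a stranger in that group can scribble on files in the home directory; with umask 002 and a private per-user group, the home file is effectively private (nobody else is in group 100) while the /usr/src file is writable by staff and still read-only to everyone else.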


