How to interpret group permission?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












My current understanding is when a user A creates a file F, this user becomes the file owner, and can also set a permission for whatever group this user would end up being in.



So when user A is in group G, every single member of G would have the permission user A initially set up for file F. Same goes for group G1, G2..... of which A is a member.



But A could not possibly foresee who will be in the same group he or she would be in also, and what kind of group he would be placed into, a predetermined permission seems risky, even though it can be changed. so my understanding seems very naive.



Really appreciate anyone's help.










share|improve this question





















  • This is where you have to trust your system's administrators to manage the groups correctly. Unfortunately, I've seen cases, especially when joined to Active Directory, where a single group contains every user and this is the default group. Usually this happens when Windows admins are designing AD and Linux admin have to live with the results.
    – Doug O'Neal
    Aug 11 at 18:11














up vote
0
down vote

favorite












My current understanding is when a user A creates a file F, this user becomes the file owner, and can also set a permission for whatever group this user would end up being in.



So when user A is in group G, every single member of G would have the permission user A initially set up for file F. Same goes for group G1, G2..... of which A is a member.



But A could not possibly foresee who will be in the same group he or she would be in also, and what kind of group he would be placed into, a predetermined permission seems risky, even though it can be changed. so my understanding seems very naive.



Really appreciate anyone's help.










share|improve this question





















  • This is where you have to trust your system's administrators to manage the groups correctly. Unfortunately, I've seen cases, especially when joined to Active Directory, where a single group contains every user and this is the default group. Usually this happens when Windows admins are designing AD and Linux admin have to live with the results.
    – Doug O'Neal
    Aug 11 at 18:11












up vote
0
down vote

favorite









up vote
0
down vote

favorite











My current understanding is when a user A creates a file F, this user becomes the file owner, and can also set a permission for whatever group this user would end up being in.



So when user A is in group G, every single member of G would have the permission user A initially set up for file F. Same goes for group G1, G2..... of which A is a member.



But A could not possibly foresee who will be in the same group he or she would be in also, and what kind of group he would be placed into, a predetermined permission seems risky, even though it can be changed. so my understanding seems very naive.



Really appreciate anyone's help.










share|improve this question













My current understanding is when a user A creates a file F, this user becomes the file owner, and can also set a permission for whatever group this user would end up being in.



So when user A is in group G, every single member of G would have the permission user A initially set up for file F. Same goes for group G1, G2..... of which A is a member.



But A could not possibly foresee who will be in the same group he or she would be in also, and what kind of group he would be placed into, a predetermined permission seems risky, even though it can be changed. so my understanding seems very naive.



Really appreciate anyone's help.







linux permissions






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Aug 11 at 12:45









John Smith Sr.

1012




1012











  • This is where you have to trust your system's administrators to manage the groups correctly. Unfortunately, I've seen cases, especially when joined to Active Directory, where a single group contains every user and this is the default group. Usually this happens when Windows admins are designing AD and Linux admin have to live with the results.
    – Doug O'Neal
    Aug 11 at 18:11
















  • This is where you have to trust your system's administrators to manage the groups correctly. Unfortunately, I've seen cases, especially when joined to Active Directory, where a single group contains every user and this is the default group. Usually this happens when Windows admins are designing AD and Linux admin have to live with the results.
    – Doug O'Neal
    Aug 11 at 18:11















This is where you have to trust your system's administrators to manage the groups correctly. Unfortunately, I've seen cases, especially when joined to Active Directory, where a single group contains every user and this is the default group. Usually this happens when Windows admins are designing AD and Linux admin have to live with the results.
– Doug O'Neal
Aug 11 at 18:11




This is where you have to trust your system's administrators to manage the groups correctly. Unfortunately, I've seen cases, especially when joined to Active Directory, where a single group contains every user and this is the default group. Usually this happens when Windows admins are designing AD and Linux admin have to live with the results.
– Doug O'Neal
Aug 11 at 18:11










2 Answers
2






active

oldest

votes

















up vote
2
down vote













On most Linuxes, at least as the out of the box default, a user's primary group is the same as their username, so this wouldn't be a problem since the group ownership of a new file would be for a group that no one will ever be in.



When servers are configured for new users to have a primary group that is shared, then we have the umask environmental variable to prevent any problems. This is what sets the default permissions of new files, and can be set per user. So user A might set his umask to 077, and then any new files he creates will have permissons of 700, meaning group members won't be able to do anything with it.



To expand on this a little, your umask is normally set as part of your initialization script - that is, the scripts that run when you log into a user account. You have two sets - your global profile script, which is most commonly /etc/profile or /etc/bashrc, and your local, which are stored under your home directory as .bashrc or .profile (the actual scripts used depend on your shell, these are just common for bash). When you log in, the relevant global script runs first, then the local script runs, and can override anything done by the global. So under .bashrc (or equivalent) you would simply have to append to the script, umask 077 to set the value to 077. You can also just run umask 077 to set the umask for the current session only.






share|improve this answer






















  • Great answer - thanks! I wonder if you might consider a wee edit to say how A goes about setting his umask?
    – Seamus
    Aug 11 at 15:03










  • @seamus, I added it as requested. Let me know if I didn't explain it clearly.
    – Mella
    Aug 11 at 15:34










  • Perfect :) Thanks!
    – Seamus
    Aug 11 at 16:01

















up vote
1
down vote













When a new file is created, it has a single user (owner) and a single group associated with it. Even if user A is in multiple groups, the file can only be associated with one of those groups. You can confirm this with a simple ls -l. There is one user and one group for any file.



Hence, even if user A is added into a new group, this new group cannot access the file, and thus has no bearing on its permissions. The only way a new user could access it is if they are added to the initial owning group G… and if they have the level of access required to make that happen, then they would be able to access the file by other means anyway.






share|improve this answer




















  • thanks. Does that mean there is a way to change the default group a file is associated with when it is created?
    – John Smith Sr.
    Aug 11 at 14:25










  • @JohnSmithSr.Yes, with the chgrp command. You can change group ownership to any group that you belong to.
    – Doug O'Neal
    Aug 11 at 18:08










  • @JohnSmithSr. chgrp will change the file's groups retroactively. You can also change the default group for a particular user.
    – Sparhawk
    Aug 12 at 0:11











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f461982%2fhow-to-interpret-group-permission%23new-answer', 'question_page');

);

Post as a guest






























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote













On most Linuxes, at least as the out of the box default, a user's primary group is the same as their username, so this wouldn't be a problem since the group ownership of a new file would be for a group that no one will ever be in.



When servers are configured for new users to have a primary group that is shared, then we have the umask environmental variable to prevent any problems. This is what sets the default permissions of new files, and can be set per user. So user A might set his umask to 077, and then any new files he creates will have permissons of 700, meaning group members won't be able to do anything with it.



To expand on this a little, your umask is normally set as part of your initialization script - that is, the scripts that run when you log into a user account. You have two sets - your global profile script, which is most commonly /etc/profile or /etc/bashrc, and your local, which are stored under your home directory as .bashrc or .profile (the actual scripts used depend on your shell, these are just common for bash). When you log in, the relevant global script runs first, then the local script runs, and can override anything done by the global. So under .bashrc (or equivalent) you would simply have to append to the script, umask 077 to set the value to 077. You can also just run umask 077 to set the umask for the current session only.






share|improve this answer






















  • Great answer - thanks! I wonder if you might consider a wee edit to say how A goes about setting his umask?
    – Seamus
    Aug 11 at 15:03










  • @seamus, I added it as requested. Let me know if I didn't explain it clearly.
    – Mella
    Aug 11 at 15:34










  • Perfect :) Thanks!
    – Seamus
    Aug 11 at 16:01














up vote
2
down vote













On most Linuxes, at least as the out of the box default, a user's primary group is the same as their username, so this wouldn't be a problem since the group ownership of a new file would be for a group that no one will ever be in.



When servers are configured for new users to have a primary group that is shared, then we have the umask environmental variable to prevent any problems. This is what sets the default permissions of new files, and can be set per user. So user A might set his umask to 077, and then any new files he creates will have permissons of 700, meaning group members won't be able to do anything with it.



To expand on this a little, your umask is normally set as part of your initialization script - that is, the scripts that run when you log into a user account. You have two sets - your global profile script, which is most commonly /etc/profile or /etc/bashrc, and your local, which are stored under your home directory as .bashrc or .profile (the actual scripts used depend on your shell, these are just common for bash). When you log in, the relevant global script runs first, then the local script runs, and can override anything done by the global. So under .bashrc (or equivalent) you would simply have to append to the script, umask 077 to set the value to 077. You can also just run umask 077 to set the umask for the current session only.






share|improve this answer






















  • Great answer - thanks! I wonder if you might consider a wee edit to say how A goes about setting his umask?
    – Seamus
    Aug 11 at 15:03










  • @seamus, I added it as requested. Let me know if I didn't explain it clearly.
    – Mella
    Aug 11 at 15:34










  • Perfect :) Thanks!
    – Seamus
    Aug 11 at 16:01












up vote
2
down vote










up vote
2
down vote









On most Linuxes, at least as the out of the box default, a user's primary group is the same as their username, so this wouldn't be a problem since the group ownership of a new file would be for a group that no one will ever be in.



When servers are configured for new users to have a primary group that is shared, then we have the umask environmental variable to prevent any problems. This is what sets the default permissions of new files, and can be set per user. So user A might set his umask to 077, and then any new files he creates will have permissons of 700, meaning group members won't be able to do anything with it.



To expand on this a little, your umask is normally set as part of your initialization script - that is, the scripts that run when you log into a user account. You have two sets - your global profile script, which is most commonly /etc/profile or /etc/bashrc, and your local, which are stored under your home directory as .bashrc or .profile (the actual scripts used depend on your shell, these are just common for bash). When you log in, the relevant global script runs first, then the local script runs, and can override anything done by the global. So under .bashrc (or equivalent) you would simply have to append to the script, umask 077 to set the value to 077. You can also just run umask 077 to set the umask for the current session only.






share|improve this answer














On most Linuxes, at least as the out of the box default, a user's primary group is the same as their username, so this wouldn't be a problem since the group ownership of a new file would be for a group that no one will ever be in.



When servers are configured for new users to have a primary group that is shared, then we have the umask environmental variable to prevent any problems. This is what sets the default permissions of new files, and can be set per user. So user A might set his umask to 077, and then any new files he creates will have permissons of 700, meaning group members won't be able to do anything with it.



To expand on this a little, your umask is normally set as part of your initialization script - that is, the scripts that run when you log into a user account. You have two sets - your global profile script, which is most commonly /etc/profile or /etc/bashrc, and your local, which are stored under your home directory as .bashrc or .profile (the actual scripts used depend on your shell, these are just common for bash). When you log in, the relevant global script runs first, then the local script runs, and can override anything done by the global. So under .bashrc (or equivalent) you would simply have to append to the script, umask 077 to set the value to 077. You can also just run umask 077 to set the umask for the current session only.







share|improve this answer














share|improve this answer



share|improve this answer








edited Aug 11 at 15:33

























answered Aug 11 at 12:54









Mella

213110




213110











  • Great answer - thanks! I wonder if you might consider a wee edit to say how A goes about setting his umask?
    – Seamus
    Aug 11 at 15:03










  • @seamus, I added it as requested. Let me know if I didn't explain it clearly.
    – Mella
    Aug 11 at 15:34










  • Perfect :) Thanks!
    – Seamus
    Aug 11 at 16:01
















  • Great answer - thanks! I wonder if you might consider a wee edit to say how A goes about setting his umask?
    – Seamus
    Aug 11 at 15:03










  • @seamus, I added it as requested. Let me know if I didn't explain it clearly.
    – Mella
    Aug 11 at 15:34










  • Perfect :) Thanks!
    – Seamus
    Aug 11 at 16:01















Great answer - thanks! I wonder if you might consider a wee edit to say how A goes about setting his umask?
– Seamus
Aug 11 at 15:03




Great answer - thanks! I wonder if you might consider a wee edit to say how A goes about setting his umask?
– Seamus
Aug 11 at 15:03












@seamus, I added it as requested. Let me know if I didn't explain it clearly.
– Mella
Aug 11 at 15:34




@seamus, I added it as requested. Let me know if I didn't explain it clearly.
– Mella
Aug 11 at 15:34












Perfect :) Thanks!
– Seamus
Aug 11 at 16:01




Perfect :) Thanks!
– Seamus
Aug 11 at 16:01












up vote
1
down vote













When a new file is created, it has a single user (owner) and a single group associated with it. Even if user A is in multiple groups, the file can only be associated with one of those groups. You can confirm this with a simple ls -l. There is one user and one group for any file.



Hence, even if user A is added into a new group, this new group cannot access the file, and thus has no bearing on its permissions. The only way a new user could access it is if they are added to the initial owning group G… and if they have the level of access required to make that happen, then they would be able to access the file by other means anyway.






share|improve this answer




















  • thanks. Does that mean there is a way to change the default group a file is associated with when it is created?
    – John Smith Sr.
    Aug 11 at 14:25










  • @JohnSmithSr.Yes, with the chgrp command. You can change group ownership to any group that you belong to.
    – Doug O'Neal
    Aug 11 at 18:08










  • @JohnSmithSr. chgrp will change the file's groups retroactively. You can also change the default group for a particular user.
    – Sparhawk
    Aug 12 at 0:11















up vote
1
down vote













When a new file is created, it has a single user (owner) and a single group associated with it. Even if user A is in multiple groups, the file can only be associated with one of those groups. You can confirm this with a simple ls -l. There is one user and one group for any file.



Hence, even if user A is added into a new group, this new group cannot access the file, and thus has no bearing on its permissions. The only way a new user could access it is if they are added to the initial owning group G… and if they have the level of access required to make that happen, then they would be able to access the file by other means anyway.






share|improve this answer




















  • thanks. Does that mean there is a way to change the default group a file is associated with when it is created?
    – John Smith Sr.
    Aug 11 at 14:25










  • @JohnSmithSr.Yes, with the chgrp command. You can change group ownership to any group that you belong to.
    – Doug O'Neal
    Aug 11 at 18:08










  • @JohnSmithSr. chgrp will change the file's groups retroactively. You can also change the default group for a particular user.
    – Sparhawk
    Aug 12 at 0:11













up vote
1
down vote










up vote
1
down vote









When a new file is created, it has a single user (owner) and a single group associated with it. Even if user A is in multiple groups, the file can only be associated with one of those groups. You can confirm this with a simple ls -l. There is one user and one group for any file.



Hence, even if user A is added into a new group, this new group cannot access the file, and thus has no bearing on its permissions. The only way a new user could access it is if they are added to the initial owning group G… and if they have the level of access required to make that happen, then they would be able to access the file by other means anyway.






share|improve this answer












When a new file is created, it has a single user (owner) and a single group associated with it. Even if user A is in multiple groups, the file can only be associated with one of those groups. You can confirm this with a simple ls -l. There is one user and one group for any file.



Hence, even if user A is added into a new group, this new group cannot access the file, and thus has no bearing on its permissions. The only way a new user could access it is if they are added to the initial owning group G… and if they have the level of access required to make that happen, then they would be able to access the file by other means anyway.







share|improve this answer












share|improve this answer



share|improve this answer










answered Aug 11 at 12:56









Sparhawk

8,41363488




8,41363488











  • thanks. Does that mean there is a way to change the default group a file is associated with when it is created?
    – John Smith Sr.
    Aug 11 at 14:25










  • @JohnSmithSr.Yes, with the chgrp command. You can change group ownership to any group that you belong to.
    – Doug O'Neal
    Aug 11 at 18:08










  • @JohnSmithSr. chgrp will change the file's groups retroactively. You can also change the default group for a particular user.
    – Sparhawk
    Aug 12 at 0:11

















  • thanks. Does that mean there is a way to change the default group a file is associated with when it is created?
    – John Smith Sr.
    Aug 11 at 14:25










  • @JohnSmithSr.Yes, with the chgrp command. You can change group ownership to any group that you belong to.
    – Doug O'Neal
    Aug 11 at 18:08










  • @JohnSmithSr. chgrp will change the file's groups retroactively. You can also change the default group for a particular user.
    – Sparhawk
    Aug 12 at 0:11
















thanks. Does that mean there is a way to change the default group a file is associated with when it is created?
– John Smith Sr.
Aug 11 at 14:25




thanks. Does that mean there is a way to change the default group a file is associated with when it is created?
– John Smith Sr.
Aug 11 at 14:25












@JohnSmithSr.Yes, with the chgrp command. You can change group ownership to any group that you belong to.
– Doug O'Neal
Aug 11 at 18:08




@JohnSmithSr.Yes, with the chgrp command. You can change group ownership to any group that you belong to.
– Doug O'Neal
Aug 11 at 18:08












@JohnSmithSr. chgrp will change the file's groups retroactively. You can also change the default group for a particular user.
– Sparhawk
Aug 12 at 0:11





@JohnSmithSr. chgrp will change the file's groups retroactively. You can also change the default group for a particular user.
– Sparhawk
Aug 12 at 0:11


















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f461982%2fhow-to-interpret-group-permission%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?