From mboxrd@z Thu Jan 1 00:00:00 1970 From: Nils Gillmann Subject: Why is the default user group "users"? and: rights and access to /var/mail Date: Mon, 2 Apr 2018 10:10:17 +0000 Message-ID: <20180402101017.3dy3g2wt6cg6u226@abyayala> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:56639) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1f2wPY-0007ox-D5 for guix-devel@gnu.org; Mon, 02 Apr 2018 06:10:01 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1f2wPX-0001lt-Hj for guix-devel@gnu.org; Mon, 02 Apr 2018 06:10:00 -0400 Received: from conspiracy.of.n0.is ([2a01:4f8:1c0c:7ad0::1]:46866) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1f2wPX-0001jn-7L for guix-devel@gnu.org; Mon, 02 Apr 2018 06:09:59 -0400 Received: by conspiracy.of.n0.is (OpenSMTPD) with ESMTPSA id c7478215 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for ; Mon, 2 Apr 2018 10:09:56 +0000 (UTC) Content-Disposition: inline List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org Hi, can someone tell me why in gnu/system/shadow module you thought it would be a good idea to default to "users" as a shared group for all accounts created as normal user profiles? Reason why I'm asking has a second question attached: Why does our opensmtpd-service (and dovecot?) create /var/mail world readable, owned by root:root? I'm working on integration of mailx (package done, debugging its runtime currently[1]), though I think my concern is not exclusive to mailx: I want users to be able to read mailboxes inside /var/mail by their name (/var/mail/$username) and which are set to be r+w only for $username:$username. If you want to list the content of the folder you would need to be part of the wheel/sudo group, otherwise you are just able to access your mailbox with your mailreader. $username:$username was what I learned as good and secure usage for user accounts. Why GuixSD uses $username:users is beyond me. I know recently the default chmod of the user $home was changed (last year?) so I can no longer read other users homes, but I'm still questioning the choice. Some explanation on this would be good. [1] Not sure if this is something you want to see in Guix master, as a package and as integration. If you are, I'll work it into my Guix repo when I'm done with it.