From: Nils Gillmann
Subject: Re: Why is the default user group "users"? and: rights and access to /var/mail
Date: Mon, 2 Apr 2018 11:25:42 +0000
Message-ID: <20180402112542.pt3dcoe5csxddqxf@abyayala>
In-Reply-To: <20180402101017.3dy3g2wt6cg6u226@abyayala>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

Nils Gillmann transcribed 1.3K bytes:
> Hi,
>
> can someone tell me why in the gnu/system/shadow module you thought
> it would be a good idea to default to "users" as a shared group
> for all accounts created as normal user profiles?
>
> The reason why I'm asking has a second question attached:
> Why does our opensmtpd-service (and dovecot?) create
> /var/mail world-readable, owned by root:root?
>
> I'm working on integration of mailx (package done, debugging its
> runtime currently[1]), though I think my concern is not exclusive to
> mailx: I want users to be able to read mailboxes inside /var/mail
> by their name (/var/mail/$username) and which are set to be r+w
> only for $username:$username. If you want to list the content of
> the folder you would need to be part of the wheel/sudo group,
> otherwise you are just able to access your mailbox with your
> mailreader.
> $username:$username was what I learned as good and secure usage
> for user accounts. Why GuixSD uses $username:users is beyond me.
> I know recently the default chmod of the user $home was changed
> (last year?) so I can no longer read other users' homes, but I'm
> still questioning the choice.
> Some explanation on this would be good.

I think I can achieve what I want with different settings and services.
root:root might still be a problem, but I need to test more with this.

On $username:users, I was told that $username:$username is a quite recent
and new development in how defaults are set for Unix users. With every
user in one group we just need to watch chmod. So I guess the decision
was made when this one user group was still dominant.

> [1] Not sure if this is something you want to see in Guix master,
> as a package and as integration. If you are, I'll work it into
> my Guix repo when I'm done with it.
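The permission model described above (spool directory not world-readable, each /var/mail/$username mailbox mode 0600 and owned by $username) as an added audit script; this is not code from the thread or from Guix, and it assumes a POSIX sh with find, and a spool path given as the first argument:

```shell
#!/bin/sh
# Added example (not from the original thread): audit a mail spool
# directory against the model discussed above. One line is printed per
# finding and the number of findings is returned (0 = clean).
#   Usage: audit_mail_spool /var/mail

audit_mail_spool() {
    spool=$1
    findings=0

    # The thread's first concern: /var/mail itself being world-readable.
    # -prune stops find from descending; -perm -004 tests the o+r bit.
    if [ -n "$(find "$spool" -prune -perm -004 2>/dev/null)" ]; then
        echo "WARN: $spool is world-readable"
        findings=$((findings + 1))
    fi

    for box in "$spool"/*; do
        [ -f "$box" ] || continue
        name=$(basename "$box")

        # Mailbox must be exactly 0600: r+w for the owner, nothing else.
        if [ -z "$(find "$box" -perm 600 2>/dev/null)" ]; then
            echo "WARN: $box is not mode 0600"
            findings=$((findings + 1))
        fi

        # Mailbox must be owned by the user it is named after. A name
        # that is not a known user makes find fail, which is also a
        # finding (orphaned mailbox).
        if [ -z "$(find "$box" -user "$name" 2>/dev/null)" ]; then
            echo "WARN: $box is not owned by user $name"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run directly against a spool path when one is given on the command line.
if [ $# -gt 0 ]; then
    audit_mail_spool "$1"
fi
```

The owner check does not verify the group; the thread's $username:$username versus $username:users question is a policy choice, and a 0600 mode makes the group irrelevant for the mailbox itself.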