From mboxrd@z Thu Jan 1 00:00:00 1970 From: Chris Marusich Subject: Re: Why is the default user group "users"? and: rights and access to /var/mail Date: Thu, 05 Apr 2018 23:43:33 -0700 Message-ID: <877epkbzsa.fsf@gmail.com> References: <20180402101017.3dy3g2wt6cg6u226@abyayala> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:34285) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1f4L68-0004N5-Bb for guix-devel@gnu.org; Fri, 06 Apr 2018 02:43:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1f4L64-00089Y-Qv for guix-devel@gnu.org; Fri, 06 Apr 2018 02:43:43 -0400 Received: from mail-io0-x22f.google.com ([2607:f8b0:4001:c06::22f]:45604) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1f4L64-00089J-L8 for guix-devel@gnu.org; Fri, 06 Apr 2018 02:43:40 -0400 Received: by mail-io0-x22f.google.com with SMTP id 141so469246iou.12 for ; Thu, 05 Apr 2018 23:43:40 -0700 (PDT) Received: from garuda.local (c-24-18-253-84.hsd1.wa.comcast.net. [24.18.253.84]) by smtp.gmail.com with ESMTPSA id 124-v6sm5524978itw.25.2018.04.05.23.43.37 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 05 Apr 2018 23:43:37 -0700 (PDT) In-Reply-To: <20180402101017.3dy3g2wt6cg6u226@abyayala> (Nils Gillmann's message of "Mon, 2 Apr 2018 10:10:17 +0000") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Nils Gillmann writes: > can someone tell me why in gnu/system/shadow module you thought > it would be a good idea to default to "users" as a shared group > for all accounts created as normal user profiles? > > Reason why I'm asking has a second question attached: > Why does our opensmtpd-service (and dovecot?) create > /var/mail world readable, owned by root:root? Does the opensmtpd-service allow a user to customize in their declaration the permissions it will use for /var/mail? If it does, then you should be able to specify precisely the permissions you want on /var/mail. > I'm working on integration of mailx (package done, debugging its > runtime currently[1]), though I think my concern is not exclusive to > mailx: I want users to be able to read mailboxes inside /var/mail > by their name (/var/mail/$username) and which are set to be r+w > only for $username:$username. If you want to list the content of > the folder you would need to be part of the wheel/sudo group, > otherwise you are just able to access your mailbox with your > mailreader. > $username:$username was what I learned as good and secure usage > for user accounts. Why GuixSD uses $username:users is beyond me. > I know recently the default chmod of the user $home was changed > (last year?) so I can no longer read other users homes, but I'm > still questioning the choice. > Some explanation on this would be good. In defense of the current default, my understanding is that in shared systems, it is not uncommon to put users in a single group (e.g., users). I suppose the intent might be to make it easier for the users to collaborate in such shared systems. So, I didn't find this behavior very surprising. However, if you want to change the user/group structure, you ought to be able to do so. I believe you can do that by customizing the "users" and "groups" fields of your declaration (see: (guix) operating-system Reference). You even should to be able to remove the "users" group entirely if you don't want it. Hope that helps! =2D-=20 Chris --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAlrHFxUACgkQ3UCaFdgi Rp2BEQ/9HzRVldtdvVey5JX/LlZorRLxfLkOrI0x0SsP/Qpe3YkIJzN9S/ufxjVM Mio3MY0Q88Y8p1h77yvZzo1XMqDMSbxt2LozHS2/uouk6bpnYsZYdiC0kFQAbVC7 Xm9cK3mmwSyqKnINF63KeHIXoY0sBb9EhkQAAsLg0GCXq61Gee88eG517C2Nz1aB QpAb/SpLVa8JNX0ESTU8eiPG1nYgFhQusC/w6fo993U44VDGAl+NDIYjsAsG1BZD p4W2/gTKzBn2+BWoF1rxLrjAvFIlpbapSF0PWUCK4lNE80FJ95v4PMj7rhrDrKUu bpjiNVVVA7dDszW8zvUABYqx75I2LqFKPHmb/42KHpQX625euD0CdKfmseBGjE/S OSOpGlX67rFrTKOikTTkHj6brwqpcG8E/BbFfsBv9ICJ50F6im93UBOQOPBuIBJo ObVRdSOhMMrg2IHumU7PJePE/di3mYCGla4cQPINWcp+qwJR0zzyhsHh8NBsV+Ot KFddYTw4AONlAk9k7FTXrUZoLaAGH6v909uEYywd4bLxQD7hT4bHTx0Gzlp5E4Fn eawjRYnydic1F1uuqX33lw34d6+i6OFoR5chlYCNuxzNopZDVmeb0Viz7zt/hUJO nRdbXLhqB5wAVFYXRWHVpX8hahX33cbFq1jYVCzM40nF8llhc7w= =1o7C -----END PGP SIGNATURE----- --=-=-=--