setgid - its current use

setgid - its current use

[Dhruv Gami]

Hello Everyone,

A long time back there was discussion over setuid/setgid and how its been 
replaced by Capabilities (This is what i understood from the 
archives...please correct me if im wrong).

I'd like to know the possibility of using setgid for users to switch their 
groups and work as a member of a particular group. Essentially, if i want 
one user, who belongs to groups X, Y and Z to create a file as a member of 
group Y while he's logged on as a member of group X, would it be possible 
through setgid() ? 

would i need to change all programs that need this capability ? 

or is there a way in the kernel do achieve this ? 

Can i use capabilities in some way to achieve this ?

Any pointers would be really helpful. i don't mind reading up on heavy 
documentation, if i only know where to look. 

Also, im not subscribed to this list, so I'd appreciate it if replies 
could be CC'd to gami@d10systems.com. If there's any other information 
that I should provide to clarify my question, please let me know.

Thanks !

regards,
Gami
-- 
Dhruv Gami
http://d10systems.com
http://d10systems.com/gami

Re: setgid - its current use

[Denis Vlasenko]

On Thursday 08 April 2004 04:46, Dhruv Gami wrote:
> Hello Everyone,
>
> A long time back there was discussion over setuid/setgid and how its been
> replaced by Capabilities (This is what i understood from the
> archives...please correct me if im wrong).
>
> I'd like to know the possibility of using setgid for users to switch their
> groups and work as a member of a particular group. Essentially, if i want
> one user, who belongs to groups X, Y and Z to create a file as a member of
> group Y while he's logged on as a member of group X, would it be possible
> through setgid() ?

it is possible through chmod
-- 
vda

Re: setgid - its current use

[Dhruv Gami]

On Thu, 8 Apr 2004, Denis Vlasenko wrote:

> On Thursday 08 April 2004 04:46, Dhruv Gami wrote:
> > I'd like to know the possibility of using setgid for users to switch their
> > groups and work as a member of a particular group. Essentially, if i want
> > one user, who belongs to groups X, Y and Z to create a file as a member of
> > group Y while he's logged on as a member of group X, would it be possible
> > through setgid() ?
> 
> it is possible through chmod

but that would be an explicit way of doing it, right ? I'm looking for 
doing this via some system calls or something transparent to the user. At 
most I'd like to query the user for the group as which he wants to work. 
Which would essentially be a question I ask at login or beginning of a 
session.

regards,
Gami 

-- 
Dhruv Gami
D10 Systems
http://d10systems.com
http://d10systems.com/gami

Re: setgid - its current use

[Miquel van Smoorenburg]

In article <Pine.LNX.4.58.0404072304500.14350@d10systems.homelinux.com>,
Dhruv Gami  <gami@d10systems.com> wrote:
>On Thu, 8 Apr 2004, Denis Vlasenko wrote:
>
>> On Thursday 08 April 2004 04:46, Dhruv Gami wrote:
>> > I'd like to know the possibility of using setgid for users to switch their
>> > groups and work as a member of a particular group. Essentially, if i want
>> > one user, who belongs to groups X, Y and Z to create a file as a member of
>> > group Y while he's logged on as a member of group X, would it be possible
>> > through setgid() ?
>> 
>> it is possible through chmod
>
>but that would be an explicit way of doing it, right ? I'm looking for 
>doing this via some system calls or something transparent to the user. At 
>most I'd like to query the user for the group as which he wants to work. 
>Which would essentially be a question I ask at login or beginning of a 
>session.

"man newgrp(1)".

Mike.

Re: setgid - its current use

[Jesse Pollard]

On Wednesday 07 April 2004 22:06, Dhruv Gami wrote:
> On Thu, 8 Apr 2004, Denis Vlasenko wrote:
> > On Thursday 08 April 2004 04:46, Dhruv Gami wrote:
> > > I'd like to know the possibility of using setgid for users to switch
> > > their groups and work as a member of a particular group. Essentially,
> > > if i want one user, who belongs to groups X, Y and Z to create a file
> > > as a member of group Y while he's logged on as a member of group X,
> > > would it be possible through setgid() ?
> >
> > it is possible through chmod
>
> but that would be an explicit way of doing it, right ? I'm looking for
> doing this via some system calls or something transparent to the user. At
> most I'd like to query the user for the group as which he wants to work.
> Which would essentially be a question I ask at login or beginning of a
> session.

You want the "newgrp" utility.

>From the manpage:

       Newgrp  changes  the group identification of its caller, analogously to
       login(1).  The same person remains logged in, and the current directory
       is  unchanged, but calculations of access permissions to files are per-
       formed with respect to the new group ID.

       If no group is specified, the GID is changed to the login GID.

Re: setgid - its current use

[Albert Cahalan]

Dhruv Gami writes:
> On Thu, 8 Apr 2004, Denis Vlasenko wrote:
>> On Thursday 08 April 2004 04:46, Dhruv Gami wrote:

>>> I'd like to know the possibility of using setgid for users
>>> to switch their groups and work as a member of a particular
>>> group. Essentially, if i want one user, who belongs to
>>> groups X, Y and Z to create a file as a member of group Y
>>> while he's logged on as a member of group X, would it be
>>> possible through setgid() ?
>>
>> it is possible through chmod
>
> but that would be an explicit way of doing it, right ?
> I'm looking for doing this via some system calls or something
> transparent to the user. At  most I'd like to query the user
> for the group as which he wants to work. Which would
> essentially be a question I ask at login or beginning of a 
> session.

I think you need user-private groups and setgid directories.

First of all, ensure that each user has a group of
their own. Do NOT put all users into a "users" group.
So user "gami" would be in group "gami", or maybe
a "gami_group" group if you prefer. Have the home
directories owned by these groups.

Second, set the umask to allow group write access.
(this is why you need the user-private groups)

Now suppose you have two users, bill and tom,
who need to work together on the spamming project.
Create a group called "spamming". Create a project
directory /projects/spamming owned by root and
in the spamming group. Make this directory setgid
and group writable. Any files created in this
directory will be owned by the spamming group.
Due to the umask setting, permissions on these
new files will allow access by all group members.
The setgid bit will propagate to any newly created
directories, but not to newly created files.

Re: setgid - its current use

[Rob Couto]

> I think you need user-private groups and setgid directories.
>
> First of all, ensure that each user has a group of
> their own. Do NOT put all users into a "users" group.
> So user "gami" would be in group "gami", or maybe
> a "gami_group" group if you prefer. Have the home
> directories owned by these groups.
>
> Second, set the umask to allow group write access.
> (this is why you need the user-private groups)
>
> Now suppose you have two users, bill and tom,
> who need to work together on the spamming project.
> Create a group called "spamming". Create a project
> directory /projects/spamming owned by root and
> in the spamming group. Make this directory setgid
> and group writable. Any files created in this
> directory will be owned by the spamming group.
> Due to the umask setting, permissions on these
> new files will allow access by all group members.
> The setgid bit will propagate to any newly created
> directories, but not to newly created files.
>

that must be the fine-grained control _i_ was after!! thank you... and we 
thought mandrake was a little stupid for doing new users that way... neural 
oops 

-- 
Rob Couto [rpc@cafe4111.org]
Rules for computing success:
1) Attitude is no substitute for competence.
2) Ease of use is no substitute for power.
3) Safety matters; use a static-free hammer.
--