Red Hat Enterprise Linux uses a user
private group (UPG) scheme, which
makes UNIX groups easier to manage.
A UPG is created whenever a new user is added to the system. A
UPG has the same name as the user for which it was created and that
user is the only member of the UPG.
UPGs make it safe to set default permissions for a newly created
file or directory which allow both the user and that user's group to make modifications to the file
The setting which determines what permissions are applied to a
newly created file or directory is called a umask and is configured in the /etc/bashrc file. Traditionally on UNIX systems,
the umask is set to 022, which allows only the user who created the file
or directory to make modifications. Under this scheme, all other
users, including members of the creator's
group, are not allowed to make any modifications. However,
under the UPG scheme, this "group protection" is not necessary
since every user has their own private group.
Many IT organizations like to create a group for each major
project and then assign people to the group if they need to access
that project's files. Using this traditional scheme, managing files
has been difficult; when someone creates a file, it is associated
with the primary group to which they belong. When a single person
works on multiple projects, it is difficult to associate the right
files with the right group. Using the UPG scheme, however, groups
are automatically assigned to files created within a directory with
the setgid bit set. The setgid bit makes
managing group projects that share a common directory very simple
because any files a user creates within the directory are owned by
the group which owns the directory.
Lets say, for example, that a group of people work on files in
the /usr/lib/emacs/site-lisp/ directory.
Some people are trusted to modify the directory, but certainly not
everyone is trusted. First create an emacs group, as in the following
To associate the contents of the directory with the emacs group, type:
chown -R root.emacs /usr/lib/emacs/site-lisp
Now, it is possible to add the proper users to the group with
the gpasswd command:
/usr/bin/gpasswd -a <username> emacs
To allow users to create files within the directory, use the
chmod 775 /usr/lib/emacs/site-lisp
When a user creates a new file, it is assigned the group of the
user's default private group. Next, set the setgid bit, which
assigns everything created in the directory the same group
permission as the directory itself (emacs). Use the following command:
chmod 2775 /usr/lib/emacs/site-lisp
At this point, because each user's default umask is 002, all
members of the emacs group can
create and edit files in the /usr/lib/emacs/site-lisp/ directory without the
administrator having to change file permissions every time users
write new files.