Re: [TUHS] Additional groups and additional directory permissions

Re: [TUHS] Additional groups and additional directory permissions

[Norman Wilson]

Thomas Paulsen:

  isn't Kirk McKusic a member of our group?

====

Kirk is a member of many groups, all at the same time.

Norman Wilson
Toronto ON

Re: [TUHS] Additional groups and additional directory permissions

[Thomas Paulsen]

thanks a lot!

--- Ursprüngliche Nachricht ---
Von: Kirk McKusick <mckusick@mckusick.com>
Datum: 10.08.2019 06:02:51
An: Clem Cole <clemc@ccc.com>
Betreff: Re: [TUHS] Additional groups and additional directory permissions

>
> Late to answer...
>
> As far as I remember, Clem's description is correct. The filesystem
> itself stores only one owner and one group ID. When checking access
> to the file, the file owner is checked to see if the user ID matches.
> If so, then the owner permissions are applied. If not then the group
> array associated with the user is used to decide if the group of the
> file matches one of the groups of which the user is a member and if
> so the group permissions apply. Otherwise the other permissions are
> used.
>
> In BSD, the group assigned to the file is assigned from the group of
> the directory in which it is created. The setgid flag can be set only
> if that group is a member of the user's group array. The user can only
> change the group ID to one that appears in their group array.
>
> Until multiple group sets were added to System V, the group of the
> file was taken from the gid assigned to the user at login.
>
> 	Kirk McKusick
>

Re: [TUHS] Additional groups and additional directory permissions

[Kirk McKusick]

> Date: Fri, 2 Aug 2019 09:28:18 -0400
> From: Clem Cole <clemc@ccc.com>
> To: Aharon Robbins <arnold@skeeve.com>, Doug McIlroy <doug@cs.dartmouth.edu>
> Cc: The Eunuchs Hysterical Society <tuhs@tuhs.org>
> Subject: Re: [TUHS] Additional groups and additional directory permissions
> 
> The best I can tell/remember is that groups went through 4 phases:
> 1.) No groups (earliest  UNIX) [ I personally never used this except in the
> V0 retrocomputing]
> 2.) First group implementation (Thompson) [My first UNIX introduction was
> with this implementation]
> 3.) PWB 1.0 (Mashey version) [then saw this post PWB]
> 4.) BSD 4.2 (wnj version) [and lived this transistion]
> 
> Each was a little different in semantics.
> 
> As Doug mentioned, many sites (like Research) really did not need much and
> groups were really not used that widely.   Thompson added something like
> the Project number of TOPS and some earlier systems.  Truth is, it did not
> help much IMO.   It was useful for grouping things like the binaries and
> keeping some more privileged programs from having to be setuid root.
> 
> Mashey added features in PWB, primarily because of the RJE/Front end to the
> Mainframes and the need to have better protections/collections of certain
> items.   But they still were much more like the DEC PPN, were you were
> running as a single group (i.e. the tuple UID/GID).  This lasted a pretty
> long time, as it worked reasonably well for larger academic systems, where
> you had a user and were assigned a group, say for a course or class, you
> might be talking.  If you looked at big 4.1 BSN Vaxen like at Purdue/Penn
> State, *etc.*, that how they were admin'd.  But as Doug said, if you were
> still a small site, the use of groups was still pretty shallow.
> 
> But, as part of the CSRG support for DARPA, there was a push from the
> community to have a list of groups that a user could be a part and you
> carried that list around in a more general manner.   The big sites, in
> particular, were pushing for this because they were using groups as a major
> feature.  wnj implemented same and it would go out widely in 4.2, although
> >>by memory<< that was in 4.1B or 4.1C first.   It's possible Robert Elz
> may have brought that to Bill with his quota changes, but frankly I've
> forgotten.   There was a lot of work being done to the FS at that point,
> much less Kirk's rewrite.
> 
> But as UNIX went back to workstations, the need for a more general group
> system dropped away until the advent widely used distributed file systems
> like CMU's AFS and Sun's NFS.  Then the concept of a user being in more
> than one group became much more de rigeur even on a small machine.
> 
> Clem

Late to answer...

As far as I remember, Clem's description is correct. The filesystem
itself stores only one owner and one group ID. When checking access
to the file, the file owner is checked to see if the user ID matches.
If so, then the owner permissions are applied. If not then the group
array associated with the user is used to decide if the group of the
file matches one of the groups of which the user is a member and if
so the group permissions apply. Otherwise the other permissions are
used.

In BSD, the group assigned to the file is assigned from the group of
the directory in which it is created. The setgid flag can be set only
if that group is a member of the user's group array. The user can only
change the group ID to one that appears in their group array.

Until multiple group sets were added to System V, the group of the
file was taken from the gid assigned to the user at login.

	Kirk McKusick

Re: [TUHS] Additional groups and additional directory permissions

[arnold]

> arnold@skeeve.com <arnold@skeeve.com> wrote:
> > Arthur Krewat <krewat@kilonet.net>:
> > > There's also the setgid bit on directories, that when files are created,
> > > they will be in the group that the parent directory has on it.
> >
> > IIRC this was a Sun invention. It was in SunOS 4.x, and may even have
> > been in SunOS 3.x.

Tony Finch <dot@dotat.at> wrote:
> When Bill Joy added the "multi-group stuff" to BSD all directories became
> implicitly set-gid:

Yes.  But the commercial world had backwards compatibility to worry about.
Thus the setgid bit on directories. I'm no longer sure who first came
up with it.

> As I understand it, when group support was improved in System V they did
> not change creat() to match BSD but instead used the directory set-gid bit
> to provide opt-in BSD semantics. I don't know if this was in Solaris or
> earlier?

Correct, but not sure when it was first done.

> > > Also, I don't think it's been mentioned, but there's the setuid bit on
> > > directories - otherwise known as the sticky bit. When set, even if you
> > > have rights to "write" the directory (meaning, delete files), you can't
> > > delete those owned by other users. Useful for /tmp
> >
> > Also a SunOS invention, IIRC.
>
> BSD again :-) SCCS revision 6.6 so I think it appeared in 4.3BSD

That sounds right. I stand corrected.

Thanks,

Arnold

Re: [TUHS] Additional groups and additional directory permissions

[Thomas Paulsen]

isn't Kirk McKusic a member of our group? Guess he can contribute a lot on this issue.

--- Ursprüngliche Nachricht ---
Von: Clem Cole <clemc@ccc.com>
Datum: 02.08.2019 15:28:18
An: Aharon Robbins <arnold@skeeve.com>, Doug McIlroy <doug@cs.dartmouth.edu>
Betreff: Re: [TUHS] Additional groups and additional directory permissions

> The best I can tell/remember is that groups went through 4 phases:
> 1.) No groups (earliest  UNIX) [ I personally never used this except in the
>
> V0 retrocomputing]
> 2.) First group implementation (Thompson) [My first UNIX introduction was
>
> with this implementation]
> 3.) PWB 1.0 (Mashey version) [then saw this post PWB]
> 4.) BSD 4.2 (wnj version) [and lived this transistion]
>
> Each was a little different in semantics.
>
> As Doug mentioned, many sites (like Research) really did not need much and
>
> groups were really not used that widely.   Thompson added something like
>
> the Project number of TOPS and some earlier systems.  Truth is, it did not
>
> help much IMO.   It was useful for grouping things like the binaries and
>
> keeping some more privileged programs from having to be setuid root.
>
> Mashey added features in PWB, primarily because of the RJE/Front end to the
>
> Mainframes and the need to have better protections/collections of certain
>
> items.   But they still were much more like the DEC PPN, were you were
> running as a single group (i.e. the tuple UID/GID).  This lasted a pretty
>
> long time, as it worked reasonably well for larger academic systems, where
>
> you had a user and were assigned a group, say for a course or class, you
>
> might be talking.  If you looked at big 4.1 BSN Vaxen like at Purdue/Penn
>
> State, *etc.*, that how they were admin'd.  But as Doug said, if you were
>
> still a small site, the use of groups was still pretty shallow.
>
> But, as part of the CSRG support for DARPA, there was a push from the
> community to have a list of groups that a user could be a part and you
> carried that list around in a more general manner.   The big sites, in
> particular, were pushing for this because they were using groups as a major
>
> feature.  wnj implemented same and it would go out widely in 4.2, although
>
> >>by memory<< that was in 4.1B or 4.1C first.   It's possible
> Robert Elz
> may have brought that to Bill with his quota changes, but frankly I've
> forgotten.   There was a lot of work being done to the FS at that point,
>
> much less Kirk's rewrite.
>
> But as UNIX went back to workstations, the need for a more general group
>
> system dropped away until the advent widely used distributed file systems
>
> like CMU's AFS and Sun's NFS.  Then the concept of a user being in more
> than one group became much more de rigeur even on a small machine.
>
> Clem
>

Re: [TUHS] Additional groups and additional directory permissions

[Clem Cole]

[-- Attachment #1: Type: text/plain, Size: 2336 bytes --]

The best I can tell/remember is that groups went through 4 phases:
1.) No groups (earliest  UNIX) [ I personally never used this except in the
V0 retrocomputing]
2.) First group implementation (Thompson) [My first UNIX introduction was
with this implementation]
3.) PWB 1.0 (Mashey version) [then saw this post PWB]
4.) BSD 4.2 (wnj version) [and lived this transistion]

Each was a little different in semantics.

As Doug mentioned, many sites (like Research) really did not need much and
groups were really not used that widely.   Thompson added something like
the Project number of TOPS and some earlier systems.  Truth is, it did not
help much IMO.   It was useful for grouping things like the binaries and
keeping some more privileged programs from having to be setuid root.

Mashey added features in PWB, primarily because of the RJE/Front end to the
Mainframes and the need to have better protections/collections of certain
items.   But they still were much more like the DEC PPN, were you were
running as a single group (i.e. the tuple UID/GID).  This lasted a pretty
long time, as it worked reasonably well for larger academic systems, where
you had a user and were assigned a group, say for a course or class, you
might be talking.  If you looked at big 4.1 BSN Vaxen like at Purdue/Penn
State, *etc.*, that how they were admin'd.  But as Doug said, if you were
still a small site, the use of groups was still pretty shallow.

But, as part of the CSRG support for DARPA, there was a push from the
community to have a list of groups that a user could be a part and you
carried that list around in a more general manner.   The big sites, in
particular, were pushing for this because they were using groups as a major
feature.  wnj implemented same and it would go out widely in 4.2, although
>>by memory<< that was in 4.1B or 4.1C first.   It's possible Robert Elz
may have brought that to Bill with his quota changes, but frankly I've
forgotten.   There was a lot of work being done to the FS at that point,
much less Kirk's rewrite.

But as UNIX went back to workstations, the need for a more general group
system dropped away until the advent widely used distributed file systems
like CMU's AFS and Sun's NFS.  Then the concept of a user being in more
than one group became much more de rigeur even on a small machine.

Clem

[-- Attachment #2: Type: text/html, Size: 3788 bytes --]

Re: [TUHS] Additional groups and additional directory permissions

[Clem Cole]

[-- Attachment #1: Type: text/plain, Size: 655 bytes --]

On Fri, Aug 2, 2019 at 4:36 AM <arnold@skeeve.com> wrote:

> Arthur Krewat <krewat@kilonet.net>:
> > Also, I don't think it's been mentioned, but there's the setuid bit on
> > directories - otherwise known as the sticky bit. When set, even if you
> > have rights to "write" the directory (meaning, delete files), you can't
> > delete those owned by other users. Useful for /tmp
>
> Also a SunOS invention, IIRC.
>
Nope, much older.  It was a BSDism -- Cory Hall 11/70 actually (V6
originally) - wnj probably, but it may have been somebody like Asa
Romberger or Bob Kriddle who were the admins.  VAXen distributions picked
it up and Sun got it from there.

[-- Attachment #2: Type: text/html, Size: 1334 bytes --]

Re: [TUHS] Additional groups and additional directory permissions

[Arthur Krewat]

On 8/2/2019 4:35 AM, arnold@skeeve.com wrote:
> [Subject line changed]
>
> Hi.
>
> Arthur Krewat <krewat@kilonet.net>:
>> There's also the setgid bit on directories, that when files are created,
>> they will be in the group that the parent directory has on it.
> IIRC this was a Sun invention. It was in SunOS 4.x, and may even have
> been in SunOS 3.x.
>
>> Also, I don't think it's been mentioned, but there's the setuid bit on
>> directories - otherwise known as the sticky bit. When set, even if you
>> have rights to "write" the directory (meaning, delete files), you can't
>> delete those owned by other users. Useful for /tmp
> Also a SunOS invention, IIRC.
>
>> I have no idea what the timeline is for either of these features :)
> Timeline is late 80s, SunOS 4.0, I believe. (Larry? :-)
>
> These ideas later propogated into SVR4 / Solaris, Linux and most (if not all)
> the other proprietary Unixes.
>

Makes a lot of sense. I just fired up my Consensys SVR4.2 VirtualBox 
guest, and sure enough, neither the sticky bit, nor setgid work on 
directories.

My first commercial experience with UNIX as a consultant was SunOS. I 
had worked on Version 6 earlier, but that was purely personal and never 
more than messing around with a uVAX a friend had brought home from work.

thanks for the info!
art k.

Re: [TUHS] Additional groups and additional directory permissions

[Tony Finch]

arnold@skeeve.com <arnold@skeeve.com> wrote:
> Arthur Krewat <krewat@kilonet.net>:
> > There's also the setgid bit on directories, that when files are created,
> > they will be in the group that the parent directory has on it.
>
> IIRC this was a Sun invention. It was in SunOS 4.x, and may even have
> been in SunOS 3.x.

When Bill Joy added the "multi-group stuff" to BSD all directories became
implicitly set-gid:

https://svnweb.freebsd.org/csrg/sys/ufs/ffs/ffs_inode.c?r1=4818&r2=5855

This is in SCCS revision 4.8 so I think it appeared in 4.2BSD

As I understand it, when group support was improved in System V they did
not change creat() to match BSD but instead used the directory set-gid bit
to provide opt-in BSD semantics. I don't know if this was in Solaris or
earlier?

> > Also, I don't think it's been mentioned, but there's the setuid bit on
> > directories - otherwise known as the sticky bit. When set, even if you
> > have rights to "write" the directory (meaning, delete files), you can't
> > delete those owned by other users. Useful for /tmp
>
> Also a SunOS invention, IIRC.

BSD again :-) SCCS revision 6.6 so I think it appeared in 4.3BSD

https://svnweb.freebsd.org/csrg/sys/ufs/ffs/ufs_lookup.c?r1=15809&r2=16046

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North
Channel: Variable 1 to 3, becoming easterly or southeasterly 2 to 4 later.
Smooth, occasionally slight at first in North Channel. Showers for a time near
shore. Good.

[TUHS] Additional groups and additional directory permissions

[arnold]

[Subject line changed]

Hi.

Doug McIlroy:
> Yet clean as the idea of groups was, it has been used only sporadically
> (in my experience).

I suspect this was true mainly at Research, where the whole place was
not large. Other people, as pointed out, found groups to be very useful.

"John P. Linderman" <jpl.jpl@gmail.com> wrote:
> This changed when you
> could be in multiple groups at the same time (a BSD invention?),

Yes, at 4.2 BSD. The so-called group set.

> and your
> primary group automatically changed to the group owning your current
> working directory (iff you belonged to that group).

No. Your process simply carried around a bunch of groups with it, and if
the group of the directory matched the primary group or a member of the
group set, you got group permission.

Arthur Krewat <krewat@kilonet.net>:
> There's also the setgid bit on directories, that when files are created, 
> they will be in the group that the parent directory has on it.

IIRC this was a Sun invention. It was in SunOS 4.x, and may even have
been in SunOS 3.x.

> Also, I don't think it's been mentioned, but there's the setuid bit on 
> directories - otherwise known as the sticky bit. When set, even if you 
> have rights to "write" the directory (meaning, delete files), you can't 
> delete those owned by other users. Useful for /tmp

Also a SunOS invention, IIRC.

> I have no idea what the timeline is for either of these features :)

Timeline is late 80s, SunOS 4.0, I believe. (Larry? :-)

These ideas later propogated into SVR4 / Solaris, Linux and most (if not all)
the other proprietary Unixes.

HTH,

Arnold