Read and write permission were common ideas--even part of the Atlas paging hardware that was described before 1960. The original concept of time-sharing was to give a virtual computer to each user. When it became clear that sharing was an equally important aspect, owner/other permissions arose. I believe that was the case with Multics. Owner/other permissions were in PDP-11 Unix from the start. Group permissions arose from the ferment of daily talk in the Unix lab. How might the usual protections be extended to collaborative projects? Ken and Dennis deserve credit for the final implementation. Yet clean as the idea of groups was, it has been used only sporadically (in my experience). Execute permission (much overloaded in Unix) also dates back to the dawn of paging. One Unix innovation, due to Dennis, was the suid bit--the only patented feature in the Research system. It was instantly adopted for maintaining the Moo (a game now sold under the name "Master Mind") league standings table. One trouble with full-blown ACLs as required by NSA's Orange Book, is obscurity. It is hard (possibly NP- complete) to analyze the actual security of an ACL configuration. A common failing of Unix administration was a proliferation of suid-root programs, e.g. mail(1). I recall one system that had a hundred such programs. Sudo provided a way station between suid and ACLs. Doug
[-- Attachment #1: Type: text/plain, Size: 2916 bytes --] *Yet clean as the idea of groups was, it has been used only sporadically (in my experience).* As I recall it, the original "basic groups" were essentially "us" and "them". "Us" was everyone in the "in crowd", "them" was everyone else. Since the basic groups were rather extensive, it was prudent to turn group write permission off in your default umask. But that made groups rather clunky. You were in only one group at a time, so you had to "chgrp" to a select group, and then remember to set your umask to allow group write permission so others in the group could modify files. This changed when you could be in multiple groups at the same time (a BSD invention?), and your primary group automatically changed to the group owning your current working directory (iff you belonged to that group). This made it unnecessary to do an explicit chgrp in most cases. Having group write permission off in your default umask was now a nuisance. We fixed that by giving everyone an unshared primary group id, typically the same as the uid. It then became safe to make group write permission on by default. This made groups much more useful. Anyone in a group (but only those members) could create a directory owned by that group, and group members working in that directory defaulted to creating files (and subdirectories) group-owned by and writable by all the members of the group. It just worked. On Thu, Aug 1, 2019 at 8:36 AM Doug McIlroy <doug@cs.dartmouth.edu> wrote: > Read and write permission were common ideas--even part of > the Atlas paging hardware that was described before 1960. > The original concept of time-sharing was to give a virtual > computer to each user. When it became clear that sharing > was an equally important aspect, owner/other permissions > arose. I believe that was the case with Multics. > > Owner/other permissions were in PDP-11 Unix from the start. > Group permissions arose from the ferment of daily talk in > the Unix lab. How might the usual protections be extended > to collaborative projects? Ken and Dennis deserve credit > for the final implementation. Yet clean as the idea of groups > was, it has been used only sporadically (in my experience). > > Execute permission (much overloaded in Unix) also dates > back to the dawn of paging. One Unix innovation, due to > Dennis, was the suid bit--the only patented feature in > the Research system. It was instantly adopted for > maintaining the Moo (a game now sold under the name > "Master Mind") league standings table. > > One trouble with full-blown ACLs as required by NSA's > Orange Book, is obscurity. It is hard (possibly NP- > complete) to analyze the actual security of an ACL > configuration. > > A common failing of Unix administration was a proliferation > of suid-root programs, e.g. mail(1). I recall one system > that had a hundred such programs. Sudo provided a way > station between suid and ACLs. > > Doug > [-- Attachment #2: Type: text/html, Size: 3589 bytes --]
[-- Attachment #1: Type: text/plain, Size: 1992 bytes --] There's also the setgid bit on directories, that when files are created, they will be in the group that the parent directory has on it. Also, I don't think it's been mentioned, but there's the setuid bit on directories - otherwise known as the sticky bit. When set, even if you have rights to "write" the directory (meaning, delete files), you can't delete those owned by other users. Useful for /tmp I have no idea what the timeline is for either of these features :) On 8/1/2019 12:22 PM, John P. Linderman wrote: > > *Yet clean as the idea of groups was, it has been used only > sporadically (in my experience).* > > > As I recall it, the original "basic groups" were essentially "us" and > "them". "Us" was everyone in the "in crowd", "them" was everyone else. > Since the basic groups were rather extensive, it was prudent to turn > group write permission off in your default umask. But that made groups > rather clunky. You were in only one group at a time, so you had to > "chgrp" to a select group, and then remember to set your umask to > allow group write permission so others in the group could modify > files. This changed when you could be in multiple groups at the same > time (a BSD invention?), and your primary group automatically changed > to the group owning your current working directory (iff you belonged > to that group). This made it unnecessary to do an explicit chgrp in > most cases. Having group write permission off in your default umask > was now a nuisance. We fixed that by giving everyone an unshared > primary group id, typically the same as the uid. It then became safe > to make group write permission on by default. This made groups much > more useful. Anyone in a group (but only those members) could create a > directory owned by that group, and group members working in that > directory defaulted to creating files (and subdirectories) group-owned > by and writable by all the members of the group. It just worked. > [-- Attachment #2: Type: text/html, Size: 2960 bytes --]
On 08/01/19 08:35, Doug McIlroy wrote (in part):
> Yet clean as the idea of groups
> was, it has been used only sporadically (in my experience).
Interesting... we used groups extensively (qa, staging, dev, research,
release, ...) but never ACLs.
N.
On 8/1/2019 1:01 PM, Nemo Nusquam wrote:
> On 08/01/19 08:35, Doug McIlroy wrote (in part):
>> Yet clean as the idea of groups
>> was, it has been used only sporadically (in my experience).
> Interesting... we used groups extensively (qa, staging, dev, research,
> release, ...) but never ACLs.
I've had occasion to use groups extensively in various places I've
consulted. Defense Contractors, educational institutions, etc. That, and
quotas.
I've used Solaris ZFS ACLs, and Linux ACLs to solve many problems.
There's always an exception to the UNIX rule when it comes to
owner/group/world, and trying to corral users into that paradigm is not
always fruitful.
Although, in one case, a common storage area with both the setgid and
setuid bit on the parent, and various Engineering departments writing
files and directories to it, was a really cool solution to a problem
although it used secondary groups as well.
art k.
Two things killed off the adoption of groups as a widely-deployed ACL mechanism: 1) NFS, specifically its limits on the number of supplimentary groups the protocol supported, 2) Kernel limits on the number of supplimentary groups associated with a process (e.g. NGROUPS_MAX) --lyndon
On Thu, 1 Aug 2019, Doug McIlroy wrote:
> A common failing of Unix administration was a proliferation of suid-root
> programs, e.g. mail(1). I recall one system that had a hundred such
> programs. Sudo provided a way station between suid and ACLs.
I've always maintained that if you think you need setuid root (which is a
gaping chest wound), you can invariably get away with setgid instead.
ObTrivia: Back in the 80s, some third-party software needed to be
installed under "root". I was suspicious, but I had little choice but to
allow it (manager's orders; that company went under shortly after I left
them). Eventually I discovered why, when I had to clean up the mess: it
actually *unlinked* directories; yes, you read that right...
-- Dave
[Subject line changed] Hi. Doug McIlroy: > Yet clean as the idea of groups was, it has been used only sporadically > (in my experience). I suspect this was true mainly at Research, where the whole place was not large. Other people, as pointed out, found groups to be very useful. "John P. Linderman" <jpl.jpl@gmail.com> wrote: > This changed when you > could be in multiple groups at the same time (a BSD invention?), Yes, at 4.2 BSD. The so-called group set. > and your > primary group automatically changed to the group owning your current > working directory (iff you belonged to that group). No. Your process simply carried around a bunch of groups with it, and if the group of the directory matched the primary group or a member of the group set, you got group permission. Arthur Krewat <krewat@kilonet.net>: > There's also the setgid bit on directories, that when files are created, > they will be in the group that the parent directory has on it. IIRC this was a Sun invention. It was in SunOS 4.x, and may even have been in SunOS 3.x. > Also, I don't think it's been mentioned, but there's the setuid bit on > directories - otherwise known as the sticky bit. When set, even if you > have rights to "write" the directory (meaning, delete files), you can't > delete those owned by other users. Useful for /tmp Also a SunOS invention, IIRC. > I have no idea what the timeline is for either of these features :) Timeline is late 80s, SunOS 4.0, I believe. (Larry? :-) These ideas later propogated into SVR4 / Solaris, Linux and most (if not all) the other proprietary Unixes. HTH, Arnold
arnold@skeeve.com <arnold@skeeve.com> wrote: > Arthur Krewat <krewat@kilonet.net>: > > There's also the setgid bit on directories, that when files are created, > > they will be in the group that the parent directory has on it. > > IIRC this was a Sun invention. It was in SunOS 4.x, and may even have > been in SunOS 3.x. When Bill Joy added the "multi-group stuff" to BSD all directories became implicitly set-gid: https://svnweb.freebsd.org/csrg/sys/ufs/ffs/ffs_inode.c?r1=4818&r2=5855 This is in SCCS revision 4.8 so I think it appeared in 4.2BSD As I understand it, when group support was improved in System V they did not change creat() to match BSD but instead used the directory set-gid bit to provide opt-in BSD semantics. I don't know if this was in Solaris or earlier? > > Also, I don't think it's been mentioned, but there's the setuid bit on > > directories - otherwise known as the sticky bit. When set, even if you > > have rights to "write" the directory (meaning, delete files), you can't > > delete those owned by other users. Useful for /tmp > > Also a SunOS invention, IIRC. BSD again :-) SCCS revision 6.6 so I think it appeared in 4.3BSD https://svnweb.freebsd.org/csrg/sys/ufs/ffs/ufs_lookup.c?r1=15809&r2=16046 Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North Channel: Variable 1 to 3, becoming easterly or southeasterly 2 to 4 later. Smooth, occasionally slight at first in North Channel. Showers for a time near shore. Good.
On 8/2/2019 4:35 AM, arnold@skeeve.com wrote:
> [Subject line changed]
>
> Hi.
>
> Arthur Krewat <krewat@kilonet.net>:
>> There's also the setgid bit on directories, that when files are created,
>> they will be in the group that the parent directory has on it.
> IIRC this was a Sun invention. It was in SunOS 4.x, and may even have
> been in SunOS 3.x.
>
>> Also, I don't think it's been mentioned, but there's the setuid bit on
>> directories - otherwise known as the sticky bit. When set, even if you
>> have rights to "write" the directory (meaning, delete files), you can't
>> delete those owned by other users. Useful for /tmp
> Also a SunOS invention, IIRC.
>
>> I have no idea what the timeline is for either of these features :)
> Timeline is late 80s, SunOS 4.0, I believe. (Larry? :-)
>
> These ideas later propogated into SVR4 / Solaris, Linux and most (if not all)
> the other proprietary Unixes.
>
Makes a lot of sense. I just fired up my Consensys SVR4.2 VirtualBox
guest, and sure enough, neither the sticky bit, nor setgid work on
directories.
My first commercial experience with UNIX as a consultant was SunOS. I
had worked on Version 6 earlier, but that was purely personal and never
more than messing around with a uVAX a friend had brought home from work.
thanks for the info!
art k.
[-- Attachment #1: Type: text/plain, Size: 655 bytes --] On Fri, Aug 2, 2019 at 4:36 AM <arnold@skeeve.com> wrote: > Arthur Krewat <krewat@kilonet.net>: > > Also, I don't think it's been mentioned, but there's the setuid bit on > > directories - otherwise known as the sticky bit. When set, even if you > > have rights to "write" the directory (meaning, delete files), you can't > > delete those owned by other users. Useful for /tmp > > Also a SunOS invention, IIRC. > Nope, much older. It was a BSDism -- Cory Hall 11/70 actually (V6 originally) - wnj probably, but it may have been somebody like Asa Romberger or Bob Kriddle who were the admins. VAXen distributions picked it up and Sun got it from there. [-- Attachment #2: Type: text/html, Size: 1334 bytes --]
[-- Attachment #1: Type: text/plain, Size: 2336 bytes --] The best I can tell/remember is that groups went through 4 phases: 1.) No groups (earliest UNIX) [ I personally never used this except in the V0 retrocomputing] 2.) First group implementation (Thompson) [My first UNIX introduction was with this implementation] 3.) PWB 1.0 (Mashey version) [then saw this post PWB] 4.) BSD 4.2 (wnj version) [and lived this transistion] Each was a little different in semantics. As Doug mentioned, many sites (like Research) really did not need much and groups were really not used that widely. Thompson added something like the Project number of TOPS and some earlier systems. Truth is, it did not help much IMO. It was useful for grouping things like the binaries and keeping some more privileged programs from having to be setuid root. Mashey added features in PWB, primarily because of the RJE/Front end to the Mainframes and the need to have better protections/collections of certain items. But they still were much more like the DEC PPN, were you were running as a single group (i.e. the tuple UID/GID). This lasted a pretty long time, as it worked reasonably well for larger academic systems, where you had a user and were assigned a group, say for a course or class, you might be talking. If you looked at big 4.1 BSN Vaxen like at Purdue/Penn State, *etc.*, that how they were admin'd. But as Doug said, if you were still a small site, the use of groups was still pretty shallow. But, as part of the CSRG support for DARPA, there was a push from the community to have a list of groups that a user could be a part and you carried that list around in a more general manner. The big sites, in particular, were pushing for this because they were using groups as a major feature. wnj implemented same and it would go out widely in 4.2, although >>by memory<< that was in 4.1B or 4.1C first. It's possible Robert Elz may have brought that to Bill with his quota changes, but frankly I've forgotten. There was a lot of work being done to the FS at that point, much less Kirk's rewrite. But as UNIX went back to workstations, the need for a more general group system dropped away until the advent widely used distributed file systems like CMU's AFS and Sun's NFS. Then the concept of a user being in more than one group became much more de rigeur even on a small machine. Clem [-- Attachment #2: Type: text/html, Size: 3788 bytes --]
isn't Kirk McKusic a member of our group? Guess he can contribute a lot on this issue.
--- Ursprüngliche Nachricht ---
Von: Clem Cole <clemc@ccc.com>
Datum: 02.08.2019 15:28:18
An: Aharon Robbins <arnold@skeeve.com>, Doug McIlroy <doug@cs.dartmouth.edu>
Betreff: Re: [TUHS] Additional groups and additional directory permissions
> The best I can tell/remember is that groups went through 4 phases:
> 1.) No groups (earliest UNIX) [ I personally never used this except in the
>
> V0 retrocomputing]
> 2.) First group implementation (Thompson) [My first UNIX introduction was
>
> with this implementation]
> 3.) PWB 1.0 (Mashey version) [then saw this post PWB]
> 4.) BSD 4.2 (wnj version) [and lived this transistion]
>
> Each was a little different in semantics.
>
> As Doug mentioned, many sites (like Research) really did not need much and
>
> groups were really not used that widely. Thompson added something like
>
> the Project number of TOPS and some earlier systems. Truth is, it did not
>
> help much IMO. It was useful for grouping things like the binaries and
>
> keeping some more privileged programs from having to be setuid root.
>
> Mashey added features in PWB, primarily because of the RJE/Front end to the
>
> Mainframes and the need to have better protections/collections of certain
>
> items. But they still were much more like the DEC PPN, were you were
> running as a single group (i.e. the tuple UID/GID). This lasted a pretty
>
> long time, as it worked reasonably well for larger academic systems, where
>
> you had a user and were assigned a group, say for a course or class, you
>
> might be talking. If you looked at big 4.1 BSN Vaxen like at Purdue/Penn
>
> State, *etc.*, that how they were admin'd. But as Doug said, if you were
>
> still a small site, the use of groups was still pretty shallow.
>
> But, as part of the CSRG support for DARPA, there was a push from the
> community to have a list of groups that a user could be a part and you
> carried that list around in a more general manner. The big sites, in
> particular, were pushing for this because they were using groups as a major
>
> feature. wnj implemented same and it would go out widely in 4.2, although
>
> >>by memory<< that was in 4.1B or 4.1C first. It's possible
> Robert Elz
> may have brought that to Bill with his quota changes, but frankly I've
> forgotten. There was a lot of work being done to the FS at that point,
>
> much less Kirk's rewrite.
>
> But as UNIX went back to workstations, the need for a more general group
>
> system dropped away until the advent widely used distributed file systems
>
> like CMU's AFS and Sun's NFS. Then the concept of a user being in more
> than one group became much more de rigeur even on a small machine.
>
> Clem
>
Thomas Paulsen: isn't Kirk McKusic a member of our group? ==== Kirk is a member of many groups, all at the same time. Norman Wilson Toronto ON
> arnold@skeeve.com <arnold@skeeve.com> wrote: > > Arthur Krewat <krewat@kilonet.net>: > > > There's also the setgid bit on directories, that when files are created, > > > they will be in the group that the parent directory has on it. > > > > IIRC this was a Sun invention. It was in SunOS 4.x, and may even have > > been in SunOS 3.x. Tony Finch <dot@dotat.at> wrote: > When Bill Joy added the "multi-group stuff" to BSD all directories became > implicitly set-gid: Yes. But the commercial world had backwards compatibility to worry about. Thus the setgid bit on directories. I'm no longer sure who first came up with it. > As I understand it, when group support was improved in System V they did > not change creat() to match BSD but instead used the directory set-gid bit > to provide opt-in BSD semantics. I don't know if this was in Solaris or > earlier? Correct, but not sure when it was first done. > > > Also, I don't think it's been mentioned, but there's the setuid bit on > > > directories - otherwise known as the sticky bit. When set, even if you > > > have rights to "write" the directory (meaning, delete files), you can't > > > delete those owned by other users. Useful for /tmp > > > > Also a SunOS invention, IIRC. > > BSD again :-) SCCS revision 6.6 so I think it appeared in 4.3BSD That sounds right. I stand corrected. Thanks, Arnold
> Date: Fri, 2 Aug 2019 09:28:18 -0400
> From: Clem Cole <clemc@ccc.com>
> To: Aharon Robbins <arnold@skeeve.com>, Doug McIlroy <doug@cs.dartmouth.edu>
> Cc: The Eunuchs Hysterical Society <tuhs@tuhs.org>
> Subject: Re: [TUHS] Additional groups and additional directory permissions
>
> The best I can tell/remember is that groups went through 4 phases:
> 1.) No groups (earliest UNIX) [ I personally never used this except in the
> V0 retrocomputing]
> 2.) First group implementation (Thompson) [My first UNIX introduction was
> with this implementation]
> 3.) PWB 1.0 (Mashey version) [then saw this post PWB]
> 4.) BSD 4.2 (wnj version) [and lived this transistion]
>
> Each was a little different in semantics.
>
> As Doug mentioned, many sites (like Research) really did not need much and
> groups were really not used that widely. Thompson added something like
> the Project number of TOPS and some earlier systems. Truth is, it did not
> help much IMO. It was useful for grouping things like the binaries and
> keeping some more privileged programs from having to be setuid root.
>
> Mashey added features in PWB, primarily because of the RJE/Front end to the
> Mainframes and the need to have better protections/collections of certain
> items. But they still were much more like the DEC PPN, were you were
> running as a single group (i.e. the tuple UID/GID). This lasted a pretty
> long time, as it worked reasonably well for larger academic systems, where
> you had a user and were assigned a group, say for a course or class, you
> might be talking. If you looked at big 4.1 BSN Vaxen like at Purdue/Penn
> State, *etc.*, that how they were admin'd. But as Doug said, if you were
> still a small site, the use of groups was still pretty shallow.
>
> But, as part of the CSRG support for DARPA, there was a push from the
> community to have a list of groups that a user could be a part and you
> carried that list around in a more general manner. The big sites, in
> particular, were pushing for this because they were using groups as a major
> feature. wnj implemented same and it would go out widely in 4.2, although
> >>by memory<< that was in 4.1B or 4.1C first. It's possible Robert Elz
> may have brought that to Bill with his quota changes, but frankly I've
> forgotten. There was a lot of work being done to the FS at that point,
> much less Kirk's rewrite.
>
> But as UNIX went back to workstations, the need for a more general group
> system dropped away until the advent widely used distributed file systems
> like CMU's AFS and Sun's NFS. Then the concept of a user being in more
> than one group became much more de rigeur even on a small machine.
>
> Clem
Late to answer...
As far as I remember, Clem's description is correct. The filesystem
itself stores only one owner and one group ID. When checking access
to the file, the file owner is checked to see if the user ID matches.
If so, then the owner permissions are applied. If not then the group
array associated with the user is used to decide if the group of the
file matches one of the groups of which the user is a member and if
so the group permissions apply. Otherwise the other permissions are
used.
In BSD, the group assigned to the file is assigned from the group of
the directory in which it is created. The setgid flag can be set only
if that group is a member of the user's group array. The user can only
change the group ID to one that appears in their group array.
Until multiple group sets were added to System V, the group of the
file was taken from the gid assigned to the user at login.
Kirk McKusick
thanks a lot!
--- Ursprüngliche Nachricht ---
Von: Kirk McKusick <mckusick@mckusick.com>
Datum: 10.08.2019 06:02:51
An: Clem Cole <clemc@ccc.com>
Betreff: Re: [TUHS] Additional groups and additional directory permissions
>
> Late to answer...
>
> As far as I remember, Clem's description is correct. The filesystem
> itself stores only one owner and one group ID. When checking access
> to the file, the file owner is checked to see if the user ID matches.
> If so, then the owner permissions are applied. If not then the group
> array associated with the user is used to decide if the group of the
> file matches one of the groups of which the user is a member and if
> so the group permissions apply. Otherwise the other permissions are
> used.
>
> In BSD, the group assigned to the file is assigned from the group of
> the directory in which it is created. The setgid flag can be set only
> if that group is a member of the user's group array. The user can only
> change the group ID to one that appears in their group array.
>
> Until multiple group sets were added to System V, the group of the
> file was taken from the gid assigned to the user at login.
>
> Kirk McKusick
>