Debian compatible disk permissions & UPG support (migrate LDAP to standard usergroup setup)
(Full reasoning below)
Basic trick: "when each user is in their own (private) group, the given group permissions on created files (umask) are moot until you write into a set-group-id directory."
I manually evaluated and tested this in a test install as far as I could; please help with fixing this in the appropriate FreedomBox tools.
(For testing, a script is available to create group directories: $518)
This lists the changes needed to make the FreedomBox LDAP users compatible with the Debian standards (and thus with the common Unix concept of user-private groups, or "pam_umask usergroups" in general):

- UPG scheme for newly created LDAP users (see the two modified functions for /usr/share/plinth/actions/users below).
- Configuration to work around vorlon/pam!3 (merged) (still broken pam_umask defaults): `echo "session optional pam_umask.so usergroups" >> /etc/pam.d/common-session`
- Migrating pre-existing LDAP users:
  - Create a group named as the user.
    Note: Arranging for GID == UID for UPGs is not mandatory, but would still provide some benefits, see https://wiki.debian.org/UserPrivateGroups#UPGs
  - Set the new group as the user's primary group, either with a new `/usr/share/plinth/actions/users **set-user-primary-group**` command, or just by ad-hoc `ldapsetprimarygroup` calls.
  - Re-add the user to group "users", in case the previous step dropped the membership completely.
- Bugfix: The group adjustments in the previous item are not visible in Plinth, and get overwritten again when saving the Plinth config page (probably the same reason and fix as in #1242).
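The "basic trick" quoted at the top of this report, and why the migration steps above matter, as an added shell example that is not part of the original report and not FreedomBox or Plinth code: `upg_umask` reproduces the rule pam_umask applies with the `usergroups` option (group bits of the umask become equal to the owner bits when the primary group is named like the user), and `collab_file_mode` shows that those group bits only take effect in a setgid collaboration directory. The user name `alice`, the mask values and the directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original report: the umask rule behind
# pam_umask's "usergroups" option, and the setgid directory that makes the
# resulting group bits matter. User and group names below are constructed.

# upg_umask MASK USER PRIMARY_GROUP
# pam_umask with "usergroups" applies the user-private-group rule: when the
# primary group is named like the user, the group bits of the umask are set
# equal to the owner bits (022 -> 002, 077 -> 007); otherwise MASK is kept.
# A FreedomBox LDAP user whose primary group is "users" therefore keeps 022.
upg_umask() {
    mask="$1"; user="$2"; group="$3"
    if [ "$user" = "$group" ]; then
        owner=$(printf '%s' "$mask" | cut -c1)
        other=$(printf '%s' "$mask" | cut -c3)
        printf '%s%s%s\n' "$owner" "$owner" "$other"
    else
        printf '%s\n' "$mask"
    fi
}

# collab_file_mode PARENT
# Create a setgid collaboration directory under PARENT, write a file into it
# with the UPG umask 002, and print the file's mode string. Because the
# directory is setgid (mode 2775), the file inherits the directory's group
# instead of the writer's primary group, and umask 002 leaves it group-writable.
collab_file_mode() {
    dir="$1/shared"
    mkdir -p "$dir"
    chmod 2775 "$dir"
    ( umask 002; : > "$dir/note.txt" )
    ls -l "$dir/note.txt" | cut -c1-10
}

# Stand-alone demo: "alice" in her private group "alice" (Debian UPG case), and
# the same user with the shared primary group "users" (current LDAP case).
echo "alice/alice umask 022 -> $(upg_umask 022 alice alice)"
echo "alice/users umask 022 -> $(upg_umask 022 alice users)"
tmp=$(mktemp -d)
echo "file in setgid dir: $(collab_file_mode "$tmp") (dir: $(ls -ld "$tmp/shared" | cut -c1-10))"
rm -rf "$tmp"
```

Without the UPG arrangement the second line keeps umask 022, so files written into the shared directory come out `-rw-r--r--` and collaborators in the directory's group cannot edit them; with it, the same write yields `-rw-rw-r--`, while files created anywhere else are still only readable by others because the user's private group has no other members.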
Reasoning
The current LDAP user scheme, which replaces instead of builds upon the default Debian scheme, causes multiple issues.

[NAS example: permission problems when moving storage directories between local machines and NAS storage, e.g. on external backup drives that are attachable at all places (NAS included), or when using both network LDAP accounts and local accounts on the clients.]

- The on-disk (e.g. /home) user data stored on filesystems with Unix permissions can't be directly used in standard Debian systems (no direct mapping, even if IDs match).
  - Irregularities when mounting a disk or share from a FreedomBox in a regular Debian.
- The current LDAP scheme does not support setting up group collaboration directories according to Debian's user-private-group (UPG) scheme.
- When client machines are set up to authenticate against a FreedomBox, the users can't participate in local file collaboration on the client machine either (no "usergroups" umask adjustment, even with the workaround for the current bug, https://wiki.debian.org/UserPrivateGroups).
  - Not getting the UPG umask on the client.
  - Irregularities within the permissions of different users' data.
- The LDAP scheme is simply incompatible with Debian's default user-private-group scheme (https://wiki.debian.org/FreedomBox/Configs/LDAP): the primary group of FreedomBox LDAP users is not their user-private group as on Debian systems. Instead, each user is explicitly assigned to the group "users".

(A detailed example of an LDAP user with a UPG, and of using the standard adduser tools to create compliant local users: https://docs.oracle.com/en/operating-systems/oracle-linux/7/admin/ol7-adduser-ldap.html)