Re: mkdir() and group id

[Paul Jarc]

tb@becket.net (Thomas Bushnell, BSG) wrote:
> Oystein Viggen <oysteivi@tihlde.org> writes:
>> Combined with umask 002 (suggested by yourself), this gives members of
>> the wheel group write access to all files created in /tmp by default, as
>> these files will be writable for group root.
...
> In any case, this is the basic reason why the inherit-group property
> probably should be restricted to
> inherit-only-if-i'm-a-member-of-the-group.

Rather, I'd say this makes a case for SysV behavior: the group id
should be inherited in shared project directories, but not in global
/tmp-style directories.  So some directories can be setgid and others
not.

The restriction you mention would remove useful behavior.  Suppose a
user U is to create files writable by group G, but U is not a member
of G, because G has other access that U should not have.  With the
current inheritance behavior, root can set up a directory accessible
only by U, which contains a world-writable, setgid directory
group-owned by G.  U can create G-group-owned files in the directory
and set appropriate permissions on them, and then move them out to
other parts of the filesystem where members of G can reach them.  We
had a use for this exact behavior just yesterday at work.


paul