
Re: [tlug] Feisty Upgrade, USB issues and other oddities



Dave M G writes:

 > 1. There is no "plugdev" group listed in the GUI. Does that mean the GUI 
 > can't see it for some reason, or that I don't have it. In the latter 
 > case, do I need to make one, or is it an indication that my system has 
 > some other way of handling what "plugdev" would do otherwise?

A system like Ubuntu will make the plugdev group for you if you need
it, either at system setup (aka upgrade) time or when you install a
package that depends on a plugdev group.  If it is a typical user
app, then normally the plugdev group would have all normal users added
to it automatically at creation (by convention, system users have uid
< 1000, the rest are normal users).

Failure to do so would be a bug.  You may have encountered a bug.
Count the legs and the number of eyes.  If #LEGS > 4 and #EYES >=8,
you have encountered a bug.  (Sorry for the little joke, but I don't
have any useful information, you'll need to get that from an Ubuntu
user.)

 > 2. Browsing around the groups, I notice that I'm not listed as a member 
 > in almost any of them. My computer is a single user system, my initial 
 > instinct is that there should not be anything on my computer that I'm 
 > not allowed to do. Or am I held back from access to some groups for 
 > security or stability reasons?

Both.  *You*, the human user, have the root password (and if not, you
have physical access to the boot media, which is even more powerful),
and as such are allowed to do anything.  Your Unix user is far more
restricted, but it should be able to do anything you want to do in
your daily work.

Most users and groups are created not to *allow* human users to do
something, but to *restrict* the power of automatic programs to do
*only* that something.  So if you have a "ldap" user which is a member
of the "ldap" group, then the "slapd" program will be made suid ldap,
and it can only write files which have ldap user write permission, or
ldap group write permission, or world write permission.  Thus, to know
that your personal files are safe from the daemonic slapd, you only
need to check that your uid and gid own them, and that the world write
bit is off.

Typically you will find that files owned by ldap:ldap are restricted
to a small hierarchy like /var/db/ldap, but often it may be useful for
something like ~/public_html/upload/ to be owned by dave:www-data
(that's the webserver user and group for Debian, YMMV), with
permissions drwxrwxr-x.  (Then you'll use .htaccess to further
restrict access in that directory.  You know that drill, right?  But
for .htaccess to be able to allow PUTs to that directory, it needs to
be +w for www-data.)

 > I also notice that "root", the only other user in my system, is not
 > a member of any groups either.

It doesn't need to be.
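The write check described in the reply above, as an added example that is not part of the original message nor of Ubuntu's or OpenLDAP's own tooling: a small Python model of the owner/group/other decision for a daemon identity, run first over a constructed sample tree that mirrors the dave:www-data layout the reply mentions, and then over a real throwaway directory.  The numeric ids (dave 1000, ldap 105, www-data 33), the paths and the file list are assumptions chosen for the example.

```python
"""Model of the Unix write check the reply describes (added example).

A program running as the "ldap" user/group can only write a file whose
owner, group or world bits grant write to that identity.  All uid/gid
numbers, paths and the sample tree here are constructed assumptions.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Identity:
    """Credentials a process runs with: uid plus every gid it holds."""
    uid: int
    gids: FrozenSet[int]


def can_write(ident: Identity, st_uid: int, st_gid: int, st_mode: int) -> bool:
    """Discretionary write check in the kernel's order.  Exactly one class
    (owner, group, other) applies, picked by uid first, then group
    membership, so a file you own with group/world write off is safe even
    if the daemon shares its group."""
    if ident.uid == 0:                      # root bypasses DAC entirely
        return True
    if st_uid == ident.uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in ident.gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


# (path, owner uid, group gid, mode): constructed sample mirroring the post.
Entry = Tuple[str, int, int, int]
SAMPLE_TREE: List[Entry] = [
    ("/home/dave/notes.txt",              1000, 1000, 0o644),  # dave:dave, world read-only
    ("/home/dave/scratch.log",            1000, 1000, 0o666),  # world write on: any daemon can scribble
    ("/home/dave/public_html/upload",     1000,   33, 0o775),  # dave:www-data, group write on purpose
    ("/home/dave/public_html/index.html", 1000,   33, 0o664),  # group write by accident
    ("/var/db/ldap/id2entry.bdb",          105,  105, 0o600),  # slapd's own data
]

# Assumed ids: dave is a normal user (uid >= 1000); ldap and www-data are
# system accounts (uid < 1000), following the convention the reply mentions.
DAVE = Identity(1000, frozenset({1000, 33}))
SLAPD = Identity(105, frozenset({105}))
WWW_DATA = Identity(33, frozenset({33}))


def writable_paths(ident: Identity, tree: Sequence[Entry]) -> List[str]:
    """Every path in `tree` that `ident` could open for writing."""
    return [p for p, u, g, m in tree if can_write(ident, u, g, m)]


def rule_of_thumb_safe(my_uid: int, my_gid: int, entry: Entry) -> bool:
    """The reply's quick test: owned by my uid and my gid, world write off.
    Sufficient against any daemon that is neither my uid nor in my primary
    group; it deliberately flags shared dave:www-data files too."""
    _, u, g, m = entry
    return u == my_uid and g == my_gid and not (m & stat.S_IWOTH)


def scan_tree(ident: Identity, root: str) -> List[str]:
    """Same check over a real directory.  lstat judges a symlink by its own
    mode instead of following it, so a link into /etc is not a hit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if can_write(ident, st.st_uid, st.st_gid, st.st_mode):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo_real_tree() -> List[str]:
    """Create a throwaway directory holding a private (0600) and a
    world-writable (0666) file, then scan it as a daemon identity that is
    guaranteed not to be the current user or group.  Returns the relative
    paths that identity could write."""
    stranger = Identity(os.getuid() + 1, frozenset({os.getgid() + 1}))
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("private.txt", 0o600), ("shared.log", 0o666)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("x\n")
            os.chmod(path, mode)
        return scan_tree(stranger, root)


if __name__ == "__main__":
    for who, ident in (("slapd", SLAPD), ("www-data", WWW_DATA), ("dave", DAVE)):
        print(f"{who:9s} can write: {writable_paths(ident, SAMPLE_TREE)}")
    print("rule-of-thumb safe:",
          [e[0] for e in SAMPLE_TREE if rule_of_thumb_safe(1000, 1000, e)])
    print("stranger can write in temp tree:", demo_real_tree())
```

The interactive equivalent of scan_tree over a home directory is two find(1) runs, `find ~ -perm -o+w` for the world write bit and `find ~ ! -user "$USER"` for files somebody else owns; the model above mainly adds the group case, which matters once a daemon is in one of your groups (or you in one of its), as with the dave:www-data upload directory.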


