A common problem I've encountered when setting up NixOS servers for collaboration comes down to two issues:
- There's no default primary group created for each user.
- The home folder doesn't have the setgid bit set for that group.
This is the out-of-the-box behavior on Debian systems. If your username is 'alice':
drwx------ 38 alice alice 4.0K Jul 31 11:01 alice
but on NixOS:
drwx------ 38 alice users 4.0K Jul 31 11:01 alice
The relevant Linux rule is the one for default group ownership, not the setuid bit: when a user creates a file it is owned by that user and by the user's primary group. On NixOS that primary group is the shared 'users' group, so every new file is group-owned by every login on the machine. If the parent directory has the setgid bit set, new files and subdirectories instead inherit the directory's group (and subdirectories inherit the setgid bit), so the whole tree stays in one group. With a per-user group this allows controlled collaboration: add other users to your user group and give the group access to the directory.
It's quite painful to configure a NixOS system to do this when you already have a lot of data that needs to be migrated.
I resolved this by:
find . -type d -exec chmod 2770 {} +
But this still requires setting the umask on systemd services, and sometimes ACLs.
So what am I proposing?
- By default, create a group for each users.users.$USER instance.
- By default, /home/$USER should have the setgid bit set (and its group ownership should be the user's group).
- Some systemd services, such as Syncthing, should have a default umask of 0007.
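As an added example (not configuration from the original post), here is a NixOS module that applies the three proposed defaults to a fixed list of collaborating users. The usernames alice and bob are placeholders, and the users.users.<name>.homeMode option is assumed to be available (NixOS 22.11 and later). Remember that the setgid bit only affects files created after it is set; existing data still has to be chgrp'ed to the user's group and given group permissions, as the find command above does for directories.

```nix
# Added example, not part of the original post.
# Assumptions: "alice" and "bob" are placeholder usernames;
# users.users.<name>.homeMode exists (NixOS 22.11 and later).
{ config, lib, pkgs, ... }:

let
  collabUsers = [ "alice" "bob" ];
in
{
  # 1. One private group per user, named after the user, so that a file's
  #    default group no longer means "every login on the box" (the shared
  #    'users' group). Collaboration then becomes a membership decision:
  #    bob may work inside alice's tree because he is in her group.
  users.groups = lib.genAttrs collabUsers (_: { }) // {
    alice.members = [ "bob" ];
  };

  # 2. Each user's primary group is their own group, and the home directory
  #    is owned by user:group with mode 2770 (setgid + rwx for owner and
  #    group, nothing for others). New files and subdirectories inherit the
  #    group, so shared data stays in the group without per-file chgrp.
  users.users = lib.genAttrs collabUsers (name: {
    isNormalUser = true;   # implies createHome = true
    group = name;          # primary group is the per-user group, not 'users'
    homeMode = "2770";     # assumed to accept a 4-digit mode including setgid
  });

  # 3. A service that writes into a user's tree must run as a member of that
  #    group and mask off only the "other" bits. With UMask=0007 it creates
  #    files as 0660 and directories as 2770 (setgid inherited from the
  #    parent), so other group members can edit what it writes.
  services.syncthing = {
    enable = true;
    user = "alice";        # illustrative: run the service as the collaborating user
    group = "alice";
  };
  systemd.services.syncthing.serviceConfig.UMask = "0007";
}
```

Without the UMask line, the service keeps systemd's default umask of 0022 and creates group-read-only files (0644), which defeats the per-user group even when the directory itself is 2770; this is the gap the author describes as still needing a umask or ACLs after the chmod.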