The /etc/group file contains the database that lists every group on your computer and its corresponding GID. Its format is similar to the format used by the /etc/passwd file. Here is an /etc/group file from RHEL 5.5:
# cat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root,joeadmin
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
nscd:x:28:
floppy:x:19:
vcsa:x:69:
audio:x:63:gdm
utmp:x:22:
rpc:x:32:
mailnull:x:47:
smmsp:x:51:
pcap:x:77:
utempter:x:35:
slocate:x:21:
ntp:x:38:
sshd:x:74:
rpcuser:x:29:
nfsnobody:x:4294967294:
dbus:x:81:
avahi:x:70:
haldaemon:x:68:
avahi-autoipd:x:101:
distcache:x:94:
apache:x:48:
webalizer:x:67:
squid:x:23:
oprofile:x:16:
xfs:x:43:
gdm:x:42:
sabayon:x:86:
stapdev:x:102:
stapusr:x:103:
screen:x:84:
joeadmin:x:324547:
dba:x:5001:oracle
oinstall:x:5002:oracle
ovwebgrp:x:5003:
opcgrp:x:78:
Note that this sample also defines the wheel group (wheel:x:10:root,joeadmin), which is discussed below.
Like /etc/passwd, /etc/group is an ASCII file. Each record occupies a single line and consists of four colon-separated fields:
1. The group name.
2. The group's "password". On modern systems this field normally contains x, meaning that the real entry lives in /etc/gshadow, which is readable only by root; a hash left in the world-readable /etc/group can be cracked offline. The mechanism itself survives and remains a security liability. Every group can have administrators, members and a password; see gpasswd. The superuser defines group administrators with gpasswd -A and the member list with gpasswd -M, and has all the rights of both; a group administrator can add and remove members with gpasswd -a and -d, and set (gpasswd group) or remove (gpasswd -r) the group password.
Group passwords are an inherent security problem, since more than one person is permitted to know the password, and anyone who learns it can join the group with newgrp without ever appearing in the member list. A group with no password admits only its listed members. Groups themselves, however, are a useful tool for permitting co-operation between different users.
The newgrp command changes the current primary group ID of the user for the rest of the current session. If the optional - flag is given, the user's environment is reinitialized as though the user had logged in; otherwise the current environment, including the current working directory, remains unchanged.
3. The group's GID.
4. The list of users who are members of the group, separated by commas without spaces.
The groups command displays group memberships for a user. Its format is groups [user ...]. With no argument it shows the groups you are a member of; to list the groups of a specific user, give the user's name as an argument, for example groups user5. The first group printed is the user's primary group from /etc/passwd; the rest are the supplementary groups that list the user in /etc/group.
Several groups, called system groups, are used to partition ownership of system files: binaries, libraries, drivers, logs and so on. In Red Hat there are four such groups, although Red Hat itself does not use the group bin as the group owner of executables (many commercial applications installed on Red Hat do):
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
Because Red Hat uses User Private Groups (one private group per user) and ships many service accounts, the number of groups in an initial install is much larger than in older Unixes like Solaris, AIX or HP-UX. For example, an HP-UX /etc/group file is fairly minimalistic:
root::0:root
other::1:root,hpdb
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
mail::6:root
lp::7:root,lp
tty::10:
nuucp::11:nuucp
users::20:root
nogroup:*:-2:
smbnull::101:
cimsrvr::102:
sshd::103:
hpsmh::104:
dba::500:
oinstall::501:oracle
tftp::105:
log::333:
On Linux since kernel 2.6.4 a user can belong to up to 65536 supplementary groups (NGROUPS_MAX; before that the limit was 32). On Solaris the number of supplementary groups, also known as secondary groups, is set by the kernel parameter ngroups_max, which traditionally defaults to 16.
The following is an example of the Solaris /etc/group file:
root::0:root
other::1:
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
sysadmin::14:
smmsp::25:smmsp
nobody::60001:
noaccess::60002:
nogroup::65534:
In Solaris GID numbers 0 to 99, 60001, 60002 and 65534 are reserved for system group entries; user-defined groups range from 100 to 60000. The maximum number of groups per user is set by the kernel parameter ngroups_max, which can be raised in /etc/system to allow up to 32 groups. Not all applications can handle memberships beyond 16 groups, however: NFS with the default AUTH_SYS authentication is the notable example, since the RPC credential carries at most 16 GIDs and the server silently ignores the rest.
As with ports, the lower the number, the more powerful the group tends to be. Groups such as bin, adm, daemon and sys are often called system groups. The least privileged groups are nobody, nogroup and nfsnobody; the user and group nobody typically own no files at all. Their GID is usually the highest number the particular OS supports, and is sometimes written as a negative number that wraps around to that value, for example nogroup:*:-2: in the HP-UX sample above: -2 is 65534 with 16-bit GIDs and 4294967294 with 32-bit GIDs, which is why nfsnobody in the RHEL sample above has GID 4294967294.
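As an added example (not code from the original page or from any vendor discussed here), the following Python script parses the four-field /etc/group format described above together with the matching /etc/gshadow format used by gpasswd, reproduces what groups prints for a user, and audits the problems raised in this page: a password hash left in world-readable /etc/group, a group password set in /etc/gshadow that lets non-members newgrp in, group administrators who can add members, duplicate GIDs, and negative GIDs such as the -2 of nogroup discussed just above. All records, user names and the hash strings are constructed for the example.

```python
"""Parse /etc/group and /etc/gshadow and audit group passwords and GIDs.
Added example for this page, not code from the original article; every
record below is constructed for the example, not taken from a real host."""
from collections import defaultdict

# Constructed sample /etc/group (name:passwd:gid:members).
SAMPLE_GROUP = """\
root:x:0:root
bin:x:1:root,bin,daemon
wheel:x:10:root,joeadmin
users:x:100:
devel:RZ6Dpn0kdz1UU:501:alice,bob
release:x:502:bob
nfsnobody:x:4294967294:
nogroup:*:-2:
dba:x:5001:oracle
oinstall:x:5001:oracle
"""

# Constructed sample /etc/gshadow (name:passwd:admins:members). An empty
# password field means only listed members can newgrp(1) into the group,
# '!' or '*' locks the password, anything else is a crypt(3) hash.
SAMPLE_GSHADOW = """\
root:::root
wheel:!::root,joeadmin
release:$6$saltsalt$constructedhashvalue:bob:bob
"""

# First characters that mean "no usable password in this field".
LOCKED = ("x", "*", "!")

def parse_group(text):
    """Return {name: record} for /etc/group text. A record has name, passwd,
    gid (int) and members (list); blank lines and '#' comments are skipped."""
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError(f"/etc/group line {lineno}: expected 4 fields")
        name, passwd, gid, members = parts
        records[name] = {"name": name, "passwd": passwd, "gid": int(gid),
                         "members": [m for m in members.split(",") if m]}
    return records

def parse_gshadow(text):
    """Return {name: record} for /etc/gshadow text: passwd, admins, members."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, passwd, admins, members = line.split(":")
        records[name] = {"passwd": passwd,
                         "admins": [a for a in admins.split(",") if a],
                         "members": [m for m in members.split(",") if m]}
    return records

def normalize_gid(gid, bits=16):
    """The unsigned value a negative GID such as -2 denotes once it wraps:
    65534 with 16-bit GIDs, 4294967294 with 32-bit GIDs."""
    return gid % (1 << bits)

def groups_for(group, user, primary_gid=None):
    """What 'groups user' prints: the primary group (the GID from /etc/passwd,
    if given) followed by every group that lists the user as a member."""
    names = [r["name"] for r in group.values() if r["gid"] == primary_gid]
    names += [r["name"] for r in group.values()
              if user in r["members"] and r["name"] not in names]
    return names

def audit(group, gshadow):
    """Return a sorted list of (group, issue) pairs: exposed or set group
    passwords, group administrators, negative GIDs and duplicate GIDs."""
    issues = []
    by_gid = defaultdict(list)
    for r in group.values():
        by_gid[r["gid"]].append(r["name"])
        pw = r["passwd"]
        if pw and pw[0] not in LOCKED:   # a real hash in a world-readable file
            issues.append((r["name"], "password hash exposed in /etc/group; run grpconv"))
        if r["gid"] < 0:
            issues.append((r["name"], f"negative GID {r['gid']} wraps to {normalize_gid(r['gid'])}"))
    for name, s in gshadow.items():
        if s["passwd"] and s["passwd"][0] not in LOCKED:
            issues.append((name, "group password set: anyone who learns it can newgrp in"))
        if s["admins"]:
            issues.append((name, "group administrators can add members: " + ",".join(s["admins"])))
    for gid, names in by_gid.items():
        if len(names) > 1:
            issues.append((",".join(sorted(names)), f"duplicate GID {gid}"))
    return sorted(issues)

if __name__ == "__main__":
    g, gs = parse_group(SAMPLE_GROUP), parse_gshadow(SAMPLE_GSHADOW)
    print("groups joeadmin:", " ".join(groups_for(g, "joeadmin")))
    for name, issue in audit(g, gs):
        print(f"{name}: {issue}")
```

On a real host, replace the constructed samples with the contents of /etc/group and /etc/gshadow (the latter needs root to read). The audit treats x, * and ! as locked markers because that is what gpasswd and grpconv write; anything else in the password field is a hash that can be attacked offline, and a hash in /etc/gshadow means a password that anyone, member or not, can use with newgrp.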
It is prudent to use the wheel group for the set of server system administrators who are allowed to switch to root. It can be given additional powers through PAM: with pam_wheel enabled in /etc/pam.d/su (on Red Hat the line auth required pam_wheel.so use_uid is present but commented out by default), only members of this group can su to root. See Wheel Group.
Another potentially useful trick is to assign the group wheel to files that sysadmins edit often. System files (typically owned by group root on Linux) can then be edited from a sysadmin's private account without switching to root. There is a certain danger here, as access control over those files is now spread among all members of wheel, so sudo is the better solution. Note that sudo entails the same problem, since every member of the permitted group gets the access; the important differences are that sudo logs each invocation and can restrict members to specific commands.
While you can edit /etc/group directly with vi or another editor, there are dedicated commands for adding groups (groupadd), deleting them (groupdel), renaming them or changing their GID (groupmod) and changing membership and passwords (gpasswd, usermod -G). If you must edit by hand, use vigr (vigr -s for /etc/gshadow), which locks the file while you edit it so that a concurrent groupadd cannot corrupt it.
User ID and group ID differences
There are differences in the UIDs and GIDs used for the various users defined on the system by default. Table 11-1 lists UID differences. Table 11-2 lists the GID differences.
Table 11-1 User ID differences

User         Solaris UID:GID   Red Hat UID:GID   SUSE UID:GID   Comment
root         0:1               0:0               0:0            Superuser
daemon       1:1               2:2               2:2            N/A
bin          2:2               1:1               1:1            N/A
sys          3:3               N/A               N/A            N/A
adm          4:4               3:4               N/A            Admin
uucp         5:5               10:14             10:14          uucp admin
nuucp        9:9               N/A               N/A            uucp admin
smmsp        25:25             51:51             N/A            SendMail Message Submission Program
listen       37:4              N/A               N/A            Network admin
lp           71:8              4:7               4:7            Line printer admin
nobody       60001:60001       99:99             65534:65533    Nobody
noaccess     60002:60002       N/A               N/A            No access user
nobody4      65534:65534       N/A               N/A            SunOS 4.x Nobody
sync         N/A               5:0               N/A
shutdown     N/A               6:0               N/A
halt         N/A               7:0               N/A
(missing)    N/A               8:12              8:12
news         N/A               9:13              9:13
operator     N/A               11:0              N/A
games        N/A               12:100            12:100
gopher       N/A               13:30             N/A
man          N/A               N/A               13:62          Man pages viewer
ftp          N/A               14:50             40:49          FTP user
squid        N/A               23:23             31:65534       Squid proxy server
pvm          N/A               24:24             N/A            Parallel processing pkg
named        N/A               25:25             44:44
at           N/A               N/A               25:25          Batch daemon
postgres     N/A               26:26             26:26          PostgreSQL server
mysql        N/A               27:27             60:2           mySQL server
nscd         N/A               28:28             N/A            nscd daemon
mdom         N/A               N/A               28:28          Mailing list agent
rpcuser      N/A               29:29             N/A            RPC service user
wwwrun       N/A               N/A               30:8           WWW daemon Apache
rpc          N/A               32:32             N/A            Portmapper RPC user
amanda       N/A               33:6              37:6           Amanda backup suite
netdump      N/A               34:34             104:104        netdump
rpm          N/A               37:37             N/A            Package manager
ntp          N/A               38:38             74:65534
canna        N/A               39:39             N/A            Canna service users
irc          N/A               N/A               39:65534       IRC daemon
mailman      N/A               41:41             72:67          GNU mailing list mgr
gdm          N/A               42:42             50:15          GNOME desktop
xfs          N/A               43:43             N/A            X11 Font Server
mailnull     N/A               47:47             N/A
apache       N/A               48:48             N/A            Apache
wnn          N/A               49:49             N/A            Wnn input server
ldap         N/A               55:55             76:70          LDAP user
vscan        N/A               N/A               65:103         Virus scanner
webalizer    N/A               67:67             N/A            Webalizer
pop          N/A               N/A               67:100         POP server
haldaemon    N/A               68:68             N/A            HAL daemon
vcsa         N/A               69:69             N/A            Virtual console memory owner
snort        N/A               N/A               73:68          Snort network monitor
sshd         N/A               74:74             71:65          Privilege-separated SSH
radvd        N/A               75:75             N/A            Router advertisement daemon
cyrus        N/A               76:12             96:12          Cyrus IMAP server
pcap         N/A               77:77             N/A            Network monitor user
fax          N/A               78:78             N/A            mgetty fax spool
dbus         N/A               81:81             N/A            System message bus
postfix      N/A               89:89             51:51          Mail server
quagga       N/A               92:92             101:101        Quagga routing suite
exim         N/A               93:93             N/A            Spam/virus pkg
radiusd      N/A               95:95             102:102        Radius user
dovecot      N/A               97:97             N/A            IMAP/POP3 server
ident        N/A               98:98             N/A
htt          N/A               100:101           N/A            IIIMF Htt
stunnel      N/A               N/A               100:65534      SSL tunnel daemon
dhcpd        N/A               N/A               103:65534      DHCP daemon
nfsnobody    N/A               65534:65534       N/A

(One row in the source lost its user name; it is shown as "(missing)".)
Table 11-2 Group ID differences

Group        Solaris   Red Hat   SUSE
root         0         0         0
other        1         N/A       N/A
bin          2         1         1
sys          3         3         3
adm          4         4         N/A
uucp         5         14        14
(missing)    6         12        12
tty          7         5         5
lp           8         7         7
nuucp        9         N/A       N/A
staff        10        N/A       N/A
daemon       12        2         2
sysadmin     14        N/A       N/A
smmsp        25        N/A       N/A
nobody       60001     99        65533
noaccess     60002     N/A       N/A
nogroup      65534     N/A       65534
disk         N/A       6         6
mem          N/A       8         N/A
www          N/A       N/A       8
kmem         N/A       9         9
wheel        N/A       10        10
news         N/A       13        13
man          N/A       15        N/A
shadow       N/A       N/A       15
dialout      N/A       N/A       16
audio        N/A       N/A       17
floppy       N/A       19        19
games        N/A       20        40
cdrom        N/A       N/A       20
slocate      N/A       21        N/A
console      N/A       N/A       21
utmp         N/A       22        22
squid        N/A       23        N/A
pvm          N/A       24        N/A
named        N/A       25        44
at           N/A       N/A       25
postgres     N/A       26        26
mysql        N/A       27        N/A
nscd         N/A       28        N/A
mdom         N/A       N/A       28
rpcuser      N/A       29        N/A
gopher       N/A       30        N/A
rpc          N/A       32        N/A
public       N/A       N/A       32
video        N/A       N/A       33
netdump      N/A       34        N/A
rpm          N/A       37        N/A
ntp          N/A       38        N/A
canna        N/A       39        N/A
dip          N/A       40        N/A
mailman      N/A       41        67
xok          N/A       N/A       41
gdm          N/A       42        N/A
trusted      N/A       N/A       42
xfs          N/A       43        N/A
modem        N/A       N/A       43
mailnull     N/A       47        N/A
apache       N/A       48        N/A
wnn          N/A       49        N/A
ftp          N/A       50        49
smmsp        N/A       51        N/A
lock         N/A       54        N/A
ldap         N/A       55        70
maildrop     N/A       N/A       59
man          N/A       N/A       62
pkcs11       N/A       N/A       64
sshd         N/A       N/A       65
webalizer    N/A       67        N/A
haldaemon    N/A       68        N/A
snort        N/A       N/A       68
vcsa         N/A       69        N/A
ntadmin      N/A       N/A       71
sshd         N/A       74        N/A
radvd        N/A       75        N/A
pcap         N/A       77        N/A
fax          N/A       78        N/A
dbus         N/A       81        N/A
postfix      N/A       89        51
postdrop     N/A       90        N/A
quagga       N/A       92        101
exim         N/A       93        N/A
radiusd      N/A       95        102
dovecot      N/A       97        N/A
ident        N/A       98        N/A
users        N/A       100       100
htt          N/A       101       N/A
quaggavt     N/A       102       N/A
vscan        N/A       N/A       103
dump         N/A       N/A       104
nfsnobody    N/A       65534     N/A

(One row in the source lost its group name; it is shown as "(missing)". The Red Hat lp group is 7, as in the RHEL sample and Table 11-1 above; the source table gave 8.)
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: September 12, 2017