Softpanorama

Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
May the source be with you, but remember the KISS principle ;-)
Bigger doesn't imply better. Bigger often is a sign of obesity, of lost control, of overcomplexity, of cancerous cells

Groups administration tutorial

News Unix permissions model Recommended Links The /etc/group file Groups administration tutorial UID policy
System Groups Primary Group Wheel Group User Private Groups Managing user accounts in Perl
System Accounts Solaris RBAC Unix History Admin Horror Stories Humor Etc

The preservation of identity that was mentioned as a desired property of a security policy for a distributed environment. This is applicable both to user IDs and to group IDs. Here is a system design that addresses both of these problems.

  1. Two domains scheme:
  2. Users should be assigned upon user creation, a User Private Group (UPG) which is a unique group ID of the same name as the user ID. This allows for a fine atomic level of group permissions to be assigned for tighter and simpler default security.

There are multiple commands that access or change group information

There are also several "exotic" commands:

File, Directory and Device permissions:

Modification of file, directory and device access is achieved with the chmod command.

Permissions may be viewed by issuing the command: ls -l file-name

Groups and group members:

Users are members of a default group. Red Hat Linux will add new users to a group of the same group name as the user name. The default group is specified in the file /etc/passwd

user-name:x:user-number:group-number:comment section:/home-directory:default-shell

user1:x:500:500:Greg:/home/user1:/bin/bash
The user id has a user system number associated with it and this is defined in /etc/passwd. The group has a group system number associated with it and this is defined in /etc/group
group-name:x:group-number:user1,user2
user1:x:500:
user2:x:501:
floppy:x:19:user1
accounting:x:600:user2
apache:x:48:
User "user1" is a member of default group "user1" and also a member of group "floppy".

Group Commands:

If using NIS, view the groups using the command: ypcat group

Switching your default group:

Use the command newgrp group-name to switch your default used in file creation or directory access. This starts a new shell. Exit to return to the previous group id. Use the ps command to see if more than one shell is active.

For example "user2" would like to create a file in the accounting directory which can be read my members of his group. First switch the default group with the command: newgrp accounting

To return to your default group issue the "exit" command. If confused, issue the "ps" command. There should only be one instance of bash, else you are in the alternate group and not the default group.

Use the command newgrp group-name file-name to change the group associated with a file. You must be a member of the group to execute the command sucessfully. (or be root)

The newgrp command logs a user into a new group by changing a user's real and effective group ID. The user remains logged in and the current directory is unchanged. The execution of newgrp always replaces the current shell with a new shell, even if the command terminates with an error (unknown group).

Any variable that is not exported is reset to null or its default value. Exported variables retain their values. System variables (such as PS1, USER, PATH and HOME), are reset to default values unless they have been exported by the system or the user.

With no operands and options, newgrp changes the user's group IDs (real and effective) back to the group specified in the user's password file entry. This is a way to exit the effect of an earlier newgrp command.

A password is demanded if the group has a password and the user is not listed in /etc/group as being a member of that group. The only way to create a password for a group is to use passwd(1), then cut and paste the password from /etc/shadow to /etc/group. Group passwords are antiquated and not often used.

Gives new login as if logged in as group member: newgrp -

Changing group ownership:

If the user creates a file, the default group association is the group id of user. If he wishes to change it to another group of which he is a member issue the command: chgrp new-group-id file-name

If the user is not a member of the group then a password is required.

Default user groups:

Users are assigned upon user creation, a User Private Group (UPG) which is a unique group ID of the same name as the user ID. This allows for a fine atomic level of group permissions to be assigned for tighter and simpler default security.

Pre-Configured system groups:

The typical Linux installation will come with two dozens existing standard groups: (See /etc/group)

Group ID GID
root 0
bin 1
daemon 2
sys 3
adm 4
tty 5
disk 6
lp 7
mem 8
kmem 9
wheel 10
mail 12
man 15
floppy 19
named 25
rpm 37
xfs 43
apache 48
ftp 50
lock 54
sshd 74
nobody 99
users 100

This is only a partial listing of the default groups. There will also be a default set of member user ID's associated with most of the groups.

Grant use of a device to system users:

The first example will be of granting access to a device, the CD-ROM. This is generally not done for regular users on a server. Server access to a CD-ROM is limited to root by default. (This example may also be applied to the diskette. Group: floppy, first floppy device: /dev/fd0)

  1. Grant mount privileges to system users
  2. Create group cdrom .
  3. Allow use of device by group cdrom .
  4. Add user to group cdrom .
  5. Grant privileges to system users to mount the device: For more information see the man pages for mount and fstab.

  6. Create group cdrom : For more information see the man pages for groupadd, groupmod and groupdel.

  7. Allow use of device by group cdrom .

  8. Add user to group cdrom : At this point, adding users to the group cdrom will grant them access to the device.

OR for a completely different method that steps 1 to 4, use the one step approach:

Using CD-ROM:

You must mount and un-mount each CD-ROM individually. Do not switch CDs without un-mounting and re-mounting the new CD. (The GNOME desktop interface has features to do this for you. Covered later)

Command method:

Note: Only root user may execute the mount command. Users must use the tool usermount.

Desktop GUI method:

After mounting the CD-ROM one can view its contents from the directory /mnt/cdrom.

OR

Group Verification

Check the group membership of a user: groups user-id

This will list all the groups to which user-id is a member.

Verification Commands:

Recommended Links

Google matched content

Softpanorama Recommended

Top articles

Sites



Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: September, 12, 2017