
Primary Group


Every UNIX user belongs to one or more groups. Like user accounts, groups have both a group name and a group identification number (GID). GIDs were historically 16-bit integers; on current systems they are 32-bit. Every UNIX user is a member of at least one group, the primary group, whose GID is recorded in the fourth field of the user's /etc/passwd entry.

Groups are roles in disguise, but with insufficient flexibility. A single primary group is assigned by the system administrator when the user account is created, and it is stored in the /etc/passwd file. It is prudent to make the GID of the user's primary group equal to the user's UID. On System V derived kernels, including Linux, the primary group (more precisely, the effective GID of the creating process) is the group given to a newly created file, unless the parent directory has the setgid bit set, in which case the file inherits the directory's group instead. Note that it is the setgid bit, not the sticky bit, that controls this; BSD-derived kernels make new files inherit the directory's group unconditionally.

The modern way to administer primary groups in Unix is to give each user their own primary group, with GID equal to UID. I think this was pioneered by Red Hat, which calls the concept User Private Groups (UPG). With UPGs all sharing is expressed through secondary groups, which allows fine-grained group permissions and leads to a tighter and simpler security model.

The value of the primary group lies mainly in the fact that new files are created with a GID equal to the user's primary group. By using the newgrp command it is possible to change your primary group for the rest of a session.
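The following script is an added example, not code from the original page. It shows on a live system which group a freshly created file receives in the two cases discussed above: a plain directory, where the file takes the creating process's effective GID (the primary group), and a setgid directory, where it inherits the directory's group. It assumes System V / Linux semantics (on a BSD-derived kernel the plain-directory case also inherits the directory's group) and uses only POSIX tools; the temporary directory names are its own.

```shell
#!/bin/sh
# Added example (not from the original page): which group a new file receives.
# Assumes System V / Linux semantics: a new file takes the creating process's
# effective GID (the primary group, or whatever newgrp switched to) unless the
# parent directory carries the setgid bit, in which case it inherits the
# directory's group. BSD-derived kernels inherit the directory's group always.

# Numeric group id of a path. ls -n is portable across GNU, BSD and BusyBox ls.
gid_of() {
    ls -ldn "$1" | awk '{ print $4 }'
}

# Create a file inside the directory $1 and print the numeric gid it was given.
creation_gid() {
    probe="$1/probe.$$"
    : > "$probe"
    gid_of "$probe"
    rm -f "$probe"
}

# Print one supplementary group that differs from the primary group, or fail.
# A non-root owner may only chgrp a file to a group it belongs to, so this is
# the group we can hand a directory to for the setgid demonstration.
other_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    return 1
}

# Walk through both cases and print what happened.
demo() {
    work=$(mktemp -d)
    mkdir "$work/plain" "$work/shared"

    chgrp "$(id -g)" "$work/plain"      # plain directory owned by our primary group
    echo "primary group:       $(id -g)"
    echo "file in plain dir:   $(creation_gid "$work/plain")"

    if g=$(other_group); then
        chgrp "$g" "$work/shared"       # directory now belongs to a secondary group
        chmod g+s "$work/shared"        # setgid on a directory: new files inherit its group
        echo "setgid dir group:    $g"
        echo "file in setgid dir:  $(creation_gid "$work/shared")"
    else
        echo "no supplementary group available; setgid directory case skipped"
    fi
    rm -rf "$work"
}

demo
```

Run it once as yourself and once after newgrp into another group: the plain-directory line follows the shell's current group, while the setgid-directory line does not move.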

The first and third fields of an /etc/group entry hold the group name and the group identifier (GID) respectively; the second field is the (rarely used) group password, and the last field may list the users who are members of the group.

But a better way to assign the correct group to newly created files is to use the Set Group IDentifier (SGID) bit. Set on a directory, it makes new files and subdirectories inherit the directory's group rather than the creator's primary group. Set on an executable, it runs the program with the effective GID of the file's group, so the program can reach resources owned by that group without the invoking user being a member. The SGID bit is less frequently used than the SUID bit, but it is vitally important when it is used. For example, under SunOS the df command needs to read the superblock of a partition, yet it is undesirable to grant users read access directly to the device; df is therefore setgid to the operator group that owns the device (compare the permissions of /dev/sd0a and /usr/bin/df):

ls -ldg /dev/sd0a
brw-r-----  1 root     operator   7,   0 Sep 10  1992 /dev/sd0a

ls -lg /usr/bin/df
-rwxr-sr-x  1 root     operator     8848 Jul 23  1992 /usr/bin/df

Another example is the lpr command, which places files for printing in a spool directory, and the lpd daemon, which periodically checks the spool directory and prints what is there. The spool directory has no world read or write access, but it has the same group as the programs that access it (lpr, lpd, lpq, lpc), which are setgid to that group. Thus all users may print their files without the risk of a mischievous user interfering with the files while they sit in the spool queue. To set or clear the SGID bit use chmod g+s file or chmod g-s file respectively.
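Reading the mode strings above correctly is the first step in auditing setgid programs such as df and lpr. The following added example (not from the original page) decodes the first field of ls -l output into plain words, including the capital S and T forms that ls uses when a setuid, setgid or sticky bit is set without the matching execute bit, and wraps find(1) to inventory all setuid and setgid files under a tree. The function names are its own; the mode strings it is tested against are the ones shown on this page plus a few constructed ones.

```shell
#!/bin/sh
# Added example (not from the original page): decode the mode string that ls -l
# prints and report the setuid, setgid and sticky bits. The capital S/T forms
# mean the bit is set without the matching execute bit, which is an anomaly
# worth a second look on a regular file.
mode_flags() {
    m=$1
    # character 1: file type
    case $m in
        d*) out=dir ;;
        b*) out=blockdev ;;
        c*) out=chardev ;;
        l*) out=symlink ;;
        -*) out=file ;;
        *)  out=unknown ;;
    esac
    # character 4: owner execute slot, carries the setuid bit
    case $(printf %s "$m" | cut -c4) in
        s) out="$out setuid" ;;
        S) out="$out setuid-noexec" ;;
    esac
    # character 7: group execute slot, carries the setgid bit
    case $(printf %s "$m" | cut -c7) in
        s) out="$out setgid" ;;
        S) out="$out setgid-noexec" ;;
    esac
    # character 10: other execute slot, carries the sticky bit
    case $(printf %s "$m" | cut -c10) in
        t) out="$out sticky" ;;
        T) out="$out sticky-noexec" ;;
    esac
    echo "$out"
}

# Inventory every setuid or setgid regular file under $1 on the same filesystem,
# one line each, prefixed with the decoded flags. Run as root for full coverage;
# unreadable directories are silently skipped.
list_sxid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
    while read -r mode rest; do
        echo "[$(mode_flags "$mode")] $mode $rest"
    done
}

# Example run over a small system directory; output depends on the host.
list_sxid /usr/bin
```

Compare the inventory against what the package manager says should be there; a setgid binary in an unexpected group, or a setgid-noexec regular file, deserves an explanation.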

During a session it is sometimes necessary to change the primary group using the newgrp command (which parallels the su command). Note that newgrp starts a new sub-shell running with the changed group; it is terminated by ^D (or exit), which returns you to the original group. Normally the group of a file is derived from the effective group of the process that creates it (or from the parent directory, if that directory is setgid). The chgrp command (which parallels chown) changes the group of an existing file to another group from your group access list.

Changing primary group

Under versions of AT&T UNIX before SVR4, a user belonged to just one group at a time. To change your current group, you must use the newgrp command, which takes a single argument: the name of the group you are attempting to change into. If newgrp succeeds, it execs a shell that has a different GID but the same UID:

newgrp news

This is similar to the su command used to change UID.

Usually you will want to change only into groups of which you are already a member, that is, groups that list your username on their line in the /etc/group file.

However, the newgrp command also allows you to change into a group of which you're not normally a member. For this purpose, UNIX uses the group password field of the /etc/group file. If you try to change into a group of which you're not a member, the newgrp command will prompt you for that group's password. If the password you type agrees with the password for the group stored in the /etc/group file, the newgrp command temporarily puts you into the group by spawning a subshell with that group:

newgrp fiction 
password: rates34 

Now your primary group is fiction, for the lifetime of that subshell.

The password in the /etc/group file is interpreted exactly like the passwords in the /etc/passwd file, including salts. However, most classic systems had no program to install or change passwords in this file. To set a group password on such a system, you had to first assign it to a user with the passwd command, then use a text editor to copy the encrypted password out of /etc/passwd into /etc/group. Alternatively, you could encode the password using the /usr/lib/makekey program (if present) and edit the result into /etc/group in the appropriate place. (Linux systems with shadow-utils are the exception: gpasswd sets a group password and stores the hash in /etc/gshadow, so the password field in /etc/group itself normally reads x.)

We suspect that passwords have seldom been used in the group file. Otherwise someone would long ago have developed an easier, one-step method of updating them. UNIX gurus tend to write tools for anything they have to do more than twice that requires more than a few simple steps. Updating passwords in the group file is an obvious candidate, yet traditional UNIX never shipped such a tool. Ergo, the operation must not be common.

Some versions of UNIX, such as AIX, do not support group passwords.
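The membership and password rules above are easy to check mechanically. The following added example (not from the original page or the book it draws on) parses constructed /etc/passwd and /etc/group samples: it reports which groups a user is in by combining the primary GID from the passwd entry with the member lists in the group file, which is the scan Berkeley's /bin/login performs at login, and it lists groups whose password field holds something other than the conventional "no password" markers, since such groups can be entered with newgrp by anyone who learns the shared secret. All sample entries, including the hash on the fiction line, are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): read group membership and group
# passwords out of /etc/passwd and /etc/group style data. The sample records
# below are constructed for this example; point the two variables at the real
# files (cat /etc/passwd, cat /etc/group) to run it on a live system.
SAMPLE_PASSWD='lgm:x:10287:6761:Liam G. Madden:/home/lgm:/bin/sh
root:x:0:0:root:/root:/bin/sh'

SAMPLE_GROUP='eestaff:*:6761:
dspstaff::17:lgm,anne
fiction:aX7Qs2vP9kLm1:200:
wheel:x:10:root
staff:!:15:lgm'

# Groups a user belongs to: the group owning the primary GID from the passwd
# entry, plus every group that names the user in its member list (field 4).
groups_of() {
    user=$1
    pg=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$user" '$1 == u { print $4 }')
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$user" -v pg="$pg" '
        $3 == pg { print $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { print $1; break }
        }'
}

# Groups that carry a real password hash in field 2. The markers "*", "!" and
# "x" mean locked, disabled, or moved to /etc/gshadow; an empty field means no
# password is set. Anything else is a shared secret that newgrp will accept
# from non-members and should be reviewed.
groups_with_password() {
    printf '%s\n' "$SAMPLE_GROUP" |
    awk -F: '$2 != "" && $2 != "*" && $2 != "!" && $2 != "x" { print $1 }'
}

echo "groups of lgm:        $(groups_of lgm | tr '\n' ' ')"
echo "groups with password: $(groups_with_password | tr '\n' ' ')"
```

In the sample, fiction has a hash but no listed members, which is exactly the password-only group described in the newgrp discussion: nobody is in it by default, and anyone with the password can join it.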

One of the many enhancements that the Berkeley group made to the UNIX operating system was to allow users to reside in more than one group at a time. When a user logs in to a Berkeley UNIX system, the program /bin/login scans the entire /etc/group file and places the user into all of the groups in which that user is listed. The user is also placed in the primary group listed in the user's /etc/passwd file entry. When the system needs to determine access rights to something based on the user's membership in a group, it checks all the current groups for the user to determine if that access should be granted (or denied). If you are on a system that uses NIS, NIS+ or some other system for managing user accounts throughout a network, these network databases will be referenced as well.

Thus, Berkeley and SVR4 UNIX have no obvious need for the newgrp command - indeed, many of the versions do not include it. However, there may be a need for it in some cases. If you have a group entry with no users listed but a valid password field, you might want to have some users run the newgrp program to enter that group. This action will be logged in the audit files, and can be used for accounting or activity tracking. However, situations where you might want to use this are likely to be rare. Note, however, that some systems, including AIX, do not support use of a password in the /etc/group file, although they may allow use of the newgrp command to change primary group.

The following session, recorded on a SunOS system using NIS, demonstrates these commands: it looks up the user's primary group, lists all current groups with groups and with a small C program that calls getgroups(), then shows how newgrp and chgrp affect the group of newly created files.

% ypcat group | \
grep `ypmatch $USER passwd | awk -F: '/^'"$USER"':/ {print $4}'` | \
awk -F: '{printf "User %s has a GID of %d (%s)\n", "'$USER'", $3, $1}'
User lgm has a GID of 6761 (eestaff)
 
% ypmatch $USER passwd
lgm:zBnH9NHgtlq72:10287:6761:Mr Liam G. Madden:/ee/u5/staff/lgm:/bin/csh

% ypcat group | grep ':6761:'
eestaff:*:6761:

% groups
eestaff webadmin dspstaff ee1pg19 ee1pg14 orcad ee3a1
 
% cat > gid.c
/* The following program lists the groups that a user is a member of
   (similar to the groups command).
*/
#include <stdio.h>
#include <unistd.h>      /* getgroups() */
#include <sys/param.h>   /* NGROUPS */
/* Note: to compile under Solaris change all instances of NGROUPS to NGROUPS_MAX
   and include limits.h */
int main(void)
{
   int i, n;
   gid_t groups[NGROUPS];

   /* Note: the corresponding setgroups() call is restricted to root */
   if ( (n = getgroups(NGROUPS, groups)) == -1 ) {
      fprintf(stderr, "Unable to discover the group-ids for this account\n");
      return 1;
   }
   fprintf(stdout, "Group-ids for this account are: ");
   for (i = 0; i < n; i++)
      fprintf(stdout, (i+1 == n) ? "%d\n" : "%d ", (int) groups[i]);
   return 0;
} /* main */

% acc -o DEMO gid.c

% DEMO
Group-ids for this account are: 6761 17 15 19 21 16 18
 
% touch a ; ls -lg ? 
-rw-------  1 lgm      eestaff         0 Feb 23 15:08 a
 
% newgrp dspstaff
 
% touch b ; ls -lg ? 
-rw-------  1 lgm      eestaff         0 Feb 23 15:08 a
-rw-------  1 lgm      dspstaff        0 Feb 23 15:08 b
 
% chgrp dspstaff a ; ls -lg ?
-rw-------  1 lgm      dspstaff        0 Feb 23 15:08 a
-rw-------  1 lgm      dspstaff        0 Feb 23 15:08 b
 
% newgrp staff
newgrp: Password: ********
newgrp: Sorry
 
% exit 





Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

 


Last modified: September 12, 2017