Groups administration tutorial

The preservation of identity that was mentioned as a desired property of a security policy for a distributed environment. This is applicable both to user IDs and to group IDs. Here is a system design that addresses both of these problems.

1. Two domains scheme:
   • high security for all system (owned by root programs) by using special filesystem or write protected filesystem /usr/sbin, /usr/bin
   • Everything else.
2. Users should be assigned upon user creation, a User Private Group (UPG) which is a unique group ID of the same name as the user ID. This allows for a fine atomic level of group permissions to be assigned for tighter and simpler default security.

There are multiple commands that access or change group information

• useradd: Create a new user or update default new user information
• usermod: Modify a user account
• userdel: Delete a user account and related files
• chage: change user password expiration date
• id -- Use this command to display groups to which a user belongs.

There are also several "exotic" commands:

• pwconv: convert to and from shadow passwords and groups.
• pwunconv: convert to and from shadow passwords and groups.
• grpconv: creates gshadow from group and an optionally existing gshadow
• grpunconv: creates group from group and gshadow and then removes gshadow

File, Directory and Device permissions:

Modification of file, directory and device access is achieved with the chmod command.

• Grant read permissions to a file which you own so that everyone may read it:
  chmod ugo+r file-name
• Grant read permissions on a directory:
  chmod ugo+rx directory-name
  Note that "execute" permission is required in order to read a directory.
• Deny read access to a file by everyone except yourself:
  chmod o-r file-name
• Allow everyone in your group to be able to modify the file:
  chmod 660 file-name
  See chmod man page for more info.

Permissions may be viewed by issuing the command: ls -l file-name

• File can be written by yourself and members of the group. Others may only view it.
  -rw-rw-r-- user group file-size date file-name
• Directory is completely open for read/write:
  drwxrwxrwx user group file-size date directory-name
• File can only be accessed by owner (user):
  -rwx------ user group file-size date file-name

Groups and group members:

Users are members of a default group. Red Hat Linux will add new users to a group of the same group name as the user name. The default group is specified in the file /etc/passwd

user-name:x:user-number:group-number:comment section:/home-directory:default-shell

user1:x:500:500:Greg:/home/user1:/bin/bash

group-name:x:group-number:user1,user2
user1:x:500:
user2:x:501:
floppy:x:19:user1
accounting:x:600:user2
apache:x:48:

Group Commands:

• gpasswd: administer the /etc/group file
• groupadd: Create a new group
• groupmod: Modify a group
• groupdel: Delete a new group

If using NIS, view the groups using the command: ypcat group

Switching your default group:

Use the command newgrp group-name to switch your default used in file creation or directory access. This starts a new shell. Exit to return to the previous group id. Use the ps command to see if more than one shell is active.

For example "user2" would like to create a file in the accounting directory which can be read my members of his group. First switch the default group with the command: newgrp accounting

To return to your default group issue the "exit" command. If confused, issue the "ps" command. There should only be one instance of bash, else you are in the alternate group and not the default group.

Use the command newgrp group-name file-name to change the group associated with a file. You must be a member of the group to execute the command sucessfully. (or be root)

The newgrp command logs a user into a new group by changing a user's real and effective group ID. The user remains logged in and the current directory is unchanged. The execution of newgrp always replaces the current shell with a new shell, even if the command terminates with an error (unknown group).

Any variable that is not exported is reset to null or its default value. Exported variables retain their values. System variables (such as PS1, USER, PATH and HOME), are reset to default values unless they have been exported by the system or the user.

With no operands and options, newgrp changes the user's group IDs (real and effective) back to the group specified in the user's password file entry. This is a way to exit the effect of an earlier newgrp command.

A password is demanded if the group has a password and the user is not listed in /etc/group as being a member of that group. The only way to create a password for a group is to use passwd(1), then cut and paste the password from /etc/shadow to /etc/group. Group passwords are antiquated and not often used.

Gives new login as if logged in as group member: newgrp -

Changing group ownership:

If the user creates a file, the default group association is the group id of user. If he wishes to change it to another group of which he is a member issue the command: chgrp new-group-id file-name

If the user is not a member of the group then a password is required.

Default user groups:

Users are assigned upon user creation, a User Private Group (UPG) which is a unique group ID of the same name as the user ID. This allows for a fine atomic level of group permissions to be assigned for tighter and simpler default security.

Pre-Configured system groups:

The typical Linux installation will come with two dozens existing standard groups: (See /etc/group)

This is only a partial listing of the default groups. There will also be a default set of member user ID's associated with most of the groups.

Grant use of a device to system users:

The first example will be of granting access to a device, the CD-ROM. This is generally not done for regular users on a server. Server access to a CD-ROM is limited to root by default. (This example may also be applied to the diskette. Group: floppy, first floppy device: /dev/fd0)

1. Grant mount privileges to system users
2. Create group cdrom .
3. Allow use of device by group cdrom .
4. Add user to group cdrom .
5. Grant privileges to system users to mount the device:
   • Manual method: This requires a change to the file /etc/fstab.The fourth column defines mounting options. By default only root may mount the device (option owner ). To grant users the ability to mount the device, change the owner option to user . With the user option only the user who mounted the device can unmount the device. To allow anyone to unmount the device, use the option users .
   • Linuxconf GUI method: (Note: Linuxconf is no longer included with Red Hat Linux 7.3 and later)
     • RH 5.2: Start + Programs + Administration + Linuxconf .
     • RH 6.0: Select Gnome Start icon + System + Linuxconf .
     • Select Config + File systems + Access local drive .
     • Select the device /dev/cdrom
     • Select the tab Options .
     • Add the option User mountable to allow users to mount the CD-ROM. The user who mounted the CD must also be the one to unmount the CD. OR Select the tab Misc. and add to Other options: users if you want to allow anyone to be able to unmount the CD regardless of who mounted it.
   For more information see the man pages for mount and fstab.

6. Create group cdrom :
   • Manual method:
     • Add the line cdrom::<unique group number>:root,<userid> to the file /etc/group where <user id> is the user to be granted use of the CD-ROM. (For example: cdrom::25:root,user1")
       OR
     • Add a group with the command: groupadd <group name> in this case groupadd cdrom .
   • Linuxconf GUI method: (Admin tool linuxconf is no longer included with Red Hat 7.3+.)
     • Start linuxconf.
     • Select Config + User Accounts + Normal + Group Definitions + Add .
     • Group Name: cdrom
     • Alternate Members (opt): root <user name> : (Add space delimited user ids here)
     • Accept
   For more information see the man pages for groupadd, groupmod and groupdel.

7. Allow use of device by group cdrom .
   • Manual method:
     • Use the command: chown owner:group <device> to assign the device to a user and group. For example: chown root.cdrom /dev/hdd . (Use hdd if cdrom is the slave device on the 2nd IDE controller.)
     • Allow group access to the device: chmod 660 /dev/hdd
   • GUI method:
     • Start the File Manager and right click the file representing the cdrom device. Select Properties . Then select the tab Permissions . Set the Owner to root and the Group to cdrom. Allow Read and Write privileges for the user and group by selecting the appropriate buttons.

8. Add user to group cdrom : At this point, adding users to the group cdrom will grant them access to the device.
   • Manual method: The user id s specified in /etc/group is a comma separated list.
     • Use the command usermod -G <comma separated group list> <user id> . Be sure to list all groups as this is an absolute list and not an addition. To list all groups to which a user is a member use the command groups <user id> .
   • Linuxconf GUI method: Step two allowed you to assign users to the group. If users still need to be assigned use the following method:
     • After starting Linuxconf, select options Config + User Accounts + Normal + User Accounts .
     • Next to supplementary groups add the group cdrom. Groups should be delimited by spaces.

OR for a completely different method that steps 1 to 4, use the one step approach:

• chmod 664 /dev/hdd : Allow read use to all users of the CD-ROM device (hdd is just the example, your device name can vary). This method is quick, unelegant and can be used for your own desktop system but definitely don t do this on a server.

Using CD-ROM:

Command method:

• mount -t iso9660 /dev/hdd /mnt/cdrom : This generates amount point for CD-ROM (or mount -t iso9660 /dev/cdrom /mnt/cdrom . The device name /dev/cdrom is a symbolic link to the actual device)

Desktop GUI method:

• RH 5.2: Start + Programs + Administration + Disk Management .
• RH 6.0/6.1: Select Gnome icon (located lower left corner) + System + Disk Management .
• The gui tool can also be started using the shell command /usr/bin/usermount.

After mounting the CD-ROM one can view its contents from the directory /mnt/cdrom.

• Use the command: cd /mnt/cdrom

• GNOME toollbar Start icon File manager and select the appropriate folders.

Group Verification

This will list all the groups to which user-id is a member.

Verification Commands:

• pwck: verify integrity of password files
• grpck: verify integrity of group files

Recommended Links

Softpanorama Recommended

Top articles

Sites

• Groups administration
• The /etc/group file
• Primary Group
• System Groups
• User Private Groups

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March, 12, 2019