Objectives
- Explain the importance of groups in Linux
- Create, remove and manage groups and their membership with
- groupadd
- groupdel
- groupmod
- usermod
- Describe User Private Groups
- Explain the concept of group membership
Group
A group is a collection of users.
Users belong to one or more groups under Linux. Purposes of groups include
- Allowing users to share a work area
- Setting up file permissions to allow access to group members, but not the entire world
- Permitting certain specified users to access resources they would not be allowed to otherwise
Groups are defined in
/etc/group
which has the same role for groups as
/etc/passwd
has for users. Each line of the file looks like
groupname:password:GID:user1,user2,...
where
- groupname
- Is the name of the group
- password
- Is the password placeholder. Group passwords may be set, but only if the following file exists
- /etc/gshadow
- GID
- Is the group identifier
- Values from 0 to 99 are for system groups
- Values from 100 up to GID_MIN (as defined in /etc/login.defs, and usually the same as UID_MIN) are considered special.
- Values over GID_MIN are for UPG (User Private Groups)
- user1, user2
- Are the comma-separated members of the group. A user need not be listed here if this group is the user's principal (primary) group
Group Management
Group accounts may be managed and maintained with
- groupadd
- Add a new group
- groupdel
- Remove a group
- groupmod
- Modify a group's properties
- usermod
- Modify a user's group membership (add or remove)
One can also edit /etc/group directly, but it is better to use the
vigr
utility, which is generally a symbolic link to
vipw
These group manipulation utilities modify
/etc/group
and, if it exists,
/etc/gshadow
vigr may only be executed by root.
Examples
$ sudo groupadd -r -g 215 staff
$ sudo groupmod -g 101 blah
$ sudo groupdel newgroup
$ sudo usermod -G student,group1,group2 student
Be careful with the -G option: the list of groups that follows it becomes the complete set of the user's secondary groups. If a group the user is supposed to belong to is missing from that list, the user is removed from it.
To avoid mistakes it is better to also pass the -a option, which preserves pre-existing group memberships when adding new ones.
User Private Groups (UPG)
The idea behind this is that every user has their own group. However, UPGs are not guaranteed to be private: additional members may be added to someone's private group in
/etc/group
By default, users created with useradd have primary GID = UID, and the group name is identical to the user name.
As specified in /etc/profile, the umask is set to 002 for all users created with UPG.
Under this scheme, user files are thus created with permissions 664 (rw-rw-r--) and directories with 775 (rwxrwxr-x).
Group membership
A Linux user has one primary group. This is listed in /etc/passwd and will also be listed in /etc/group. A user may belong to between 0 and 15 secondary groups.
The primary group is the GID that is used whenever the user creates files or directories. Membership in secondary groups grants the user additional permissions.
Group membership can be identified by running
$ groups [user1 user2 ...]
$ id -Gn [user1 user2 ...]
With no arguments, either command reports on the current user.
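The /etc/group line format and GID ranges described earlier, the membership reporting of groups / id -Gn above, and the -G versus -aG warning, worked through as an added example that is not part of the original notes. It parses constructed /etc/passwd, /etc/group and login.defs content (sample data, not a real system), classifies GIDs, lists a user's groups with the primary first, and models what usermod -G does with and without -a. GID_MIN is assumed to be 1000, and GID_MIN itself is counted in the UPG range.

```python
import re
# Constructed sample files (not real system data); GID_MIN assumed 1000 as on most distributions.
LOGIN_DEFS = "UID_MIN 1000\nGID_MIN 1000\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
GROUP = "root:x:0:\nwheel:x:10:alice\nusers:x:100:\nstaff:x:215:alice\nalice:x:1001:\nbob:x:1002:alice\n"

def gid_min(login_defs):
    m = re.search(r"^\s*GID_MIN\s+(\d+)", login_defs, re.M)
    return int(m.group(1)) if m else 1000

def parse_group(text):
    """Parse /etc/group lines into {name: (gid, [members])}; the password field is ignored."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [u for u in members.split(",") if u])
    return groups

def classify_gid(gid, gmin):
    """GID ranges from the notes: 0-99 system, 100 up to GID_MIN special, above that UPG
    (GID_MIN itself is counted as UPG here, an assumption)."""
    return "system" if gid <= 99 else "special" if gid < gmin else "upg"

def primary_gid(user, passwd):
    """The primary group comes from /etc/passwd; /etc/group need not list the user in it."""
    for line in passwd.splitlines():
        f = line.split(":")
        if f[0] == user:
            return int(f[3])
    raise KeyError(user)

def user_groups(user, passwd, groups):
    """Primary group first, then secondary groups, like `id -Gn user`."""
    pgid = primary_gid(user, passwd)
    primary = [n for n, (g, _) in groups.items() if g == pgid]
    secondary = [n for n, (g, m) in groups.items() if user in m and g != pgid]
    return primary + secondary

def set_secondary(user, passwd, groups, wanted, append):
    """Model usermod -G (append=False, replace) versus usermod -aG (append=True); returns the
    new group table. With append=False every secondary group not in `wanted` drops the user."""
    pgid = primary_gid(user, passwd)
    new = {}
    for name, (gid, members) in groups.items():
        keep = user in members and (append or gid == pgid)
        ms = [u for u in members if u != user]
        if keep or name in wanted:
            ms.append(user)
        new[name] = (gid, ms)
    return new
```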