Groups

Every user on a UNIX and Linux system belongs to a group. A group is a collection of individuals lumped together for some reason. The users in a group may all work in the same department, may need access to a particular programming utility, or may all have access to use a special device, such as a scanner or color laser printer. Groups can be set up for any reason, and users can belong to any number of groups. However, a user can only be a member of one group at a time, because groups are used for determining file permissions, and Linux only allows one group ID per user at any point in time.

Groups can have their permissions set so that members of that group have access to devices, files, file systems, or entire machines that other users who do not belong to that group may be restricted from. For example, this can be useful when you have an accounting department, all members of which need access to the company’s accounts. However, you wouldn’t want non-accounting people to go snooping through financial statements, so creating a special group that has access to the accounting system makes sense.

Many small Linux systems have only one group, the default group, because that is the simplest way to manage a system. Then, each user’s access to devices and files is controlled by the devices’ or files’ permissions, not the group. When you start to get several different users in logical groupings, though, groups start to make more sense. You can even use groups to control your friends’ or children’s access to areas on your home Linux system.

Group information is maintained in the file /etc/group, which is similar in layout to the /etc/passwd file. The default /etc/group file from a newly installed Linux system is shown in Listing 35.2.

Listing 35.2. The default /etc/group file.

root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
floppy::11:root
mail::12:mail
news::13:news
uucp::14:uucp
man::15:man
users::100:games
nogroup::-1:

Each line in the file has four fields separated by colons. Two colons together mean that the field is empty and has no value specified. Each line in the file follows this format:


group name:group password:group ID:users

Each group has a line of its own in the file. The fields in the /etc/group file (from left to right) are listed as follows:

  group name—A unique name, usually eight characters or fewer and usually made up of standard alphanumeric characters only.
  password—Usually left as an asterisk or blank, but a password can be assigned that a user must enter to join the group. Not all versions of Linux or UNIX use this field; it is kept in the file for backward compatibility.
  group ID (GID)—A unique number for each group, used by the operating system.
  users—A comma-separated list of the login names of the users who belong to that group.

Every Linux system has a number of default groups that belong to the operating system, usually called bin, mail, uucp, sys, and so on. You can see the system-dependent groups in the default /etc/group file shown in Listing 35.2. In that file, all but the last two entries are system groups. You should never allow ordinary users to belong to one of these groups, because membership can give them access permissions equivalent to root’s. Only system logins should have access to these operating-system groups.

Default System Groups

You may have noticed in the startup /etc/group file shown in Listing 35.2 that there are several groups defined. These groups are used to set file permissions and access rights for many utilities. It’s worth taking a quick look at some of the most important groups and their functions:

root/wheel/system Owns most system files; membership is usually required before a user can employ the su command to gain root access.
daemon Used to own spooling directories (mail, printer, and so on).
kmem Used for programs that need to access kernel memory directly (including ps).
sys Owns some system files; on some systems this group behaves the same as kmem.
tty Owns all special files dealing with terminals.

The default group in the Slackware Linux /etc/group file shown previously is called users and has a GID of 100. (Many UNIX systems follow the convention of a default group called group with a GID of 50.)

Adding a Group

You can edit the information in the /etc/group file manually, using any ASCII editor, or you can use a shell utility such as addgroup or groupadd, which goes through the process for you. As a system administrator, you may find it easier to make the changes manually because you can see the entire group file while you are editing it. Not all versions of Linux have an addgroup or groupadd utility.

To manually add a group to the /etc/group file, first make a backup copy of the file. Use any ASCII editor and add one line to the file for each new group you want to create. Make sure you follow the syntax of the file carefully because incorrect entries prevent users from belonging to that group. In the following lines, two new groups have been created:

accounts::101:bill
scanner::102:yvonne

The two groups have GIDs of 101 and 102; like user IDs, GIDs should be assigned sequentially for convenience. The users that belong to the group are appended in the last field. In both cases, only one user is in each group. You’ll see how to assign multiple users to a group in the next section. The groups do not have to be in order of GID or group name, although for convenience the file is usually ordered by GID; you can add new lines anywhere in the file.

The /etc/group file should be checked for file permissions and ownership after you have made changes to it. The file should be owned by root and have a group owner of root (or system, depending on the group with GID 0). The file permissions should prevent anyone but root from writing the file.
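As an added example (not from the book), here is a short shell script that checks a file in the /etc/group layout described above for malformed lines, duplicate group names or GIDs, non-system logins in system groups, and loose ownership or permissions. It runs against a constructed sample file; the SYSTEM_LOGINS list and the rule that system groups have GIDs below 100 are assumptions drawn from the listing.

```shell
#!/bin/sh
# Added example, not from the book: sanity checks for a file in the
# /etc/group layout (group name:group password:group ID:users).
# The sample file below is constructed and contains deliberate mistakes;
# set GROUP_FILE=/etc/group to check a real system.

write_sample() {
    cat >"$1" <<'EOF'
root::0:root
bin::1:root,bin,daemon
kmem::9:yvonne
wheel::10:root
users::100:games
accounts::101:bill
scanner::102:yvonne
backup::102:bill
broken:103:bill
EOF
}

# Lines that do not have exactly four colon-separated fields.
bad_fields() { awk -F: 'NF != 4 { print NR ": " $0 }' "$1"; }

# Values of field N (1 = group name, 3 = GID) used by more than one line.
dup_field() {
    awk -F: -v n="$2" 'NF == 4 { c[$n]++ } END { for (v in c) if (c[v] > 1) print v }' "$1" | sort
}

# Members of system groups (GID below 100, as in the listing above) that are
# not system logins. The list of system logins is an assumption for this example.
SYSTEM_LOGINS=" root bin daemon adm lp mail news uucp man "
system_group_members() {
    awk -F: -v sys="$SYSTEM_LOGINS" 'NF == 4 && $3 < 100 && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (index(sys, " " m[i] " ") == 0) print $1 ":" m[i]
    }' "$1"
}

# Returns 0 when the file is writable by its group or by others (ls -l mode columns 6 and 9).
loose_perms() { ls -ld "$1" | awk '{ w = (substr($1,6,1) == "w" || substr($1,9,1) == "w"); exit (w ? 0 : 1) }'; }

if [ -z "${GROUP_FILE:-}" ]; then GROUP_FILE=$(mktemp); write_sample "$GROUP_FILE"; fi
echo "Malformed lines:";                     bad_fields "$GROUP_FILE"
echo "Duplicate group names:";               dup_field "$GROUP_FILE" 1
echo "Duplicate GIDs:";                      dup_field "$GROUP_FILE" 3
echo "Non-system logins in system groups:";  system_group_members "$GROUP_FILE"
ls -ld "$GROUP_FILE" | awk '$3 != "root" { print "WARNING: owner is " $3 ", expected root" }'
if loose_perms "$GROUP_FILE"; then echo "WARNING: $GROUP_FILE is group- or world-writable"; fi
```

On the constructed sample the script reports the three-field line, the GID 102 used twice, and yvonne's membership in kmem, which is exactly the kind of entry the text above warns against.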
