LinuxQuestions.org
Old 08-22-2014, 10:12 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Rep: Reputation: Disabled
Why does Linux require a file/user to have a group?


When I create a new user, a primary group is created with the same name as the username. I can then add the user to other secondary groups if desired.

When I create a file, the username defaults to my username, and the group defaults to my group.

I am sure I am wrong, but if I developed Linux (and probably Unix), I would not have a primary group for the user, but only the secondary groups. For files, I would allow the file to have group NULL.

I am sure there were good reasons to do what was done, and am curious what they were.

Thank you
 
Old 08-22-2014, 10:22 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,578
Blog Entries: 14

Rep: Reputation: 969
Actually not all Linux distros create a primary group with the same name as the user. Also you can prevent this from happening by adding the "-n" flag to the useradd command. From the useradd man page:

Quote:
-n A group having the same name as the user being added to the system
will be created by default. This option will turn off this Red Hat
Linux specific behavior. When this option is used, users by default
will be placed in whatever group is specified in
/etc/default/useradd. If no default group is defined, group 1 will
be used.
 
Old 08-22-2014, 10:43 AM   #3
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Original Poster
Rep: Reputation: Disabled
Thank you MensaWater,

But even in this case, the user will either be placed in whatever group is specified in /etc/default/useradd, and if no default group is defined, group 1 will be used. What is the purpose of the primary group, and why not just use secondary groups? In regards to files, why create some fictional "nogroup" but instead not have a group assigned to the file?

Maybe the answer is simply "it is that way just because", but more often it seems there is always a good reason things were done the way they were.

Other than idle curiosity, I am developing a PHP app which will mimic some of the Linux user/group/permissions functionality.

Thanks again!
 
Old 08-22-2014, 11:18 AM   #4
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 2,959

Rep: Reputation: 1268
It's pretty much "just the way it is, and has been from the beginning." It's why we end up with a UID and GID for user "nobody" for when we want a process to run without any special permissions.
 
Old 08-22-2014, 12:05 PM   #5
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rknichols
It's pretty much "just the way it is, and has been from the beginning." It's why we end up with a UID and GID for user "nobody" for when we want a process to run without any special permissions.
Thanks rknichols, Think it should have been that way?
 
Old 08-22-2014, 12:27 PM   #6
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 2,959

Rep: Reputation: 1268
Writing kernel and user space code to handle special cases like "file with no UID" or "user with no GID" is a pain. It also brings up questions like, "What can a user do with a file that has no UID? All things?? Nothing??" There is already one special UID (0 = "root"). Having more special cases makes the problem grow exponentially. Consider also what you would have to write everywhere you explain the permissions system.
 
Old 08-22-2014, 01:08 PM   #7
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,578
Blog Entries: 14

Rep: Reputation: 969
That's just the way it is as they say. The reasons go back to UNIX which has been around since 1970. UNIX was designed to be "multiuser" so users have been there since inception. Whether groups were added later or were there always I don't know, but they were certainly there as long ago as the mid-80s when I first worked on AT&T Unix. It may have had to do originally with "accounting", as in early days it was very important to track who did what, if for no other reason than so you could charge that department for using (originally) very expensive computer time.
 
Old 08-22-2014, 03:41 PM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241
It does go back to 1970...

But the reason the file is given a group is that it MUST have a group value.

Because the group defines access controls, putting in a generic group (such as null) means the group name "null" must be given a group identification number.

Unfortunately, putting in a null group means that anyone that has access to the null group may also access that file... even when they shouldn't. It is very much like having a login with a null password...

Various distributions have slightly different policies when it comes to groups. RH/Fedora/CentOS tend to create a group with the same name as the user. This allows the group access to be equivalent to the user, thus protecting the file from accidental exposure.

Other systems may use the first group in the user's list... And that first group is always the one assigned in the /etc/passwd file (or LDAP/NIS/... wherever the authorization record comes from).

The user can always change the default group - that is what the "newgrp" command does.

You can use the "id" command to list the defaults and groups the user is authorized to use.
Then the newgrp will change the default group to any other group the user is authorized.

BTW, there is already a "nobody" group (two of them for that matter). "nobody" is given the UID/GID of 99, and the "nfsnobody" is given the UID/GID of 65534. These two accounts are used for specific purposes - "nobody" is used for processes spawned by the system that are specifically isolated. They are given one of these two uid/gid values because they are not supposed to be used by any account. The nfsnobody is used by NFS network services for any account that doesn't exist within the client or server. No files SHOULD get those ids (at least not writable anyway) as they are used to indicate user mapping failures.

Last edited by jpollard; 08-22-2014 at 03:49 PM.
 
1 members found this post helpful.
Old 08-22-2014, 05:02 PM   #9
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Original Poster
Rep: Reputation: Disabled
Thank you MensaWater and Senior Member,

I think I understand the reasons why the group "shouldn't" be null. I didn't say "couldn't" as it seems the group identification number could also be null and the kernel could deal with it, but that likely also causes problems. Bottom line, I agree with you.

I started off typing this response planning on also asking why one would need a primary group as well as secondary groups. Is there any difference between user John whose primary group is Group1 and whose only secondary group is Group2 and user John whose primary group is Group2 and whose only secondary group is Group1? (note that this is not entirely rhetorical and I would appreciate an answer). But if the primary group field did not exist, there would be no group to assign the newly created file, which goes against what I previously agreed with you should be done in the preceding paragraph.

So, it is not "that way just because", but there was a good reason to do so.
 
Old 08-22-2014, 06:29 PM   #10
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 2,959

Rep: Reputation: 1268
The difference is that, by default, files get created with the GID of the creating process's primary group. The owning UID can change the file's GID to any group of which that user is a member, and the "setgid" bit on the directory would cause the directory's GID to be the GID for files created there, but the default would be the user's primary GID. A user can also use the newgrp command to change the current primary group to any group of which he is a member or, in the uncommon case of group passwords being set, to any group for which he knows the password.

Last edited by rknichols; 08-22-2014 at 06:36 PM.
 
1 members found this post helpful.
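The behaviour discussed in posts #9 and #10, as an added example that is not from any poster: a simplified Python model (not kernel code) of how a new file gets its group and how the owner/group/other check consults exactly one class. All UIDs, GIDs and modes are constructed sample values, and the root bypass and `newgrp` are deliberately simplified.

```python
from dataclasses import dataclass

S_ISGID = 0o2000  # setgid bit; on a directory, new files inherit its GID

@dataclass
class Node:            # a file or directory
    uid: int
    gid: int           # always present: the group class needs something to match
    mode: int

@dataclass
class Process:
    uid: int
    egid: int          # current primary (effective) group
    groups: frozenset  # secondary (supplementary) groups

def create_file(proc, directory, mode=0o640):
    """Owner is the creator; group is the directory's GID if the directory
    is setgid, otherwise the creator's current primary group."""
    gid = directory.gid if directory.mode & S_ISGID else proc.egid
    return Node(proc.uid, gid, mode)

def newgrp(proc, gid):
    """Switch primary group to one the user belongs to (group passwords not modelled)."""
    if gid != proc.egid and gid not in proc.groups:
        raise PermissionError(f"not a member of gid {gid}")
    return Process(proc.uid, gid, proc.groups | {proc.egid})

def may_access(proc, node, want):
    """want is an rwx mask (4=read, 2=write, 1=execute).
    Only one class is checked; there is no fall-through to a looser one."""
    if proc.uid == 0 and not want & 1:
        return True                       # simplified: root may read/write anything
    if proc.uid == node.uid:
        bits = node.mode >> 6             # owner class
    elif node.gid == proc.egid or node.gid in proc.groups:
        bits = node.mode >> 3             # group class: primary and secondary count alike
    else:
        bits = node.mode                  # other class
    return (bits & 7 & want) == want

if __name__ == "__main__":
    # Constructed: John (uid 1000) with Group1=2001 and Group2=2002 swapped
    john_a = Process(1000, 2001, frozenset({2002}))
    john_b = Process(1000, 2002, frozenset({2001}))
    home, shared = Node(1000, 2001, 0o755), Node(0, 2002, 0o2775)
    print(create_file(john_a, home).gid, create_file(john_b, home).gid)
    print(create_file(john_a, shared).gid)
    theirs = Node(1001, 2002, 0o640)
    print(may_access(john_a, theirs, 4), may_access(john_b, theirs, 4))
```

For access checks the two Johns are indistinguishable; they differ only in the group stamped on files they create outside a setgid directory.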
Old 08-22-2014, 11:38 PM   #11
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Original Poster
Rep: Reputation: Disabled
Thank you rknichols,

I suspected most of this, but you taught me more.

Michael
 
  


All times are GMT -5.