LinuxQuestions.org
Old 04-10-2012, 04:43 PM   #1
Surka
LQ Newbie
 
Registered: Apr 2012
Location: Argentina
Distribution: Slackware
Posts: 14

Rep: Reputation: Disabled
User groups - manage groups


Currently using SLACKWARE.

I read in the Slackware book that you can manage groups and users with some commands like groupadd or adduser, for example.

What I didn't find is how to manage those groups, how to see all created groups, give different permissions... for example: I want the "guest" group to have restricted access, and don't let them add/edit/del any user/group. But I want the "admin" group to do whatever they want.

Which files have that information? (i.e., see all created groups, give permissions)

Thanks.
 
Old 04-10-2012, 05:52 PM   #2
hydraMax
Member
 
Registered: Jul 2010
Location: Skynet
Distribution: Debian + Emacs
Posts: 467
Blog Entries: 60

Rep: Reputation: 51
I think you are a little confused about how this works. The only user that can change permissions is the "root" user (a.k.a. superuser). "guest" and everybody else do not have the ability to change permissions. However, it is possible to give other users the ability to run commands as the root user, through a tool called "sudo":

sudo home page

In Gnu/Linux, you don't really give permissions directly to users, but rather you attach permissions to files (and directories) and those permissions determine what users have access to the files, and what kind of access they have. This is done by changing the "ownership" of a file (through the chown command) and changing the "mode bits" of a file (through the chmod command).

You can, however, assign files to a certain group, and make certain users part of that group, which practically speaking changes the "permissions" of that group. You can see what groups a user belongs to with the "groups" command. You can also read the files /etc/group and /etc/passwd to get summaries.

The Gnu/Linux permissions system has always worked this way (inherited from Unix) and as far as I know no one has ever tried to change it. Also, Gnu/Linux does not have "inherited" permissions like Windows does. However, it is possible to extend the permissions system somewhat by using POSIX access control lists (ACLs). The ACL system works fundamentally the same as the regular system, but it allows you to specify more groups and user permissions per file.
 
Old 04-11-2012, 11:49 AM   #3
Surka
LQ Newbie
 
Registered: Apr 2012
Location: Argentina
Distribution: Slackware
Posts: 14

Original Poster
Rep: Reputation: Disabled
Thanks for your answer. Now I have another doubt:
After logging in, I ran the "groups" command and it showed: users floppy audio video cdrom scanner.
They are different files, right? Because I have read that hardware is treated as a file.

Also about that, I have a new doubt. I don't know how many devices a desktop may have attached. Is there any good documentation about groups and users? (not Wikipedia please) I want to learn about giving permissions to files.

Last edited by Surka; 04-11-2012 at 12:04 PM.
 
Old 04-11-2012, 05:12 PM   #4
hydraMax
Member
 
Registered: Jul 2010
Location: Skynet
Distribution: Debian + Emacs
Posts: 467
Blog Entries: 60

Rep: Reputation: 51
Quote:
Originally Posted by Surka
Thanks for your answer. Now I have another doubt:
After logging in, I ran the "groups" command and it showed: users floppy audio video cdrom scanner.
They are different files, right? Because I have read that hardware is treated as a file.

Also about that, I have a new doubt. I don't know how many devices a desktop may have attached. Is there any good documentation about groups and users? (not Wikipedia please) I want to learn about giving permissions to files.
Under Gnu/Linux, it is true that hardware is treated as a file. These special files are called "block" or "character" files and are usually available from within the /dev directory.

However, this is not the same thing as a group. A group is basically just a category that you put users into. Individual files, including the device files, get "owned" by a certain group, and then only users who are part of that group have access to those files. You can change which group owns a file using the "chown" command. (See the chown manual page.)

Typically, however, your Gnu/Linux distribution will already have set up a sensible arrangement of which device files are owned by which group. For example, in Gentoo Linux, the /dev/audio file is already owned by the "audio" group. So, all you really need to do as the system maintainer is decide which users deserve to be part of the "audio" group. Again, you can see which groups are available by reading the /etc/group file.

The sensible rule is that you should only make a user part of a certain group if you know he or she needs access to functionality provided through that group. For example, user "bob" might need to be part of the "audio" and "video" groups so he can watch videos, but perhaps he doesn't need to be part of the "games" group.

You can see what user and group any file belongs to by using the command "ls -l <path-to-file>".

Last edited by hydraMax; 04-11-2012 at 05:15 PM.
 
Old 04-30-2012, 12:31 AM   #5
Surka
LQ Newbie
 
Registered: Apr 2012
Location: Argentina
Distribution: Slackware
Posts: 14

Original Poster
Rep: Reputation: Disabled
HydraMax,
thanks. I have been playing around, reading information about playing AUDIO CDs. I realized that in fstab I can add the option: user, to let everyone mount the cdrom.
What if I just want user "bob" and root to mount the cdrom?
Also let bob execute programs from that CD.

Thanks!

Last edited by Surka; 04-30-2012 at 12:45 AM.
 
Old 05-01-2012, 12:27 AM   #6
hydraMax
Member
 
Registered: Jul 2010
Location: Skynet
Distribution: Debian + Emacs
Posts: 467
Blog Entries: 60

Rep: Reputation: 51
From the MOUNT(8) manual page:

Code:
       The non-superuser mounts.
              Normally,  only  the superuser can mount filesystems.  However, when fstab contains the
              user option on a line, anybody can mount the corresponding system.

              Thus, given a line

                     /dev/cdrom  /cd  iso9660  ro,user,noauto,unhide

              any user can mount the iso9660 filesystem found on his CDROM using the command

                     mount /dev/cdrom

              or

                     mount /cd

              For more details, see fstab(5).  Only the user that mounted a filesystem can unmount it
              again.   If  any  user should be able to unmount, then use users instead of user in the
              fstab line.  The owner option is similar to the user option, with the restriction  that
              the  user must be the owner of the special file. This may be useful e.g. for /dev/fd if
              a login script makes the console user owner of this device.  The group option is  simi‐
              lar,  with  the  restriction  that  the user must be member of the group of the special
              file.
So, you set this up in fstab, using the group option.
 
Old 05-01-2012, 01:54 AM   #7
Surka
LQ Newbie
 
Registered: Apr 2012
Location: Argentina
Distribution: Slackware
Posts: 14

Original Poster
Rep: Reputation: Disabled
So instead of 'user' (my fstab has 'user' and 'owner' right now) I should put 'bob', right?
 
Old 05-02-2012, 12:56 AM   #8
hydraMax
Member
 
Registered: Jul 2010
Location: Skynet
Distribution: Debian + Emacs
Posts: 467
Blog Entries: 60

Rep: Reputation: 51
Quote:
Originally Posted by Surka
So instead of 'user' (my fstab has 'user' and 'owner' right now) I should put 'bob', right?
No. You should replace 'user' and 'owner' with 'group'. Then find out what group your cdrom device belongs to (usually it is the cdrom group). On my system:

Code:
$ ls -lh /dev/cdrom
lrwxrwxrwx 1 root root 3 Apr  2 17:03 /dev/cdrom -> sr0
$ ls -lh /dev/sr0
brw-rw----+ 1 root cdrom 11, 0 May  1 18:16 /dev/sr0
Then add bob to that group with the command "usermod -a -G cdrom bob".

As I just quoted from the manual page, the 'group' option in fstab allows the device to be mounted by anyone who belongs to the same group to which the device belongs.
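An added example, not part of the original posts: a shell sketch that lists which fstab entries grant non-root mounts and checks whether a given user satisfies them, following the user/users/owner/group rules in the mount(8) excerpt above. The sample fstab, the function names `mount_grants` and `may_mount`, and the users passed to them are assumptions made for illustration; on a real system the device owner and group come from `ls -l` on the resolved device node and the user's groups from `groups`.

```shell
#!/bin/sh
# Added example (not from the thread). SAMPLE_FSTAB is constructed; the
# devices and mount points in it are assumptions.
SAMPLE_FSTAB='# device   mountpoint   type     options
/dev/sda1    /            ext4     defaults               1 1
/dev/cdrom   /cd          iso9660  ro,user,noauto,unhide  0 0
/dev/sr1     /mnt/dvd     udf      ro,group,noauto        0 0
/dev/fd0     /mnt/floppy  vfat     user,owner,noauto      0 0'

# mount_grants: fstab text on stdin -> "mountpoint device grant[,grant...]".
# Only the four options described in the mount(8) excerpt are considered;
# entries with none of them are reported as "root-only".
mount_grants() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
    {
        grants = ""
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^(user|users|owner|group)$/)
                grants = grants (grants == "" ? "" : ",") opt[i]
        print $2, $1, (grants == "" ? "root-only" : grants)
    }'
}

# may_mount GRANTS DEV_OWNER DEV_GROUP USER "USER_GROUPS"
# Returns 0 if a non-root USER satisfies at least one grant.
# DEV_OWNER and DEV_GROUP are what ls -l shows for the real device node
# (follow symlinks such as /dev/cdrom -> sr0 first).
may_mount() {
    grants=$1 dev_owner=$2 dev_group=$3 user=$4 user_groups=$5
    for g in $(printf '%s' "$grants" | tr ',' ' '); do
        case $g in
            user|users) return 0 ;;        # anybody may mount
            owner) [ "$user" = "$dev_owner" ] && return 0 ;;
            group) case " $user_groups " in *" $dev_group "*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# Report the grants found in the constructed sample.
printf '%s\n' "$SAMPLE_FSTAB" | mount_grants
```

The `/mnt/floppy` line mirrors an fstab that still carries `user` next to `owner`: while `user` remains, every account passes the check, which is why both options are replaced by `group` when the mount should be limited to members of the device's group.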
 
  

