LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 10-17-2012, 02:28 AM   #1
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Rep: Reputation: 2
/etc/group interpretation


What does it mean to have a '*' as the second field (with ':' delimiter) for a group record in /etc/group? There is also a user name with the same name as that group, being a member of it, also of group users. Exemple:

[...]
console:x:101:
razvan:*:1000:
dovecot:x:202:
dovenull:x:203:
[...]

Thanks anticipated!
 
Old 10-17-2012, 02:43 AM   #2
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371
Too my knowledge the x and * represent the same thing (although * is seen less often).

Last edited by druuna; 10-17-2012 at 02:46 AM. Reason: Fixed typo
 
1 members found this post helpful.
Old 10-17-2012, 02:55 AM   #3
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371
Did some further digging and came up with this from the gshadow man page:
Quote:
If the password field contains some string that is not a valid
result of crypt(3), for instance ! or *, users will not be able to
use a unix password to access the group (but group members do not
need the password).
The x can also be included in the above quote.
 
1 members found this post helpful.
Old 10-17-2012, 03:32 AM   #4
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Ok, thanks, but what does really mean by "to access the group"? Maybe some example...
 
Old 10-17-2012, 04:07 AM   #5
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371
This deals with adding a password to a group. I haven't come across this in real life in all the years I've been using Unix/Linux.

Have a look at these:
- A group password in Linux
- Managing Group Access
 
Old 10-17-2012, 04:25 AM   #6
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Thanks, i was just quite curious and intrigued about that mysterious star.
 
Old 10-17-2012, 07:13 AM   #7
GazL
Senior Member
 
Registered: May 2008
Posts: 3,330

Rep: Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884
I have one group to which I've assigned a password. It's handy for when you want your user to be able to write to certain directories only when you explicitly allow it by logging into a group that you're not normally a member of.


As for the field in question.
In /etc/passwd, or /etc/group 'x' normally signifies that shadow files are being used and the real entry is in /etc/shadow, /etc/gshadow.

Within the shadow files

x signifies that you can't login with a password
* as above but also signifies that the user or group is a 'system' group (i.e. one that is necessary for correct system operation and shouldn't be removed)
! signifies that an account/group has been locked (it is usually followed by the password hash.

In practice there is little difference between 'x' and '*', it's just documentary.

BTW, for some reason slackware's /etc/gshadow file is missing the standard groups You can fix this by running the grpck command as root (though this will tag all the groups as 'x' rather than '*')
 
2 members found this post helpful.
Old 10-17-2012, 07:58 AM   #8
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Very interesting and complete explanations, thanks very much. Still the question that comes into my mind is: why is that group marked as system group, maybe because it was the first user group created, when creating first normal user, which has the same name as that group name, with User Manager (kuser)?
 
Old 10-17-2012, 09:18 AM   #9
GazL
Senior Member
 
Registered: May 2008
Posts: 3,330

Rep: Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884
IMO All GUI admin tools should be stamped with "Here be DRAGONS!"

Best to avoid them and use the native tools: in this case useradd (or adduser for an easy life), groupadd, etc.
 
2 members found this post helpful.
Old 10-17-2012, 09:33 AM   #10
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
i know, that was inherited from a more beginner level of SW user/admin.
 
Old 10-17-2012, 10:54 PM   #11
TracyTiger
Member
 
Registered: Apr 2011
Location: California, USA
Distribution: Slackware
Posts: 258

Rep: Reputation: 59
Quote:
Originally Posted by druuna View Post
This deals with adding a password to a group. I haven't come across this in real life in all the years I've been using Unix/Linux.
I looked at the group man page to see how Linux may vary from UNIX regarding this file. I don't want to promote sloppy system administration practices but I found the comment in the group man page interesting.

Quote:
BUGS
As the 4.2BSD initgroups(3) man page says: No-one seems to keep /etc/group up-to-date.
Like GaZL I've found occasions (in a previous life) to set a group password. It appears to be a dying and forgotten practice.
 
Old 10-18-2012, 12:50 AM   #12
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371
Quote:
Originally Posted by Tracy Tiger View Post
I looked at the group man page to see how Linux may vary from UNIX regarding this file. I don't want to promote sloppy system administration practices but I found the comment in the group man page interesting.
Which comment? If you are talking about the password field being empty: Remember that the shadow suite is being used as well.

Quote:
Like GaZL I've found occasions (in a previous life) to set a group password. It appears to be a dying and forgotten practice.
As mentioned in one of the links I posted previously:
Quote:
Some of the disadvantages are:
Sharing a password is not good; a password should be personal.
You can also solve this by adding the user to a secondary group.
Another way to solve it is to use sudo.
Usage of the group password is not accountable.
I'm guessing that this feature was introduced in a time that people were more trustworthy Better and more secure solutions are present/needed in this day and age.....
 
Old 10-18-2012, 05:07 AM   #13
TracyTiger
Member
 
Registered: Apr 2011
Location: California, USA
Distribution: Slackware
Posts: 258

Rep: Reputation: 59
Quote:
Originally Posted by druuna View Post
Which comment?
Hi druuna.

In my post I included the quoted "comment" I was referring to.

Perhaps "comment" was the wrong choice of words in my post. But when someone uses a phrase such as "No-one seems ..." I think of that more as a comment than a technical specification. Now, to be more precise, In my post I was referring to the "text" found in section 5 of the man pages for GROUP (the general topic of this thread). I quoted the text found in the BUGS section of that man page. Please type "man group" in a terminal on Slack64-14.0 with the proper path set up to see common man pages and you'll see it there. I don't know how else to explain what I thought was simply an interesting observation that I hadn't noticed before.

I was trying to reinforce your statement (that I quoted in my previous post) about your not needing the group password feature by my noting the lack of attention to even the maintenance the group file as mentioned in the man page reference. Based on your question I must not have done a very good job of communicating my thoughts in my previous post.

My simple previous post is not worth all the text I just now typed trying to explain it.

Quote:
Originally Posted by druuna View Post
Sharing a password is not good; a password should be personal.
One can argue the point of what constitutes good security and whether "groups" are the proper way to implement a particular security requirement, but the author of the link you quoted may be missing the full picture of how groups are/were used in *NIX systems. A "group" has a shared responsibility/authority among its members.

Quote:
Originally Posted by druuna View Post
As mentioned in one of the links I posted previously: I'm guessing that this feature was introduced in a time that people were more trustworthy Better and more secure solutions are present/needed in this day and age.....
I look at group membership and group passwords as just another option for controlling access, along with custom programs, multiple login accounts, and in more modern times, ACLs and sudo. You still have to know the password to change to password protected groups (unless Linux works differently) so it's not a completely trusting option. A group password can protect the system from an authorized user making mistakes or running an unknowingly destructive program, by not giving that authorized user the proper permissions unless needed for the operation. Similar to how sudo is used by many today. I got the impression that this principle of least privilege is the purpose to which GazL applies group passwords.

Group passwords are just a (now apparently forgotten) option, not a panacea.
 
1 members found this post helpful.
Old 10-18-2012, 05:53 AM   #14
GazL
Senior Member
 
Registered: May 2008
Posts: 3,330

Rep: Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884
My use of group passwords is in order to follow the principle of least-privilege. I am the only one who will know the group's password, there will be no sharing and as such the auditing and accountability issues are not relevant. Use of a permanent secondary group would not achieve what I'm after (a temporary raise in privilege).

I'll have to look into 'sudo -g' and see if that would be an alternative approach but as auditing isn't a consideration for me there is little to be gained by complicating things.


Group passwords should not be avoided simply because dogma says they're bad. If they fit the situation and their weaknesses aren't relevant then I see no problem with using them.

edit:
@Tracy, Sorry I hadn't read your post before replying, looks like you understand me well.

Last edited by GazL; 10-18-2012 at 06:00 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] ls output interpretation JJJCR Linux - Newbie 4 10-10-2011 02:17 AM
tcpdump interpretation mcburton3 Linux - Server 4 04-24-2011 09:45 PM
netstat interpretation twlilinux Linux - Server 6 06-17-2008 04:59 PM
c: output interpretation kpachopoulos Programming 3 08-17-2006 09:34 AM
tcpdump interpretation unixbrain Linux - Networking 7 04-28-2004 04:37 AM


All times are GMT -5. The time now is 10:37 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration