LinuxQuestions.org
Old 07-21-2007, 12:11 PM   #1
JosephS
Member
 
Registered: Jun 2007
Distribution: Debian Squeeze, CrunchBang Waldorf
Posts: 514

Rep: Reputation: 38
Question about groups


I've been studying about groups but am still a little confused.

When I run the command
Code:
groups
I get: users floppy audio video cdrom plugdev
When I run
Code:
groups joe
I get: users

What are the differences in these commands?

I don't have my name in the groups for audio, but can play music, etc.
I don't have my name in cdrom, but can mount the cdrom.

Is there some info on what the groups in Slackware are for?

My default group for files and directories is users. Wouldn't this give other users installed on the computer access to my files?
Thanks.

Last edited by JosephS; 07-21-2007 at 01:13 PM.
 
Old 07-21-2007, 12:59 PM   #2
cmk77
Member
 
Registered: May 2006
Location: netherlands
Distribution: slackware, centos, scientificlinux
Posts: 119

Rep: Reputation: 24
see the sticky about hal

Quote:
- do not rely on the output of groups(1) to determine whether a user is in the appropriate group as it pertains to dbus and HAL.
 
Old 07-22-2007, 10:52 PM   #3
ciotog
Member
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware current
Posts: 727
Blog Entries: 2

Rep: Reputation: 43
Access to files, directories and device nodes isn't entirely dependent on groups; there are three levels of access: user, group and all. So if a file has permissions set as 666 (i.e. rw-rw-rw-) then everyone has access to the file, regardless of their user name or group access.

Typically home directories are set 711 (drwx--x--x) so everyone can cd into your /home/user directory but can't do anything inside, not even see a directory listing. They may be able to descend into a subdirectory (if they knew somehow that it existed) and view the contents there, depending on the permissions of that directory, and so on. In other words, there's more to life than just "user" and "group".
 
Old 07-23-2007, 12:53 AM   #4
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 1,913

Rep: Reputation: Disabled
Quote:
Originally Posted by JosephS
I've been studying about groups but am still a little confused.

When I run the command
Code:
groups
I get: users floppy audio video cdrom plugdev
When I run
Code:
groups joe
I get: users

What are the differences in these commands?

Have a look at groups(1), especially the NOTE in there about concurrent group sets.
What you're seeing from running 'groups' with no arguments is the user's *real* group assignments (as defined in /etc/group) plus the supplementary groups added by shadow from /etc/login.defs (see the CONSOLE_GROUPS parameter in that file). Running 'groups joe' returns only the user's real groups defined in /etc/group.
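
The difference described in this post can be checked directly. The script below is an added example, not part of the original posts: it compares the groups the current session holds with a fresh lookup by user name (function names are made up for this illustration, and group names are assumed to contain no spaces).

```shell
#!/bin/sh
# Added example (not from the thread): compare the groups this session
# actually holds with what the group database says for the same user.
# Function names are hypothetical. Assumes group names contain no spaces.

# only_in_first "A-list" "B-list": print words of A that are missing from B
only_in_first() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;                 # present in both lists
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# Groups attached to the running process (what `groups` with no argument shows)
session_groups() { id -Gn; }

# Groups looked up by name in the database (what `groups joe` shows)
database_groups() { id -Gn "$1"; }

group_drift_report() {
    user=$(id -un) || return 0
    sess=$(session_groups)
    db=$(database_groups "$user")
    echo "held by this session only (e.g. added at login):"
    only_in_first "$sess" "$db" | sed 's/^/  /'
    echo "in the database but not in this session (log in again to get them):"
    only_in_first "$db" "$sess" | sed 's/^/  /'
}

group_drift_report
```

An audit that reads only /etc/group misses the first list, and a user removed from a group keeps it in running sessions until they log out.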
 
Old 07-27-2007, 08:15 AM   #5
JosephS
Member
 
Registered: Jun 2007
Distribution: Debian Squeeze, CrunchBang Waldorf
Posts: 514

Original Poster
Rep: Reputation: 38
Quote:
Originally Posted by cmk77
see the sticky about hal
I read the sticky about HAL. From what I read I still need to add my name to these groups because of dbus, but I think I'm using groups now (I have sound, using cdrom...) without my name in /etc/group for them. Am I understanding this correctly?

How do I turn on HAL? I don't think I chose that option when I installed Slackware 12.
 
Old 07-27-2007, 09:00 AM   #6
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331
Forget about HAL and DBUS.

System objects such as files, directories, and devices, are owned by a user account and a user group. User groups are used by the operating system to identify which system objects, such as files and devices, a given user account is or is not allowed to access. You can set access permissions on any given system object to specify what kind of access is allowed for the user account that owns the object and for the user group that owns the object, and for all other user accounts that don't belong to either the user account or user group that owns the object. Therefore, user groups are part of the authentication part of Linux. When used correctly the user groups can help refine which users and groups of users are allowed access to particular system objects.

Example one. Look at the properties of the system device /dev/cdrom.
Code:
ls -l /dev/cdrom
lrwxrwxrwx 1 root root 3 Jul 23 18:58 /dev/cdrom -> hdc
You can see that on my system this is a link to /dev/hdc so look at the properties of the device to which the link points.
Code:
ls -l /dev/hdc
brw-rw---- 1 root cdwriter 22, 0 Jul 23 18:58 /dev/hdc
Here we can see that the device is owned by the user root and by the user group named cdwriter. Notice that the permissions for the group are read and write. This means that any user account that belongs to the cdwriter user group is allowed to read and write to this device. Any account that is not root and is not a member of the cdwriter user group is denied access to this device. This allows you to control who can access this device.

Example two. Look at the permissions on a file in a normal user HOME directory.
Code:
ls -l
-rw------- 1 mary users   15714 Aug 29  2006 test-file.txt
Here we see a file named test-file.txt with its permission properties listed. The permissions for the account that owns the file are read and write. The permission for the user group that owns the file and for all other accounts is no permission. This means that the user account that owns the file can read and write the file. The user group that owns the file is called users. The members of the user group named users have no permission to access the file. The users that aren't user account mary and aren't part of the user group named users also have no permission to access the file.

So we can see that although the file is owned by the user group called users the members of this group still have no permission to do anything with the file.

You can create your own user groups, make whatever user accounts that you want to be members of this group, make any system objects owned by this group, and then set the access permissions for this user group to access the system object. Most of the time the system object will be a file or directory or groups of files and directories.

Example three. Make a work area for people in the Accounting Department.
First make a user group for the members of the Accounting Department. Log on as root to perform all of the commands in this example.
Code:
groupadd accntg
Now add the accntg group to the already existing user accounts for the members of the Accounting Department. Let's say that we already know that these user accounts are mary and jim and that these user accounts are only members of the user group named users. It just makes this example simpler and clearer. We will add the accntg group to the user accounts mary and jim as secondary groups. This will mean that the default group for these accounts is still users but they will also be able to do anything that members of the accntg group can do.
Code:
usermod -G accntg mary
usermod -G accntg jim
Now let's create a directory for them to use to share their work.
Code:
mkdir /home/accntg
Now let's make this new directory owned by the user group named accntg.
Code:
chown root:accntg /home/accntg
You could have used the chgrp command but I like to use chown because you enter both the user account that owns the object and the user group that owns the object. It just reduces the possibility of errors with the ownership.

Now let's set the permission on the /home/accntg directory to be sure that members of the accntg group can read, write, and execute the /home/accntg directory. This is necessary for the users to be able to write and delete files, and to list the files in the directory. Let's also add the sgid bit on the directory. That will mean that all of the files created in the /home/accntg directory will be owned by the accntg user group.
Code:
chmod 2770 /home/accntg
Now list the properties of the accntg directory.
Code:
ls -ld /home/accntg
drwxrws--- 2 root accntg 1024 Jul 27 09:55 /home/accntg
You see the letter "s" in the permission string? That means that the set gid bit is set in the directory permissions. This will cause all of the files that are created in this directory to be owned by the same group that owns the directory. In this case it is the accntg group. Enter the following commands to prove that this is true.
Code:
touch /home/accntg/delete-me.txt

ls -l /home/accntg
total 0
-rw-r----- 1 root accntg 0 Jul 27 09:58 delete-me.txt
Here you can see that the file named /home/accntg/delete-me.txt is owned by the accntg group.

I hope this helps explain how the user groups can be used.

Last edited by stress_junkie; 07-27-2007 at 09:25 AM.
 
Old 07-28-2007, 07:29 PM   #7
Cichlid
Member
 
Registered: Jan 2002
Location: Montreal
Distribution: Ubuntu 8.10
Posts: 178

Rep: Reputation: 30
Stress_junkie you are AWESOME. I have been having issues with permissions for a "common" directory for me and another user to use. I kept having to change the permissions manually so that we can both have read/write access. I read the man for chmod and don't understand where you got the "sgid bit" from. I never had an idea. Where do you guys learn this stuff?

Moderator, please recognize Stress_junkie.

erik
 
Old 07-28-2007, 11:30 PM   #8
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 227
Nice explanation stress_junkie,
I know you skipped over this for simplicity but it may be worth mentioning that the
Code:
usermod -G group user
will remove the user from any existing groups (excluding their default) not listed in that command.

Probably a good idea to check what groups the user should be in and use something like:

Code:
usermod -G group1,group2,newgroup user
 
Old 07-29-2007, 09:57 AM   #9
ciotog
Member
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware current
Posts: 727
Blog Entries: 2

Rep: Reputation: 43
You could use the gpasswd command instead, then you don't need to know which groups a user is in already. For example the following will add mary and jim to the accntg group without altering any other groups:
Code:
#gpasswd -M mary,jim accntg
This will remove anyone else from the group, though. You can add members individually without any side effects with
Code:
#gpasswd -a mary accntg
, and if you have a lot to add use a loop like so:
Code:
#for i in mary jim; do gpasswd -a $i accntg; done

Last edited by ciotog; 07-29-2007 at 10:02 AM.
 
Old 07-30-2007, 07:49 AM   #10
JosephS
Member
 
Registered: Jun 2007
Distribution: Debian Squeeze, CrunchBang Waldorf
Posts: 514

Original Poster
Rep: Reputation: 38
Thanks for everyone's help. I have a better understanding about this now.
 
Old 08-06-2007, 09:48 PM   #11
Cichlid
Member
 
Registered: Jan 2002
Location: Montreal
Distribution: Ubuntu 8.10
Posts: 178

Rep: Reputation: 30
I have misread the explanation. Only discovered it when I was fooling with my directories.
My goal is to find a way where group members can all have read/write/execute permissions in a particular directory. stress_junkie pointed me in the right direction. However, I failed to notice that when a user creates a file, only that user has read/write permission. I'm looking to share all permissions for specified users.

Is there a way to do that automatically when files/directories are created?

Thank you All.
 
Old 08-06-2007, 11:07 PM   #12
ciotog
Member
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware current
Posts: 727
Blog Entries: 2

Rep: Reputation: 43
You can change the "umask" line in /etc/profile so that all new files/directories have the inverse permissions (in other words the bits following umask are cleared). So for instance "umask 0022" means that the write bits for all and group are cleared, so a newly created file would have the permissions set as -rw-r--r-- (files are not typically created executable), and newly created directories would be drwxr-xr-x. "umask 0002" would be -rw-rw-r-- and drwxrwxr-x and so on.

Instead of "umask 0002" you could write "umask a=rx,ug+w" which means all users have read and execute permissions (execute where applicable), and user and group level would have write permission.

I'm not sure if it's possible to set it up so that if you're in one directory one umask is used, and if you're somewhere else another umask is used. Generally 0002 is a reasonable compromise between security and accessibility, but you may want to have each user use their own username as their default group so that people can't snoop in others' home directories.

Last edited by ciotog; 08-06-2007 at 11:09 PM. Reason: mixed up examples
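
How the setgid directory from post #6 and the umask values from post #12 combine can be reproduced without root. The script below is an added example, not code from any poster: it creates files under several umasks inside a setgid directory and reports the resulting modes and owning group. It assumes GNU stat, uses a temporary directory and one of the caller's own groups in place of /home/accntg and accntg, and its function names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Unprivileged stand-in for the
# /home/accntg setup: a temp directory and one of the caller's own groups.
# Function names are hypothetical; `stat -c` is the GNU coreutils form.

mode_of()  { stat -c '%a' "$1"; }   # octal permission bits, e.g. 2770
group_of() { stat -c '%g' "$1"; }   # numeric owning group

# make_share: create a setgid, group-only directory and print its path
make_share() {
    dir=$(mktemp -d) || return 1
    for gid in $(id -G); do last=$gid; done
    # Prefer a supplementary group so inheritance is visible; keep the
    # current group if chgrp is refused.
    chgrp "$last" "$dir" 2>/dev/null || true
    chmod 2770 "$dir"               # rwxrws---, as in the thread
    printf '%s\n' "$dir"
}

# new_file_mode UMASK DIR: mode of a file created in DIR under UMASK.
# The subshell keeps the umask change from leaking into the caller.
new_file_mode() {
    ( umask "$1"; : > "$2/file-$1"; mode_of "$2/file-$1" )
}

# new_dir_mode UMASK DIR: same for a subdirectory (inherits the setgid bit)
new_dir_mode() {
    ( umask "$1"; mkdir "$2/dir-$1"; mode_of "$2/dir-$1" )
}

share_demo() {
    share=$(make_share) || return 1
    echo "share: mode $(mode_of "$share") gid $(group_of "$share")"
    for mask in 0022 0002 0007; do
        echo "umask $mask: file $(new_file_mode "$mask" "$share")" \
             "dir $(new_dir_mode "$mask" "$share")" \
             "gid $(group_of "$share/file-$mask")"
    done
    rm -rf "$share"
}

share_demo
```

The setgid bit only fixes the owning group; whether the group can write is decided by the umask of the process that creates the file.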
 
  


All times are GMT -5.