Slackware
This Forum is for the discussion of Slackware Linux.
So I just recently installed fresh 13.37 over my 13.1 install. Went multilib, and added myself to the usergroups I thought I might need. But truth is, I don't know what half of these are and I just picked the ones that sounded right.
I'm the only user on this computer, although I might possibly maybe add another someone if I have to for some reason.
For my user account, I added myself to:
Code:
bin
disk
mem
kmem
wheel
floppy
mail
news
uucp
man
dialout
audio
video
cdrom
games
mysql
sshd
gdm
shadow
ftp
messagebus
haldaemon
plugdev
power
netdev
scanner
users
console
kismet
vboxusers
Basically, I want my own account to be able to do everything I normally do without too much restriction (use the disc drive, mount harddrives, browse the web, read/send email via Thunderbird, download stuff, etc), but leaving the important stuff to root so that if someone else happens to use the computer under my account, they can't do any damage. Did I select the right groups for this? Should I add or remove any?
And what groups should a user have if I just want them able to browse the web, download files, use their /home, run non-root apps, and nothing else?
Quote:
Basically, I want my own account to be able to do everything I normally do without too much restriction (use the disc drive, mount harddrives, browse the web, read/send email via Thunderbird, download stuff, etc), but leaving the important stuff to root so that if someone else happens to use the computer under my account, they can't do any damage. Did I select the right groups for this? Should I add or remove any?
You have too many (IMO).
The groups...
Code:
users audio video cdrom plugdev power
...will allow you to do just about anything.
If you want to give yourself sudo access to all commands, you can add the wheel group to the above list. However, you'll have to edit the /etc/sudoers file and uncomment some lines to turn that on. The comments in the file tell you which lines you would choose.
Quote:
And what groups should a user have if I just want them able to browse the web, download files, use their /home, run non-root apps, and nothing else?
This is a question that has been bothering me for a while too. A few groups are specified in the documentation that comes with Slackware, but the rest just seem like it would be a good idea to belong.
There has to be a way to trace where each group comes from and what the functional and security implications are for belonging to a group.
The groups Richard Cranium listed pretty much cover the bases. Frankly, many of the groups listed in the OP, it's dangerous and/or insecure to add a regular user to.
The vast majority of those groups exist for the sole purpose of having non-privileged accounts for various daemons to drop to after starting. There is absolutely no reason for a normal user (even one that can do pretty much anything) to belong to those.
Quote:
Basically, I want my own account to be able to do everything I normally do without too much restriction (use the disc drive, mount harddrives, browse the web, read/send email via Thunderbird, download stuff, etc), but leaving the important stuff to root so that if someone else happens to use the computer under my account, they can't do any damage. Did I select the right groups for this? Should I add or remove any?
Way too many groups. None of my user accounts are members of the following groups:
bin mem kmem mail news uucp man dialout games mysql sshd gdm shadow ftp messagebus haldaemon netdev console kismet
Quote:
And what groups should a user have if I just want them able to browse the web, download files, use their /home, run non-root apps, and nothing else?
Some examples:
My primary user account is a member of the following groups:
$USER disk wheel floppy audio video cdrom plugdev power scanner users vboxusers compilers media
The last two groups are related only to my LAN and are not stock Slackware groups. The compilers group is for maintaining my package building environment. The media group is for maintaining shared media files. For example, anybody who is a member of the users group has read access to my shared media files but only a member of the media group can modify tags; add, delete, and edit files; etc.
Most of the remaining accounts in my LAN are members of the following groups:
$USER disk floppy audio video cdrom plugdev scanner users
I have some special accounts that serve restricted purposes and are not members of the users group. For example, I have a special kiosk account that is a member of only the following groups:
$USER audio video plugdev power
I created the kiosk account with the intention of allowing house guests to use my computers for web browsing but prevent them from snooping around the computers and LAN. The limited groups and specially configured desktop prevent snooping. For example, the kiosk account can download files and insert a USB flash drive but with no file manager availability or desktop icons the guest user needs my help to move the file to the USB device. In other words I will know if a p0rn video was downloaded (and my kiosk login message warns the user of this).
On my home theater PC my primary login account is a member of the following groups:
$USER disk floppy audio video cdrom plugdev power
Like the kiosk account, the desktop is specially configured to restrict traditional desktop computer usage.
Of course, appropriate directory and file permissions are needed to complement the various group assignments.
Do know there is a 16 group "threshold." Exceeding that number of groups will not stop the world from spinning but will result in a nagging message during logins.
Quote:
There has to be a way to trace where each group comes from and what the functional and security implications are for belonging to a group.
Sounds like a project for somebody. Would be handy information for the LQ wiki or Slackbook.
Most of those types of groups are for daemons and services, not users.
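As an added example (not part of any post in this thread), the audit the replies describe can be scripted: list the groups an account is in, flag the ones the reply above keeps its user accounts out of, and list what a group owns to see what membership grants. The accounts `alice` and `guest`, the sample group file, and all function names are constructed for illustration; only the `DAEMON_GROUPS` list is taken from the thread.

```shell
#!/bin/sh
# Added example: audit supplementary group memberships against the groups
# one reply in this thread keeps all of its user accounts out of.
DAEMON_GROUPS="bin mem kmem mail news uucp man dialout games mysql sshd gdm shadow ftp messagebus haldaemon netdev console kismet"

# Constructed sample in /etc/group format (name:password:gid:members).
SAMPLE_GROUP_FILE='root:x:0:root
bin:x:1:root,bin,alice
disk:x:6:root,adm,alice
kmem:x:9:alice
wheel:x:10:root,alice
audio:x:17:root,alice,guest
video:x:18:root,alice,guest
shadow:x:43:alice
plugdev:x:83:alice,guest
power:x:84:alice,guest
users:x:100:alice'

# groups_of USER [FILE]: print the groups listing USER as a member, space
# separated, in file order. Reads FILE or, without one, the sample above.
groups_of() {
    user=$1
    if [ -n "${2:-}" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_GROUP_FILE"; fi |
    awk -F: -v u="$user" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] == u) { out = out (out == "" ? "" : " ") $1; break } }
        END { print out }'
}

# flagged_groups USER [FILE]: the subset of USER's groups on DAEMON_GROUPS.
flagged_groups() {
    hits=""
    for g in $(groups_of "$@"); do
        case " $DAEMON_GROUPS " in
            *" $g "*) hits="${hits:+$hits }$g" ;;
        esac
    done
    printf '%s\n' "$hits"
}

# group_paths GROUP [ROOT]: list what GROUP owns under ROOT, i.e. what
# membership can reach (subject to each path's group permission bits).
group_paths() {
    find "${2:-/}" -xdev -group "$1" 2>/dev/null
}

for u in alice guest; do
    printf '%s: groups=[%s] flagged=[%s]\n' "$u" "$(groups_of "$u")" "$(flagged_groups "$u")"
done
```

On a real system, `flagged_groups "$USER" /etc/group` checks the live file; it covers only the supplementary memberships listed there, not the primary group recorded in /etc/passwd.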