SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
What does it mean to have a '*' as the second field (with ':' delimiter) for a group record in /etc/group? There is also a user name with the same name as that group, being a member of it, also of group users. Exemple:
Did some further digging and came up with this from the gshadow man page:
Quote:
If the password field contains some string that is not a valid
result of crypt(3), for instance ! or *, users will not be able to
use a unix password to access the group (but group members do not
need the password).
I have one group to which I've assigned a password. It's handy for when you want your user to be able to write to certain directories only when you explicitly allow it by logging into a group that you're not normally a member of.
As for the field in question.
In /etc/passwd, or /etc/group 'x' normally signifies that shadow files are being used and the real entry is in /etc/shadow, /etc/gshadow.
Within the shadow files
x signifies that you can't login with a password
* as above but also signifies that the user or group is a 'system' group (i.e. one that is necessary for correct system operation and shouldn't be removed)
! signifies that an account/group has been locked (it is usually followed by the password hash.
In practice there is little difference between 'x' and '*', it's just documentary.
BTW, for some reason slackware's /etc/gshadow file is missing the standard groups You can fix this by running the grpck command as root (though this will tag all the groups as 'x' rather than '*')
Very interesting and complete explanations, thanks very much. Still the question that comes into my mind is: why is that group marked as system group, maybe because it was the first user group created, when creating first normal user, which has the same name as that group name, with User Manager (kuser)?
This deals with adding a password to a group. I haven't come across this in real life in all the years I've been using Unix/Linux.
I looked at the group man page to see how Linux may vary from UNIX regarding this file. I don't want to promote sloppy system administration practices but I found the comment in the group man page interesting.
Quote:
BUGS
As the 4.2BSD initgroups(3) man page says: No-one seems to keep /etc/group up-to-date.
Like GaZL I've found occasions (in a previous life) to set a group password. It appears to be a dying and forgotten practice.
I looked at the group man page to see how Linux may vary from UNIX regarding this file. I don't want to promote sloppy system administration practices but I found the comment in the group man page interesting.
Which comment? If you are talking about the password field being empty: Remember that the shadow suite is being used as well.
Quote:
Like GaZL I've found occasions (in a previous life) to set a group password. It appears to be a dying and forgotten practice.
As mentioned in one of the links I posted previously:
Quote:
Some of the disadvantages are:
Sharing a password is not good; a password should be personal.
You can also solve this by adding the user to a secondary group.
Another way to solve it is to use sudo.
Usage of the group password is not accountable.
I'm guessing that this feature was introduced in a time that people were more trustworthy Better and more secure solutions are present/needed in this day and age.....
In my post I included the quoted "comment" I was referring to.
Perhaps "comment" was the wrong choice of words in my post. But when someone uses a phrase such as "No-one seems ..." I think of that more as a comment than a technical specification. Now, to be more precise, In my post I was referring to the "text" found in section 5 of the man pages for GROUP (the general topic of this thread). I quoted the text found in the BUGS section of that man page. Please type "man group" in a terminal on Slack64-14.0 with the proper path set up to see common man pages and you'll see it there. I don't know how else to explain what I thought was simply an interesting observation that I hadn't noticed before.
I was trying to reinforce your statement (that I quoted in my previous post) about your not needing the group password feature by my noting the lack of attention to even the maintenance the group file as mentioned in the man page reference. Based on your question I must not have done a very good job of communicating my thoughts in my previous post.
My simple previous post is not worth all the text I just now typed trying to explain it.
Quote:
Originally Posted by druuna
Sharing a password is not good; a password should be personal.
One can argue the point of what constitutes good security and whether "groups" are the proper way to implement a particular security requirement, but the author of the link you quoted may be missing the full picture of how groups are/were used in *NIX systems. A "group" has a shared responsibility/authority among its members.
Quote:
Originally Posted by druuna
As mentioned in one of the links I posted previously: I'm guessing that this feature was introduced in a time that people were more trustworthy Better and more secure solutions are present/needed in this day and age.....
I look at group membership and group passwords as just another option for controlling access, along with custom programs, multiple login accounts, and in more modern times, ACLs and sudo. You still have to know the password to change to password protected groups (unless Linux works differently) so it's not a completely trusting option. A group password can protect the system from an authorized user making mistakes or running an unknowingly destructive program, by not giving that authorized user the proper permissions unless needed for the operation. Similar to how sudo is used by many today. I got the impression that this principle of least privilege is the purpose to which GazL applies group passwords.
Group passwords are just a (now apparently forgotten) option, not a panacea.
My use of group passwords is in order to follow the principle of least-privilege. I am the only one who will know the group's password, there will be no sharing and as such the auditing and accountability issues are not relevant. Use of a permanent secondary group would not achieve what I'm after (a temporary raise in privilege).
I'll have to look into 'sudo -g' and see if that would be an alternative approach but as auditing isn't a consideration for me there is little to be gained by complicating things.
Group passwords should not be avoided simply because dogma says they're bad. If they fit the situation and their weaknesses aren't relevant then I see no problem with using them.
edit:
@Tracy, Sorry I hadn't read your post before replying, looks like you understand me well.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.