Creating and Using Linux Groups
User accounts are great for controlling security for individual users, but they aren’t so good at allowing groups of users to share resources. To accomplish this, the Linux system uses another security concept, called groups.
Group permissions allow multiple users to share a common set of permissions for an object on the system, such as a file, directory, or device (more on that later in the “Decoding File Permissions” section).
Linux distributions differ somewhat on how they handle default group memberships. Some Linux distributions create just one group that contains all the user accounts as members. You need to be careful if your Linux distribution does this, because your files may be readable by all other users on the system. Other distributions create a separate group account for each user to provide a little more security.
Each group has a unique GID, which, like UIDs, is a unique numerical value on the system. Along with the GID, each group has a unique group name. You can use some group utilities to create and manage your own groups on the Linux system. This section discusses how group information is stored and how to use the group utilities to create new groups and modify existing groups.
The /etc/group file
Just like user accounts, group information is stored in a file on the system. The /etc/group file contains information about each group used on the system. These are examples from a typical /etc/group file on a Linux system:
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
rich:x:500:
mama:x:501:
katie:x:502:
jessica:x:503:
mysql:x:27:
test:x:504:
Like UIDs, GIDs are assigned using a special format. Groups used for system accounts are assigned GIDs below 500, and user groups are assigned GIDs starting at 500. The /etc/group file uses four fields:
- The group name
- The group password
- The GID
- The list of user accounts that belong to the group
The group password allows a non-group member to temporarily become a member of the group by using the password. This feature is not used all that commonly, but it does exist.
You should never add users to groups by editing the /etc/group file. Instead, use the usermod command (discussed earlier in the “Linux Security” section) to add a user account to a group. Before you can add users to different groups, you must create the groups.
Note
The list of user accounts is somewhat misleading. You’ll notice that there are several groups in the list that don’t have any users listed. This isn’t because they don’t have any members. When a user account uses a group as the default group in the /etc/passwd file, the user account doesn’t appear in the /etc/group file as a member. This has caused confusion for more than one system administrator over the years!
Creating new groups
The groupadd command allows you to create new groups on your system:
# /usr/sbin/groupadd shared
# tail /etc/group
haldaemon:x:68:
xfs:x:43:
gdm:x:42:
rich:x:500:
mama:x:501:
katie:x:502:
jessica:x:503:
mysql:x:27:
test:x:504:
shared:x:505:
#
When you create a new group, no users are assigned to it by default. The groupadd command doesn’t provide an option for adding user accounts to the group. Instead, to add new users, use the usermod command:
# /usr/sbin/usermod -G shared rich
# /usr/sbin/usermod -G shared test
# tail /etc/group
haldaemon:x:68:
xfs:x:43:
gdm:x:42:
rich:x:500:
mama:x:501:
katie:x:502:
jessica:x:503:
mysql:x:27:
test:x:504:
shared:x:505:rich,test
#
The shared group now has two members, test and rich. The -G parameter in usermod appends the new group to the list of groups for the user account.
Note
If you change the user groups for an account that is currently logged into the system, the user must log out and then log back in for the group changes to take effect.
Caution
Be careful when assigning groups for user accounts. If you use the -g parameter, the group name you specify replaces the default group for the user account. The -G parameter adds the group to the list of groups the user belongs to, keeping the default group intact.
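As an added example (not from the original text), here is a small Python audit script for the /etc/group format and the Note above: it parses the four fields, folds in primary-group membership from /etc/passwd, and flags any group whose password field holds a hash directly in world-readable /etc/group. The file contents are constructed samples and the function names are mine, not part of any standard tool.

```python
# Added example, not from the original text: parse the four-field /etc/group
# format and compute *effective* membership, which also needs the primary GID
# from /etc/passwd because a user's default group never lists that user in
# /etc/group. Both sample files below are constructed to match the section.

GROUP_SAMPLE = """\
root:x:0:root
adm:x:4:root,adm,daemon
rich:x:500:
test:x:504:
shared:x:505:rich,test
legacy:$1$constructed$hash:506:
"""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
rich:x:500:500::/home/rich:/bin/bash
test:x:504:504::/home/test:/bin/bash
katie:x:502:505::/home/katie:/bin/bash
"""


def parse_group(text):
    """Return {group_name: (gid, password_field, [explicitly listed members])}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        # Fields: name, password, GID, comma-separated member list (may be empty).
        name, password, gid, members = line.split(":", 3)
        groups[name] = (int(gid), password, [m for m in members.split(",") if m])
    return groups


def primary_gids(text):
    """Return {user: primary_gid}; the GID is the fourth field of /etc/passwd."""
    rows = (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))
    return {f[0]: int(f[3]) for f in rows}


def effective_members(groups, passwd):
    """Explicit members plus every user whose primary GID equals the group's GID."""
    return {
        name: sorted(set(explicit) | {u for u, g in passwd.items() if g == gid})
        for name, (gid, _pw, explicit) in groups.items()
    }


def groups_with_inline_password(groups):
    """Groups whose password field is a hash kept in /etc/group itself rather
    than 'x' (shadowed in /etc/gshadow) or an empty/locked marker."""
    return sorted(n for n, (_g, pw, _m) in groups.items() if pw not in ("x", "", "!", "*"))
```

On current shadow-utils, `usermod -G` without `-a` replaces the user's supplementary group list rather than appending, so compare `id -nG user` before and after the change and use `usermod -aG group user` when the intent is to add.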
As you can see from the /etc/group file, you don’t need to modify much information about a group. The groupmod command allows you to change the GID (using the -g parameter) or the group name (using the -n parameter) of an existing group:
# /usr/sbin/groupmod -n sharing shared
# tail /etc/group
haldaemon:x:68:
xfs:x:43:
gdm:x:42:
rich:x:500:
mama:x:501:
katie:x:502:
jessica:x:503:
mysql:x:27:
test:x:504:
sharing:x:505:test,rich
#
When changing the name of a group, the GID and group members remain the same; only the group name changes. Because all security permissions are based on the GID, you can change the name of a group as often as you wish without adversely affecting file security.