Managing Groups | Red Hat Fedora 5 Unleashed

Groups can make managing users a lot easier. Rather than having to assign individual permissions to every user, you can use groups to grant or revoke permissions to a large number of users quickly and easily. Setting group permissions allows you to set up workspaces for collaborative working and also to control what devices can be used, such as external drives or DVD writers. This approach also represents a secure method of limiting access to system resources to only those users who need them. As an example, the sysadmin could put the users andrew, paul, damon, bernice, mark, and shelley in a new group named unleashed. Those users could each create files intended for their group work and chgrp those files to unleashed.

Now, everyone in the unleashed groupbut no one else except rootcan work with those files. The sysadmin would probably create a directory owned by that group so its members could have an easily accessed place to store those files. The sysadmin could also add other users like bernice and ildiko to the group and remove existing users when their part of the work is done. The sysadmin could make the user andrew the group administrator so that andrew could decide how group membership should be changed. You could also put restrictions on the DVD writer so that only andrew could burn DVDs, thus protecting sensitive material from falling into the wrong hands.

Different UNIX operating systems implement the group concept in various ways. Fedora uses a scheme called UPG, the User Private Group, in which all users are assigned to a group with their own name by default. (The user's username and group name are identical.) All the groups are listed in /etc/group file. Here is a partial list of a sample /etc/group file:

# cat /etc/group root:x:0:root bin:x:1:root,bin,daemon daemon:x:2:root,bin,daemon sys:x:3:root,bin,adm adm:x:4:root,adm,daemon tty:x:5: disk:x:6:root lp:x:7:daemon,lp mem:x:8: kmem:x:9: wheel:x:10:root mail:x:12:mail,postfix news:x:13:news uucp:x:14:uucp man:x:15: games:x:20: gopher:x:30: dip:x:40: ftp:x:50: lock:x:54: nobody:x:99: users:x:100: dbus:x:81: floppy:x:19: vcsa:x:69: nscd:x:28: rpm:x:37: haldaemon:x:68: utmp:x:22: netdump:x:34: slocate:x:21: sshd:x:74: rpc:x:32: rpcuser:x:29: nfsnobody:x:65534: mailnull:x:47: smmsp:x:51: pcap:x:77: apache:x:48: xfs:x:43: ntp:x:38: gdm:x:42: named:x:25: dovecot:x:97: postdrop:x:90: postfix:x:89: andrew:x:500:

In this example, there are a number of groups, mostly for services (mail, ssh, and so on) and devices (floppy, disk, and so on). As previously mentioned, the system services groups enable those services to have ownership and control of their files. For example, adding postfix to the mail group, as shown previously, enables the postfix application to access mail's files in the manner that mail would decide for group access to its file. Adding a regular user to a device's group permits the regular user to use the device with permissions granted by the group owner. Adding user andrew to the group floppy, for example, would allow andrew to use the floppy drive device. You will learn how to add and remove users from groups in the next section.

Group Management Tools

Fedora provides several command-line tools for managing groups as well as graphical tools. Many experienced sysadmins prefer the command-line tools because they are quick and easy to use and they can be included in scripts if the sysadmin desires to script a repetitive task. Here are the most commonly used group management command-line tools:

groupadd This command creates and adds a new group.
groupdel This command removes an existing group.
groupmod This command creates a group name or GIDs, but doesn't add or delete members from a group.
gpasswd This command creates a group password. Every group can have a group password and an administrator. Use the -A argument to assign a user as group administrator.
useradd -G The -G argument adds a user to a group during the initial user creation. (More arguments are used to create a user.)
usermod -G This command allows you to add a user to a group as long as the user is not logged in at the time.
grpck A command for checking the /etc/group file for typos.

As an example, there is a DVD-RW device (/dev/scd0) on our computer that the sysadmin wants a regular user named shelley to have access to. To grant shelley that access, we would use these steps:

1.	Add a new group with the `groupadd` command: # groupadd dvdrw
2.	Change the group ownership of the device to the new group with the `chgrp` command: # chgrp dvdrw /dev/scd0
3.	Add the approved user to the group with the `usermod` command: # usermod -G dvdrw shelley
4.	Make user `shelley` the group administrator with the `gpasswd` command so that she can add new users to the group: # gpasswd -A shelley

Now, the user shelley has permission to use the DVD-RW drive, as would anyone else added to the group by the super-user or shelley because she is now also the group administrator and can add users to the group.

The sysadmin can also use the graphical interface that Fedora provides, as shown in Figure 14.1. It is accessed as the Users and Groups item from the Administration menu item.

Figure 14.1. Just check the box to add a user to a group.

You will note that the full set of group commands and options are not available from the graphical interface, limiting the usefulness of the GUI to a subset of the most frequently used commands. You learn more about using the Fedora User Manager GUI in the next section of this chapter.