Managing Groups

Groups can make managing users a lot easier. Instead of having to assign individual permissions to every user, you can use groups to grant or revoke permissions to a large number of users quickly and easily. Setting group permissions allows you to set up workspaces for collaborative working and to control what devices can be used, such as external drives or DVD writers. This approach also represents a secure method of limiting access to system resources to only those users who need them. As an example, the sysadmin could put the users andrew, paul, damon, bernice, mark, and shelley in a new group named unleashed. Those users could each create files intended for their group work and chgrp those files to unleashed.

Now, everyone in the unleashed groupbut no one else except rootcan work with those files. The sysadmin would probably create a directory owned by that group so that its members could have an easily accessed place to store those files. The sysadmin could also add other users such as bernice and ildiko to the group and remove existing users when their part of the work is done. The sysadmin could make the user andrew the group administrator so that andrew could decide how group membership should be changed. You could also put restrictions on the DVD writer so that only andrew could burn DVDs, thus protecting sensitive material from falling into the wrong hands.

Different UNIX operating systems implement the group concept in various ways. Ubuntu uses a scheme called UPG, the user private group, in which all users are assigned to a group with their own name by default. (The user's username and group name are identical.) All the groups are listed in /etc/group file.

Here is a partial list of a sample /etc/group file:

$ sudo cat /etc/group root:x:0: daemon:x:1: bin:x:2: sys:x:3: adm:x:4:andrew tty:x:5: disk:x:6: lp:x:7:cupsys mail:x:8: news:x:9: uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20:cupsys,andrew fax:x:21: voice:x:22: cdrom:x:24:haldaemon,andrew floppy:x:25:haldaemon,andrew tape:x:26: sudo:x:27: audio:x:29:andrew dip:x:30:andrew www-data:x:33: backup:x:34: operator:x:37: list:x:38: irc:x:39: src:x:40: gnats:x:41: shadow:x:42: utmp:x:43: video:x:44:andrew sasl:x:45: plugdev:x:46:haldaemon,andrew staff:x:50: games:x:60: users:x:100: nogroup:x:65534: dhcp:x:101: syslog:x:102: klog:x:103: crontab:x:104: ssh:x:105: lpadmin:x:106:andrew messagebus:x:107: haldaemon:x:108: slocate:x:109: scanner:x:110:cupsys,andrew gdm:x:111: andrew:x:1000: admin:x:112:andrew 

This example contains a number of groups, mostly for services (mail, news, and so on) and devices (floppy, disk, and so on). As previously mentioned, the system services groups enable those services to have ownership and control of their files. For example, adding postfix to the mail group, as shown previously, enables the postfix application to access mail's files in the manner that mail would decide for group access to its file. Adding a regular user to a device's group permits the regular user to use the device with permissions granted by the group owner. Adding user andrew to the group floppy, for example, would allow andrew to use the floppy drive device. You learn how to add and remove users from groups in the next section.

Group Management Tools

Ubuntu provides several command-line tools for managing groups, but also provides graphical tools for such. Many experienced sysadmins prefer the command-line tools because they are quick and easy to use and can be included in scripts if the sysadmin desires to script a repetitive task.

Here are the most commonly used group management command-line tools:

groupadd This command creates and adds a new group.

groupdel This command removes an existing group.

groupmod This command creates a group name or GIDs but doesn't add or delete members from a group.

gpasswd This command creates a group password. Every group can have a group password and an administrator. Use the -A argument to assign a user as group administrator.

useradd -G The -G argument adds a user to a group during the initial user creation. (More arguments are used to create a user.)

usermod -G This command allows you to add a user to a group so long as the user is not logged in at the time.

grpck A command for checking the /etc/group file for typos.

As an example, there is a DVD-RW device (/dev/scd0) on our computer that the sysadmin wants a regular user named shelley to have access to. To grant shelley that access, we would follow these steps:

# groupadd dvdrw 

# chgrp dvdrw /dev/scd0 

# usermod -G dvdrw shelley 

# gpasswd -A shelley 

Now, the user shelley has permission to use the DVD-RW drive, as would anyone else added to the group by the super user or shelley because she is now also the group administrator and can add users to the group.

The sysadmin can also use the graphical interface that Ubuntu provides, as shown in Figure 14.1. It is accessed as the Users and Groups item from the Administration menu item.

Note that the full set of group commands and options are not available from the graphical interface, limiting the usefulness of the GUI to a subset of the most frequently used commands. You learn more about using the Ubuntu User Manager GUI in the next section of this chapter.