10.1. The Boss Wants to Set Up a Special Group of UsersWhen the boss wants to set up a group for a special set of users, such as managers or accountants, you need to know how to create the group, along with a directory accessible only to the user members of that group. To understand what you need to do, it helps to know the baseline user and group settings on various Linux distributions. Then you'll know exactly what you need to do to create a special group on your systems. Linux distributions classify users in different ways. Most distributions configure regular users as members of a single "Users" group. In contrast, Red Hat/Fedora configures users in their own exclusive groups, in the so-called "User Private Group" scheme. The permissions on each user's Red Hat/Fedora home directory keep users from reading files in other users' home directories. What's best? It depends. In some organizations, it can be helpful to allow users to read one another's files. If you're running an ISP, you don't want that. The Red Hat/Fedora scheme can help you keep user files private.
This annoyance assumes you have a single database of users and groups on your network. That database might be on a Network Information System (NIS) server, as defined in http://www.tldp.org/HOWTO/NIS-HOWTO; it could be a part of a Lightweight Directory Access Protocol (LDAP) server, as defined in the book LDAP System Administration by Gerald Carter (O'Reilly); it could even be a part of a Microsoft user database and accessed through Samba (see Using Samba by Jay Ts et al., also published by O'Reilly). For the purpose of this annoyance, I'm assuming that the database works through standard authentication schemes on one Linux computer, as configured in files such as /etc/passwd and /etc/group, and with defaults in /etc/default/useradd and /etc/login.defs. Now I'll define how user schemes work on standard and Red Hat/Fedora Linux distributions. Then I can show you how to create a special group on any Linux distribution. 10.1.1. The Standard User SchemeLinux distributions normally configure all users in the same group. In other words, all users are assigned the same Group ID (GID), which happens to be 100. You can confirm group memberships, also known as GIDs, in /etc/passwd and /etc/group. They are defined in the fourth column in /etc/passwd. As an example, I've taken the following excerpt from one of my /etc/passwd files. Users michael and editor both belong to the same group, with a GID of 100: michael:x:1000:100:author,,,:/home/michael:/bin/bash editor:x:1001:100:editor,,,:/home/editor:/bin/bash You may recall that permissions for files and directories are classified by owner, group, and others. While this provides the opportunity to help users share their files, that is not enough. By default on our distributions, users have only read access on the files of other users in the same group. For example, when I create laforgeeks-ch10.sxw on my home directory, it has the following permissions, as defined by an ls -l command: -rw-r--r-- 1 michael users 40800 2005-09-28 18:07 laforgeeks-ch10.sxw In other words, even if user editor is also a member of the users group, she can only read the noted file. To allow the editor to make changes to that file, the owner would have to change the permissions. A user who wants to allow others to write to his files has to modify the associated permissions. Fortunately, the owner has the right to change the permissions on his own files with a command such as: chmod 664 laforgeeks-ch10.sxw Few regular users understand the chmod command. But users can change permissions in GUI file browsers such as Nautilus and Konqueror. All they need to do is right-click on the desired file, select Properties from the pop-up menu, and change group permissions so the group can write to the file. Unfortunately, this method makes the file writable to everybody in the general-users groupeveryone with a regular account on that system. You may not want to let everyone write to your files. To address these issues, I'll describe a special group scheme and procedures later in this annoyance. You may also want to configure limits on how much disk space can be occupied by a particular group. You can do this with group-based quotas, as defined in the "Some User Is Taking Too Much Disk Space" annoyance later in this chapter. 10.1.2. The Red Hat User Private Group SchemeRed Hat/Fedora configures users differently from most Linux distributions. Every time a new user is created on a Red Hat system, he's assigned as the only member of his own private group. For example, on my Red Hat Enterprise Linux 4 computer, I have the following entries: donna:x:501:501::/home/donna:/bin/bash nancy:x:502:502::/home/nancy:/bin/bash The third and fourth columns specify the user and group IDs. As you can see, the user and group IDs are the same for each user. In other words, both donna and nancy are members of their own special groups. In addition, you'll find that the permissions are limited on home directories on Red Hat/Fedora distributions; for example, when I run the ls -l /home command, I get the following output: drwx------ 3 donna donna 4096 Jul 5 16:41 donna drwx------ 38 michael michael 4096 Sep 29 10:38 michael drwx------ 2 nancy nancy 4096 Jul 22 18:18 nancy drwx------ 4 randy randy 4096 Jul 22 17:57 randy In other words, read, write, and execute permissions on user home directories are limited to that user. As a consequence, when I log in as user michael and try to list the contents of user nancy's home directory, I get the following message: ls: /home/nancy: Permission denied In contrast, if you examine the permissions on SUSE or Debian-based home directories, you'll find that permissions aren't so limited, and users can read the contents of other users' home directories. While the Red Hat User Private Group scheme does help keep user files secure, it does not encourage collaboration. When there's a need for any shared work, you'll have to take some special steps, but these are different from the steps necessary on other Linux distributions. 10.1.3. Configuring a Special GroupThere are many reasons why you might configure a special group. Accountants may want to share their files with one another but keep their files secure from regular users. Supervisors may want to keep employee evaluations confidential. Team members on a special project may need to share information without interference from other employees. Whatever the reason, configuring a special group requires:
As an example, I'll illustrate how you can set up a special group for users who want to share their secrets in wine making. I'll call the group winos and make users napa, sonoma, willamette, and columbia part of this group. To do so, I take the following steps:
Now you can provide instructions to users in your special group on how they can share and access files in the directory that you've created. If multiple users are adding information to a shared file simultaneously, it's important that they open the file from the shared directory, using the same application. When one user has opened this file, Linux applications create a temporary, hidden "lock file" that prevents other users from writing to the file. Other users can still open the file with read-only settings. You'll need to inform your users that a read-only message means someone else has opened that file, and that they should wait until the other person closes the file. But before you let your users open shared files, test them with the applications that they'll use. Make sure the lock mechanism works. Log in as two different users in your special group. Open a file in the shared directory. If the lock mechanism works, the second user that opens the file gets read-only access. Unfortunately, file locking is disabled in the OpenOffice.org 1.x suite. As of this writing, it doesn't work for the OpenOffice.org 2.0.x suite. A fix is scheduled for OpenOffice.org 2.0.3, which is scheduled to be released about the time this book reaches the shelves. For more information, see OpenOffice.org bug 57712. |