Groups of Users | Absolute OpenBSD: Unix for the Practical Paranoid

UNIX classifies users into groups, each group consisting of people who perform similar administrative functions. A sysadmin can define a group called "www," add the people who edit web pages to that group, and give that group permission to read and write to web-related files. He could also create a group called "email," add the email administrators to that file, and set permissions on mail-related files so that users in that group can edit those files. Using groups in this manner is a powerful and oft-neglected tool for systems management.

What Groups Are You In?

Any user can identify the groups he has been assigned to with id(1). This command tells you which user you are logged in as and which groups you belong to. It also prints the numerical identifiers for your user ID (uid) and any groups you are assigned to (gid).

 # id uid=1000(mwlucas) gid=1000(mwlucas) groups=1000(mwlucas), 0(wheel) #

If you are one of those lucky users who may use the root password to become the superuser, id(1) will tell you if you have done so and are in a root shell. (If you're running several X terminals on a UNIX desktop, it's quite easy to forget which window has your root shell in it.)

 # id uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest) #

As you can see, root is a member of several groups by default. id(1) has several options, but they trim the output rather than provide additional information. If you want to only know the names of the groups you've been assigned to, for example, you could use "id -Gn". While this is useful for scripts, id's output is small enough that most people find it easier to skim the output for desired information than remember the options.

The id(1) command pulls this information from /etc/group.

/etc/group

The file /etc/group defines most group information. While the syntax of this file is fairly easy to understand, OpenBSD also provides some command-line tools to edit it. I generally find the /etc/group syntax simple enough to handle that I skip the command-line tools. If you're interested, the command-line tools are groupadd(8), groupdel(8), groupinfo(8), and groupmod(8). In most cases, it's just as easy to edit /etc/group directly. Each line in /etc/group contains four colon-delimited fields: the group name, the group password, the group ID, and a list of members. Here's a sample entry:

 1 wheel: 2 *: 3 0: 4 root,mwlucas,chris

The 1 group name is a user-friendly name for the group. In our example, the group is named "wheel." Group names are fairly arbitrary: You could call a certain group of users "bucksnort" if you wished. It's a good idea to choose group names that give you some idea of what they're for; while you might remember that the group "bucksnort" is intended for email system managers, will your coworkers understand that? Choose group names that mean something.

The 2 second field contains the group's encrypted password. Group passwords encouraged poor security practices, so most modern UNIXes don't support them. OpenBSD certainly doesn't do anything with group passwords. Some old software expects to find a password field in /etc/groups, however. Rather than leave this field blank or remove it entirely, we use an asterisk (*) as a place-holder, as in our example.

The 3 third field holds the group's unique numeric ID (gid). Many programs use the GID, rather than names, to identify groups. The "wheel" group has a gid of 0.

Last is a 4 comma-delimited list of all the users in that group. The users root, mwlucas, and chris are members of the group wheel.

Primary Group

When you create a new user the system creates a group that contains just that user, and it has the same name as the user. This is the user's "primary group." A user is automatically a member of his or her primary group, as listed in /etc/passwd. Some programs can be configured to treat users differently based on their primary group, rather than just general group membership.

Changing Group Memberships

If you want to add a user to a group, all you need to do is add their username to the end of the line for that group. For example, if I wanted to add "phil" to the "wheel" group, I would add ",phil" to the wheel group description. ^[3]

 wheel:*:0:root,mwlucas,chris,phil

Creating Groups

To create a new group, all you need is a name for the group and a group ID number. Technically, you don't even need a member for the group; some programs run as a member of a group, and the system uses the group permissions to control those programs just as users are controlled.

Traditionally, their group ID lists groups in order. The gid is an arbitrary number between 0 and 32,767. Generally speaking, group IDs below 1,000 are reserved for system administrator use. Programs that need a dedicated group ID usually use one in this range. User accounts have group IDs starting at 1,000 and going up. Some special groups start numbering at 32,767 and go down.

You can use any gid you want, but adhering to the standards will make life easier on your coworkers and successors.

So, let's add a group. This sample group is for a database program, so I'm going to call it "db." I'm arbitrarily adding this custom group with a gid of 5,000, and will start numbering these custom groups from there. I'll add our database administrator, phil, to this group.

 db:*:5000:phil

That's it!

^[3]Mind you, Phil would have to drug me into complete insensibility before I would add him to wheel. But that's an administrative decision, not a technical one.