Managing Groups


Groups establish relationships among users in which they share a common set of permissions. An individual cannot read or write to a file owned by another user. But if users are in the same group, they may both read and write to files owned by the group (depending on the group permissions) while retaining the privacy and security of their own files.

Group permissions can be used to facilitate group work on a project involving common files and to control access to devices such as the modem and floppy drive. This approach also represents a secure method of limiting access to system resources to only those users who need them. As an example, the sysadmin could put the users andrew, paul, damon, bernice, mark, and shelley in a new group named unleashed. Those users could each create files intended for their group work and chgrp those files to unleashed.

Now, everyone in the unleashed group but no one else except root can work with those files. The sysadmin would probably create a directory owned by that group so they could have an easily accessed place to store those files. The sysadmin could also add other users like bernice and ildiko to the group and remove existing users when their part of the work is done. The sysadmin could make the user shelley the group administrator so that shelley could decide how group membership should be changed.

Different Unix operating systems implement the group concept in various ways. Fedora uses a scheme called UPG, the User Private Group, in which all users are assigned to a group with their own name by default. (The user's username and group name are identical.) All the groups are listed in the /etc/group file.

Here is a partial list of a sample /etc/group file:

 # cat /etc/group
 root:x:0:root
 bin:x:1:root,bin,daemon
 daemon:x:2:root,bin,daemon
 sys:x:3:root,bin,adm
 adm:x:4:root,adm,daemon
 tty:x:5:
 disk:x:6:root
 lp:x:7:daemon,lp
 mem:x:8:
 kmem:x:9:
 wheel:x:10:root
 mail:x:12:mail,postfix
 news:x:13:news
 uucp:x:14:uucp
 man:x:15:
 games:x:20:
 gopher:x:30:
 dip:x:40:
 ftp:x:50:
 lock:x:54:
 nobody:x:99:
 users:x:100:
 dbus:x:81:
 floppy:x:19:
 vcsa:x:69:
 nscd:x:28:
 rpm:x:37:
 haldaemon:x:68:
 utmp:x:22:
 netdump:x:34:
 slocate:x:21:
 sshd:x:74:
 rpc:x:32:
 rpcuser:x:29:
 nfsnobody:x:65534:
 mailnull:x:47:
 smmsp:x:51:
 pcap:x:77:
 apache:x:48:
 xfs:x:43:
 ntp:x:38:
 gdm:x:42:
 named:x:25:
 dovecot:x:97:
 postdrop:x:90:
 postfix:x:89:
 andrew:x:500:

In this example, there are a number of groups, mostly for services (mail, ssh, and so on) and devices (floppy, disk, and so on). As previously mentioned, the system services groups enable those services to have ownership and control of their files. For example, adding postfix to the mail group, as shown previously, enables the postfix application to access mail's files in the manner that mail would decide for group access to its file. Adding a regular user to a device's group permits the regular user to use the device with permissions granted by the group owner. Adding user andrew to the group floppy, for example, would allow andrew to use the floppy drive device. You will learn how to add and remove users from groups in the next section.

Group Management Tools

Fedora provides several command-line tools for managing groups as well as graphical tools. Many experienced sysadmins prefer the command-line tools because they are quick and easy to use and they can be included in scripts if the sysadmin desires to script a repetitive task.

Here are the most commonly used group management command-line tools:

groupadd: This command creates and adds a new group.

groupdel: This command removes an existing group.

groupmod: This command creates a group name or GIDs, but doesn't add or delete members from a group.

gpasswd: This command creates a group password. Every group can have a group password and an administrator. Use the -A argument to assign a user as group administrator.

useradd -G: The -G argument adds a user to a group during the initial user creation. (More arguments are used to create a user.)

usermod -G: This command allows you to add a user to a group as long as the user is not logged in at the time.

grpck: A command for checking the /etc/group file for typos.

As an example, there is a CD-RW device (/dev/scd0) on our computer that the sysadmin wants a regular user named shelley to have access to. To grant shelley that access, we would use these steps:

1. Add a new group with the groupadd command:

 # groupadd cdrw

2. Change the group ownership of the device to the new group with the chgrp command:

 # chgrp cdrw /dev/scd0

3. Add the approved user to the group with the usermod command. Note that -G sets the user's complete list of supplementary groups, so shelley is removed from any supplementary group not named here:

 # usermod -G cdrw shelley

4. Make user shelley the group administrator with the gpasswd command so that she can add new users to the group:

 # gpasswd -A shelley cdrw

Now, the user shelley has permission to use the CD-RW drive, as would anyone else added to the group by the superuser or by shelley, who is now also the group administrator and can add users to the group.
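Because usermod -G in step 3 replaces a user's supplementary group list, it is worth comparing /etc/group before and after the change to confirm that no existing membership was dropped. The script below is an added example, not code from the book; the function name dropped_groups, the snapshot contents and GIDs 501-503 are constructed for illustration, and the -a (append) option is assumed to be supported by the installed usermod.

```shell
#!/bin/sh
# Added example (not from the book): list the supplementary groups a user
# lost between two snapshots of /etc/group (name:password:GID:member,...).
# Primary groups live in /etc/passwd and are not covered here.

# Print groups whose member list has user $1 in file $2 but not in file $3.
dropped_groups() {
    awk -F: -v u="$1" '
        function has(list,   n, m, i) {
            n = split(list, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) return 1
            return 0
        }
        FNR == NR { if (has($4)) before[$1] = 1; next }
        has($4)   { delete before[$1] }
        END       { for (g in before) print g }
    ' "$2" "$3" | sort
}

# Constructed snapshots; GIDs 501-503 are made up for the example.
SNAP=$(mktemp -d)
trap 'rm -rf "$SNAP"' EXIT

cat > "$SNAP/before" <<'EOF'
floppy:x:19:shelley
unleashed:x:501:andrew,paul,shelley
cdrw:x:502:
shelley:x:503:
EOF

# State after "usermod -G cdrw shelley": only the named group remains.
cat > "$SNAP/after_replace" <<'EOF'
floppy:x:19:
unleashed:x:501:andrew,paul
cdrw:x:502:shelley
shelley:x:503:
EOF

# State after "usermod -a -G cdrw shelley" (assumes usermod supports -a).
cat > "$SNAP/after_append" <<'EOF'
floppy:x:19:shelley
unleashed:x:501:andrew,paul,shelley
cdrw:x:502:shelley
shelley:x:503:
EOF

echo "lost with -G alone: $(dropped_groups shelley "$SNAP/before" "$SNAP/after_replace" | tr '\n' ' ')"
echo "lost with -a -G:    $(dropped_groups shelley "$SNAP/before" "$SNAP/after_append" | tr '\n' ' ')"
```

Swapping the two file arguments lists the groups the user gained instead, which is a quick way to review exactly what a membership change granted.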

The sysadmin can also use the graphical interface that Fedora provides, as shown in Figure 13.1. It is accessed as the Users and Groups item from the System Settings menu item.

Figure 13.1. Just check the box to add a user to a group.


You will note that the full set of group commands and options is not available from the graphical interface, limiting the usefulness of the GUI to a subset of the most frequently used commands. You learn more about using the Fedora User Manager GUI in the next section of this chapter.



    Red Hat Fedora 4 Unleashed
    ISBN: 0672327929
    Year: 2006
    Pages: 361
