Certification Objective 11.02: Red Hat User Private Group Scheme

One major difference between Red Hat Enterprise Linux 3 and non-Red Hat Linux or Unix distributions is how new users are assigned to groups. A Linux group allows its members to share files. Unfortunately, that also means everyone in the same primary group has access to the home directories of all other group members. Users may not always want to share the files in their home directories with others. For example, if you're setting up an ISP, your users pay for their privacy.

On the other hand, Red Hat Enterprise Linux normally gives each user a unique user ID and group ID in /etc/passwd. This is known as the user private group scheme. As users get exclusive access to their own groups, they don't have to worry about other users reading the files in their home directories.

Standard and Red Hat Groups

Traditionally, users are assigned to one or more groups such as users in /etc/group. For example, you might configure accgrp for the accounting department and infosys for the information systems department in your company.

If you have access to one of these other versions of Unix or Linux, check the third and fourth fields in /etc/passwd. Many users will have the same fourth field, which represents their primary group. Then, when you create a new user, each account receives a unique user ID but shares the same group ID with other users in the acct group. Users can still belong to other groups as well.

In RHEL 3, each user gets their own special private group by default. As you probably noticed in Chapter 4, user IDs and group IDs by default start at 500, match, and proceed in ascending order.

By default in RHEL 3, all regular users have a umask of 0002. If you are coming from a traditional Unix environment, you may be concerned. With the traditional user/group scheme, any member of that user's primary group will automatically have write access to any file that the user creates in his home directory.

This is the advantage behind the user private group scheme. Since every user account is the only member in its own private group, having the umask set to 002 does not affect file security. This provides advantages for systems such as Internet Service Providers, where you don't want users to have access to each other's files.

Shared Directories

Most people work in groups. They may share files. You can give a group of users access to a specific user's home directory or you can set up a shared directory for a group.

When you configure a shared directory, you can set up a group owner, and then add the users you need to that group, through the /etc/group configuration file. When you set the group ID bit (SGID) on this directory, any file created in this directory inherits the group ID. Assuming you have set appropriate permissions, all members of this group can then access files in that the directory.

There are several basic steps required to create a useful shared directory. For example, assume you want to set up a shared directory, /home/accshared, for the accountants in your organization. To set this up, you'll want to take the following steps:

1. Create the shared directory:

   # mkdir /home/accshared

2. Create a group with the users in your accounting department. Give it a group ID that doesn't interfere with existing group or user IDs. One way to do this is to add a line such as the following to your /etc/group file. You could also create this kind of group using the Red Hat User Manager described in Chapter 4. Note that the name of this new group is accgrp.

   accgrp:x:5000:stewardh,jamiec,davidw,debl,callend,vanessar

3. Set up appropriate ownership for the new shared directory. The following command prevents any specific user from taking control of the directory, and assigns group ownership to accgrp.

   # chmod 2770 /home/accshared

Any user who is a member of the accgrp group can now create files in the /home/accshared directory. Any files generated will then be associated with the accgrp group ID, and all users listed as members of accgrp in the /etc/group file will have read, write, and execute access to the /home/accshared directory.

What makes this possible are the permissions that you've assigned to the /home/accshared directory: 2770. Let's break this down into its component parts.

The first digit (2) is the set group ID bit, also known as the SGID bit. When you set the SGID bit for a directory, any files created in that directory automatically have their group ownership set to be that of the group owner of the directory. There are two ways to set the SGID bit for the /home/accshared directory:

chmod g+s /home/accshared

or alternatively:

chmod 2770 /home/accshared

Setting the SGID bit solves the problem of making sure all files created in a shared directory belong to the correct group-as long as the umask is set properly.

The remaining digits are basic knowledge for any experienced Linux or Unix user. The 770 sets read, write, and execute permissions for the user and group that owns the directory. But since the user owner is nobody, the group owner is what counts. In other words, members of the accgrp group gain read, write, and execute permissions to files created in this directory.

Otherwise, users who are members of accgrp and belong to another primary group would have to remember to use the chgrp command on every file they put in /home/accshared. While clumsy, that command allows other users in that group to access the file.

Exercise 11-2: Controlling Group Ownership with the SGID Bit

In this exercise, you will create new files in a directory where the SGID bit is set.

1. Add users called test1, test2, and test3. Check the /etc/passwd and /etc/group files to verify that each user's private group was created:

   # useradd test1; passwd test1 # useradd test2; passwd test2 # useradd test3; passwd test3

2. Edit the /etc/group file and add a group called tg1. Make the test1 and test2 accounts a member of this group. You could add the following line to /etc/group directly or use the Red Hat User Manager:

   tg1::9999:test1,test2

   Before you proceed, make sure the group ID you assign to group tg1 (in this case, 9999) is not already in use.

3. Create a shared director for the tg1 group:

   # mkdir  /home/testshared

4. Change the user and group ownership of the shared directory:

   # chown  nobody.tg1  /home/testshared

5. Log in as test1 and test2 separately. Change the directory to the testshared directory and try to create a file. Two ways to do so are with the following commands. What happens?

   $ date >> test.txt $ touch abcd 

6. Now as the root user, set group write permissions on the testshared directory.

   # chmod 770 /home/testshared

7. Log in again as user test1, and then try to create a file in the new directory. So far, so good.

   $ cd /home/testshared $ date >> test.txt $ ls -l test.txt

8. Now check the ownership on the new file. Do you think other users in the tg1 group can access this file?

   $ ls -l

9. From the root account, set the SGID bit on the directory:

   # chmod g+s  /home/testshared

10. Switch back to the test1 account and create another file. Check the ownership on this file. Do you think that user test2 can now access this file?

    $ date >> testb.txt $ ls  -l

11. Now log in as the test2 account. Go into the /home/testshared directory, create a different file, and use ls -l to check permissions and ownership again.

12. Switch to the test3 account and check whether you can or cannot create files in this directory, and whether you can or cannot view the files in this directory.