Primary and Secondary Groups

Solaris™ Operating Environment Boot Camp
By David Rhodes, Dominic Butler
Chapter 3.  User Administration


Now, let's try to clear up some of the confusion about how the password file relates to the group file, and see where primary and secondary groups come into the picture. We'll do this using the example users and groups listed in Table 3.1. This shows that prim_user and sec_user only have a primary group definition, while the user named both_user is also a member of a secondary group.

Table 3.1. User Details

    User Name (UID)    Primary Group (GID)    Secondary Group (GID)
    prim_user (200)    prim (500)
    sec_user (201)     sec (501)
    both_user (202)    prim (500)             sec (501)

We've already seen that a user's primary group is defined by that user's entry in /etc/passwd, and that any secondary groups the user is also a member of are defined in /etc/group. For the example users, we'll create the following password and group entries:

    hydrogen# more /etc/passwd
    <lines removed for clarity>
    prim_user::200:500::/export/home/prim_user:/bin/ksh
    sec_user::201:501::/export/home/sec_user:/bin/ksh
    both_user::202:500::/export/home/both_user:/bin/ksh
    hydrogen#
    hydrogen# more /etc/group
    <lines removed for clarity>
    prim::500:
    sec:MzQvs7gYIUVVQ:501:both_user
    hydrogen#

We can see from the group file that the one named prim isn't used by anyone as a secondary group. However, the group named sec is the secondary group for the user named both_user; it also has a password set. Now let's su to prim_user, create a file, and check what the ownerships are on it:

    hydrogen# su - prim_user
    hydrogen$ touch file1
    hydrogen$ ls -l
    total 6
    -rw-r--r--   1 prim_user prim       0 Feb 26 10:44 file1
    hydrogen$ exit
    hydrogen#

As expected, file1 is owned by the user prim_user, and its group ownership is set to its primary group, prim. Now let's do the same for sec_user:

    hydrogen# su - sec_user
    hydrogen$ touch file2
    hydrogen$ ls -l
    total 6
    -rw-r--r--   1 sec_user sec        0 Feb 26 10:46 file2
    hydrogen$ exit
    hydrogen#

Again, the file has the correct ownerships, as expected. Now, let's try this with both_user. First we'll create a file that will take the user's primary group details. This is the user's default group so it will be set correctly when we log in as both_user.

    hydrogen# su - both_user
    hydrogen$ touch file3
    hydrogen$ ls -l
    total 6
    -rw-r--r--   1 both_user prim       0 Feb 26 10:46 file3
    hydrogen$

Good. This also works exactly as expected; the file has the correct ownerships. However, we also know that both_user is a member of a secondary group. If we wish to create files owned by members of that group, we can use the newgrp command to switch to it before creating the file, just as we would su to a user if we wanted to carry out any tasks as someone else. Let's do that now:

    hydrogen$ newgrp sec
    hydrogen$ touch file4
    hydrogen$ ls -l
    total 6
    -rw-r--r--   1 both_user prim       0 Feb 26 10:46 file3
    -rw-r--r--   1 both_user sec        0 Feb 26 10:47 file4
    hydrogen$ exit
    hydrogen#

This shows that a different group owns each file, depending on which group we had set as the primary at the time. Notice that both_user wasn't prompted for a password when it ran newgrp. The reason for this is that both_user is a member of the sec group.

Now let's see what happens when a user who isn't a member of that group tries to run the same command:

    hydrogen# su - prim_user
    $ ls -l
    total 6
    -rw-r--r--   1 prim_user prim        0 Feb 26 10:44 file1
    hydrogen$ newgrp sec
    newgrp: Password <enter group password>
    hydrogen$ touch file2
    hydrogen$ ls -l
    total 6
    -rw-r--r--   1 prim_user prim        0 Feb 26 10:44 file1
    -rw-r--r--   1 prim_user sec         0 Feb 26 10:47 file2
    hydrogen$ exit
    hydrogen#

This time prim_user was prompted for the group password. Assuming we give the correct password, our primary group will be set to the new one (sec) and any files we create will have that group ownership.





    Solaris Operating Environment Boot Camp
    ISBN: 0130342874
    EAN: 2147483647
    Year: 2002
    Pages: 301
