Understanding the Group ID

The GID field is used to identify the primary group to which the new user belongs. When a Linux system is first installed, several groups are included, most of which are either administrative groups, such as adm and daemon, or groups belonging to specific services, such as news and mail. users is a catch-all group for all users.

When you use an administrative tool to create a user account, the tool assigns a group for the user if you don't select one. On some systems, such as Slackware, the tool defaults to the group users. On a Red Hat system, the default is to create a brand-new group that contains only the new user as a member. Neither approach is exactly right for all cases.

The group ID, like the user ID, is used for filesystem security. On Linux systems, there are three levels of file permissions: ownership privileges, group privileges, and world privileges. If everyone is included in the same group, as is the case when everyone is placed in the users group, then everyone has the same group privileges when attempting to access anyone's files. In effect, group privileges are no different from world privileges. This defeats the purpose of the group ID, which is to allow groups to share files while protecting those files from people who are not in the group.

Likewise, if a group is created that contains only one user, the purpose of the group ID is defeated—there is no point in having group privileges if there is no group. The owner of a file already has access privileges for the file based on the UID, so the GID is unnecessary when the group is one. Using this approach, group privileges are no different from ownership privileges.

To make the most effective use of group IDs, you need to create groups. Develop a plan for the group structure you will use on your network. This plan doesn't need to be complicated. Most network administrators use an organizational group structure in which people in the same work group are members of the same GID. A more complex structure, based on projects, is also possible. Be careful, however, not to create a structure that requires lots of maintenance. Projects come and go, and you don't want to get into a situation in which you are constantly changing groups and moving files for users.

Note: For full NFS support, the group structure plan needs to be coordinated among the systems on your network. See Chapter 9 for information on planning and coordinating a group structure.

Creating New Groups

To create a group, add an entry for the new group in the /etc/group file. Every group has one entry in the file, and all of the entries have the same format, name:password:gid:users, where

• password is not usually used. Leave it blank, or fill it with a placeholder such as x.

• gid is the numeric group identifier. It is a number between 0 and 65536. GID 0 is used for the root group. Most administrators reserve the numbers below 100 for special groups.

• users is a comma-separated list of users assigned to this group. The primary group of a user is assigned in the /etc/passwd file. /etc/group assigns supplemental groups to a user.

Some examples from the /etc/group file on a Red Hat system illustrate this structure.

Listing 3.10: Examples from the /etc/group File

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
users:x:100:kathy
popusers:x:45:kathy
slipusers:x:46:


In an example later in this chapter (refer to "Tools to Create User Accounts"), we create the user account kathy, and allow the system to create a default GID for kathy. By default, Red Hat creates a new group for the user using the username as the group name and using the first available number above 500 as the GID. That's where the kathy entry at the end of this file came from. Additionally, we edited the /etc/group file to grant kathy membership in the users and the popusers groups. That's why kathy appears in the user list of both of those entries. Note that kathy is not in the user list of the group kathy. That is because it is her primary group, which is assigned in the /etc/passwd file. Therefore, her primary group is kathy, and her supplemental groups are users and popusers. She is granted the group privileges of all three of these groups.
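The entry format and the primary/supplemental distinction just described, worked through as an added example that is not part of the original chapter: a small Python audit that parses passwd and group text, reports a user's effective groups, and flags the two layouts the text argues defeat the GID (a catch-all group holding every regular user, and a group with a single member). The sample file contents are constructed, and the GID-below-100 and UID-below-500 thresholds are assumptions, not values from the chapter.

```python
# Constructed sample files modelled on Listing 3.10, not copied from a real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
kathy:x:501:501:Kathy:/home/kathy:/bin/bash
sara:x:502:100:Sara:/home/sara:/bin/bash
"""
GROUP = """\
root:x:0:root
users:x:100:kathy
popusers:x:45:kathy
kathy:x:501:
"""
def _records(text):  # colon-separated fields of each non-empty, non-comment line
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")

def parse_group(text):
    """name -> (gid, set of supplementary members) from name:password:gid:users."""
    return {f[0]: (int(f[2]), {m for m in f[3].split(",") if m}) for f in _records(text)}

def parse_passwd(text):
    """name -> (uid, primary gid); the primary group is set here, not in /etc/group."""
    return {f[0]: (int(f[2]), int(f[3])) for f in _records(text)}

def effective_groups(user, passwd_text, group_text):
    """(primary group name or None, sorted supplementary names) for one user."""
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    primary = gid_to_name.get(parse_passwd(passwd_text)[user][1])
    supp = sorted(n for n, (_, s) in groups.items() if user in s and n != primary)
    return primary, supp

def audit_groups(passwd_text, group_text, min_gid=100, min_uid=500):
    """Flag groups whose membership defeats the GID: 'single' (one member) or
    'catch_all' (every regular user). GIDs < 100 and UIDs < 500 are assumed system."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    members = {name: set(supp) for name, (_, supp) in groups.items()}
    for user, (_, gid) in users.items():  # primary membership comes from /etc/passwd
        if gid in gid_to_name:
            members[gid_to_name[gid]].add(user)
    regular = {u for u, (uid, _) in users.items() if uid >= min_uid}
    findings = {}
    for name, who in members.items():
        if groups[name][0] >= min_gid and len(who) == 1:
            findings[name] = "single"
        elif groups[name][0] >= min_gid and regular and regular <= who:
            findings[name] = "catch_all"
    return findings
```

Pointing the two parsers at the real /etc/passwd and /etc/group contents turns this into a quick check that a planned group structure actually gives group permissions a meaning distinct from owner and world permissions.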

You can create a new group or modify an existing group by directly editing the /etc/group file. Alternatively, you can create a group by using the tools provided by your Linux distribution. Use the groupadd command for this purpose. For example, to create a group for the sales department with a group name of sales and a GID of 890, enter groupadd -g 890 sales. To add a new group, simply select an unused group name and an available GID number, and enter them into the /etc/group file using the groupadd command.

The name or numeric GID of an existing group can be changed with the groupmod command. For example, to change the GID assigned to the sales group created above from 890 to 980, enter groupmod -g 980 sales. To change the group name from sales to marketing, enter groupmod -n marketing sales. An existing group can be deleted with the groupdel command. For example, to delete the marketing group, enter groupdel marketing.

Regardless of how you create or edit a group, the effect is the same. The updated group is listed in the /etc/group file. In the same manner that there are tools to create or modify a group, there are tools available for creating a user account.
