ch22_13.htm

the unix power tools

<HTML
><!--Distributed by F --><HEAD
><TITLE
>[Chapter 22] 22.13 Groups and Group Ownership </TITLE
><META
NAME="DC.title"
CONTENT="UNIX Power Tools"><META
NAME="DC.creator"
CONTENT="Jerry Peek, Tim O'Reilly &amp; Mike Loukides"><META
NAME="DC.publisher"
CONTENT="O'Reilly &amp; Associates, Inc."><META
NAME="DC.date"
CONTENT="1998-08-04T21:40:34Z"><META
NAME="DC.type"
CONTENT="Text.Monograph"><META
NAME="DC.format"
CONTENT="text/html"
SCHEME="MIME"><META
NAME="DC.source"
CONTENT="1-56592-260-3"
SCHEME="ISBN"><META
NAME="DC.language"
CONTENT="en-US"><META
NAME="generator"
CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"><LINK
REV="made"
HREF="mailto:online-books@oreilly.com"
TITLE="Online Books Comments"><LINK
REL="up"
HREF="ch22_01.htm"
TITLE="22. File Security, Ownership, and Sharing"><LINK
REL="prev"
HREF="ch22_12.htm"
TITLE="22.12 A Directory that People Can Access but Can't List "><LINK
REL="next"
HREF="ch22_14.htm"
TITLE="22.14 Add Users to a Group to Deny Permission "></HEAD
><BODY
BGCOLOR="#FFFFFF"
TEXT="#000000"
><DIV
CLASS="htmlnav"
><H1
><IMG
SRC="gifs/smbanner.gif"
ALT="UNIX Power Tools"
USEMAP="#srchmap"
BORDER="0"></H1
><MAP
NAME="srchmap"
><AREA
SHAPE="RECT"
COORDS="0,0,466,58"
HREF="index.htm"
ALT="UNIX Power Tools"><AREA
SHAPE="RECT"
COORDS="467,0,514,18"
HREF="jobjects/fsearch.htm"
ALT="Search this book"></MAP
><TABLE
WIDTH="515"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_12.htm"
TITLE="22.12 A Directory that People Can Access but Can't List "
><IMG
SRC="gifs/txtpreva.gif"
SRC="gifs/txtpreva.gif"
ALT="Previous: 22.12 A Directory that People Can Access but Can't List "
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><B
><FONT
FACE="ARIEL,HELVETICA,HELV,SANSERIF"
SIZE="-1"
>Chapter 22<BR>File Security, Ownership, and Sharing</FONT
></B
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_14.htm"
TITLE="22.14 Add Users to a Group to Deny Permission "
><IMG
SRC="gifs/txtnexta.gif"
SRC="gifs/txtnexta.gif"
ALT="Next: 22.14 Add Users to a Group to Deny Permission "
BORDER="0"></A
></TD
></TR
></TABLE
>&nbsp;<HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"></DIV
><DIV
CLASS="SECT1"
><H2
CLASS="sect1"
><A
CLASS="title"
NAME="UPT-ART-3030"
>22.13 Groups and Group Ownership </A
></H2
><P
CLASS="para"
><A
CLASS="indexterm"
NAME="AUTOID-24479"
></A
><A
CLASS="indexterm"
NAME="AUTOID-24481"
></A
>Group membership is an important part of UNIX security. All users are
members of one or more groups, as determined by your entry in
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>/etc/passwd</EM
> (<A
CLASS="linkend"
HREF="ch36_03.htm"
TITLE="Changing the Field Delimiter "
>36.3</A
>)</SPAN
>
and the <EM
CLASS="emphasis"
>/etc/group</EM
> file.</P
><P
CLASS="para"
>To find out what groups you belong to, &quot;
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>grep</EM
> (<A
CLASS="linkend"
HREF="ch27_01.htm#UPT-ART-7420"
TITLE="Different Versions of grep "
>27.1</A
>)</SPAN
>
for&quot; your entry in
<EM
CLASS="emphasis"
>/etc/passwd</EM
>:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>% <CODE
CLASS="userinput"
><B
>grep mikel /etc/passwd</B
></CODE
>
mikel:sflghjraloweor:50:100:Mike Loukides:/home/mikel:/bin/csh</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>[If that didn't work, try a command like <CODE
CLASS="literal"
>ypcat passwd | grep
mike1</CODE
>. -<EM
CLASS="emphasis"
>JP</EM
>&nbsp;] The fourth field (the second number) is your <EM
CLASS="emphasis"
>primary
group ID</EM
>. Look up this number in the <EM
CLASS="emphasis"
>/etc/group</EM
> file:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>% <CODE
CLASS="userinput"
><B
>grep 100 /etc/group</B
></CODE
>
staff:*:100:root</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>Or use <CODE
CLASS="literal"
>ypcat group | grep 100</CODE
>. -<EM
CLASS="emphasis"
>JP</EM
>&nbsp;] My primary group is <EM
CLASS="emphasis"
>staff</EM
>. Therefore, when I log in, my group ID is
set to 100.<A
CLASS="indexterm"
NAME="AUTOID-24507"
></A
>
To see what other groups you belong to, use the <EM
CLASS="emphasis"
>groups</EM
> command
if your UNIX version has it.
Otherwise, look for your name
in <EM
CLASS="emphasis"
>/etc/group</EM
>:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>% <CODE
CLASS="userinput"
><B
>grep mikel /etc/group</B
></CODE
>
power:*:55:mikel,jerry,tim
weakness:*:60:mikel,harry,susan</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>[Or <CODE
CLASS="literal"
>ypcat group | grep mike1</CODE
>. -<EM
CLASS="emphasis"
>JP</EM
>&nbsp;] I'm also a member of the groups <EM
CLASS="emphasis"
>power</EM
> and <EM
CLASS="emphasis"
>weakness</EM
>, with group
IDs 55 and 60.</P
><P
CLASS="para"
>With BSD UNIX, you're always a member of all your groups. This
means that I can access files that are owned by the <EM
CLASS="emphasis"
>staff</EM
>, <EM
CLASS="emphasis"
>power</EM
>, and
<EM
CLASS="emphasis"
>weakness</EM
> groups, without doing anything in particular. Under System V
UNIX, you can only be &quot;in&quot; one group at a time, even though you can be
a member of several. (I suppose this is like social clubs; you can
belong to the Elks and the Odd Fellows, but you can only wear one
silly hat at a time.) If you need to access files that are owned by
another group, use the <EM
CLASS="emphasis"
>newgrp</EM
> command:<A
CLASS="indexterm"
NAME="AUTOID-24524"
></A
><A
CLASS="indexterm"
NAME="AUTOID-24526"
></A
></P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>% <CODE
CLASS="userinput"
><B
>newgrp </B
></CODE
><CODE
CLASS="replaceable"
><I
>groupname</I
></CODE
></PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>(System V even lets you change to groups that you don't belong to. In
this case, you have to give a <EM
CLASS="emphasis"
>group password</EM
>. Group passwords are
rarely used&nbsp;- usually, the password field is filled with a <CODE
CLASS="literal"
>*</CODE
>, which
effectively says that there are no valid passwords for this group.)</P
><P
CLASS="para"
>On most systems, there are groups for major projects or departments,
groups for system administration, and maybe one or two groups for
visitors. Some BSD-based systems have a <EM
CLASS="emphasis"
>wheel</EM
> group; to become
<SPAN
CLASS="link"
>root (<A
CLASS="linkend"
HREF="ch01_24.htm"
TITLE="The Superuser (Root) "
>1.24</A
>)</SPAN
>,
you must belong to <EM
CLASS="emphasis"
>wheel</EM
>.
Many systems make terminals writable only by the owner and a special
group named <EM
CLASS="emphasis"
>tty</EM
>; this prevents other users from sending
characters to your terminal without using an approved
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>setgid</EM
> (<A
CLASS="linkend"
HREF="ch01_23.htm"
TITLE="File Access Permissions "
>1.23</A
>)</SPAN
>
program like
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>write</EM
> (<A
CLASS="linkend"
HREF="ch01_33.htm"
TITLE="UNIX Networking and Communications "
>1.33</A
>)</SPAN
>.</P
><DIV
CLASS="sect1info"
><P
CLASS="SECT1INFO"
>- <SPAN
CLASS="authorinitials"
>ML</SPAN
></P
></DIV
></DIV
><DIV
CLASS="htmlnav"
><P
></P
><HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"><TABLE
WIDTH="515"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_12.htm"
TITLE="22.12 A Directory that People Can Access but Can't List "
><IMG
SRC="gifs/txtpreva.gif"
SRC="gifs/txtpreva.gif"
ALT="Previous: 22.12 A Directory that People Can Access but Can't List "
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><A
CLASS="book"
HREF="index.htm"
TITLE="UNIX Power Tools"
><IMG
SRC="gifs/txthome.gif"
SRC="gifs/txthome.gif"
ALT="UNIX Power Tools"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_14.htm"
TITLE="22.14 Add Users to a Group to Deny Permission "
><IMG
SRC="gifs/txtnexta.gif"
SRC="gifs/txtnexta.gif"
ALT="Next: 22.14 Add Users to a Group to Deny Permission "
BORDER="0"></A
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
>22.12 A Directory that People Can Access but Can't List </TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><A
CLASS="index"
HREF="index/idx_0.htm"
TITLE="Book Index"
><IMG
SRC="gifs/index.gif"
SRC="gifs/index.gif"
ALT="Book Index"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
>22.14 Add Users to a Group to Deny Permission </TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"><IMG
SRC="gifs/smnavbar.gif"
SRC="gifs/smnavbar.gif"
USEMAP="#map"
BORDER="0"
ALT="The UNIX CD Bookshelf Navigation"><MAP
NAME="map"
><AREA
SHAPE="RECT"
COORDS="0,0,73,21"
HREF="../index.htm"
ALT="The UNIX CD Bookshelf"><AREA
SHAPE="RECT"
COORDS="74,0,163,21"
HREF="index.htm"
ALT="UNIX Power Tools"><AREA
SHAPE="RECT"
COORDS="164,0,257,21"
HREF="../unixnut/index.htm"
ALT="UNIX in a Nutshell"><AREA
SHAPE="RECT"
COORDS="258,0,321,21"
HREF="../vi/index.htm"
ALT="Learning the vi Editor"><AREA
SHAPE="RECT"
COORDS="322,0,378,21"
HREF="../sedawk/index.htm"
ALT="sed &amp; awk"><AREA
SHAPE="RECT"
COORDS="379,0,438,21"
HREF="../ksh/index.htm"
ALT="Learning the Korn Shell"><AREA
SHAPE="RECT"
COORDS="439,0,514,21"
HREF="../lrnunix/index.htm"
ALT="Learning the UNIX Operating System"></MAP
></DIV
></BODY
></HTML
>