users-groups.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Groups</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Users and Basic Account Management" href="users.html" />
<link rel="PREVIOUS" title="Personalizing Users" href="users-personalizing.html" />
<link rel="NEXT" title="Security" href="security.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="users-personalizing.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 13 Users and Basic Account
Management</td>
<td width="10%" align="right" valign="bottom"><a href="security.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="USERS-GROUPS" name="USERS-GROUPS">13.9 Groups</a></h1>

<p>A group is simply a list of users. Groups are identified by their group name and GID
(Group ID). In FreeBSD (and most other <span class="TRADEMARK">UNIX</span>&reg; like
systems), the two factors the kernel uses to decide whether a process is allowed to do
something is its user ID and list of groups it belongs to. Unlike a user ID, a process
has a list of groups associated with it. You may hear some things refer to the ``group
ID'' of a user or process; most of the time, this just means the first group in the
list.</p>

<p>The group name to group ID map is in <tt class="FILENAME">/etc/group</tt>. This is a
plain text file with four colon-delimited fields. The first field is the group name, the
second is the encrypted password, the third the group ID, and the fourth the
comma-delimited list of members. It can safely be edited by hand (assuming, of course,
that you do not make any syntax errors!). For a more complete description of the syntax,
see the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=group&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">group</span>(5)</span></a> manual
page.</p>

<p>If you do not want to edit <tt class="FILENAME">/etc/group</tt> manually, you can use
the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=pw&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">pw</span>(8)</span></a> command to add
and edit groups. For example, to add a group called <tt class="GROUPNAME">teamtwo</tt>
and then confirm that it exists you can use:</p>

<div class="EXAMPLE"><a id="AEN18583" name="AEN18583"></a>
<p><b>Example 13-8. Adding a Group Using <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">pw</span>(8)</span></b></p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">pw groupadd teamtwo</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">pw groupshow teamtwo</kbd>
teamtwo:*:1100:
</pre>
</div>

<p>The number <var class="LITERAL">1100</var> above is the group ID of the group <tt
class="GROUPNAME">teamtwo</tt>. Right now, <tt class="GROUPNAME">teamtwo</tt> has no
members, and is thus rather useless. Let's change that by inviting <tt
class="USERNAME">jru</tt> to the <tt class="GROUPNAME">teamtwo</tt> group.</p>

<div class="EXAMPLE"><a id="AEN18599" name="AEN18599"></a>
<p><b>Example 13-9. Adding Somebody to a Group Using <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">pw</span>(8)</span></b></p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">pw groupmod teamtwo -M jru</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">pw groupshow teamtwo</kbd>
teamtwo:*:1100:jru
</pre>
</div>

<p>The argument to the <var class="OPTION">-M</var> option is a comma-delimited list of
users who are members of the group. From the preceding sections, we know that the
password file also contains a group for each user. The latter (the user) is automatically
added to the group list by the system; the user will not show up as a member when using
the <var class="OPTION">groupshow</var> command to <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=pw&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">pw</span>(8)</span></a>, but will show
up when the information is queried via <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=id&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">id</span>(1)</span></a> or similar tool.
In other words, <a href="http://www.FreeBSD.org/cgi/man.cgi?query=pw&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">pw</span>(8)</span></a> only manipulates
the <tt class="FILENAME">/etc/group</tt> file; it will never attempt to read additionally
data from <tt class="FILENAME">/etc/passwd</tt>.</p>

<div class="EXAMPLE"><a id="AEN18623" name="AEN18623"></a>
<p><b>Example 13-10. Using <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">id</span>(1)</span> to Determine Group Membership</b></p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">id jru</kbd>
uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)
</pre>
</div>

<p>As you can see, <tt class="USERNAME">jru</tt> is a member of the groups <tt
class="GROUPNAME">jru</tt> and <tt class="GROUPNAME">teamtwo</tt>.</p>

<p>For more information about <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=pw&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">pw</span>(8)</span></a>, see its manual
page, and for more information on the format of <tt class="FILENAME">/etc/group</tt>,
consult the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=group&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">group</span>(5)</span></a> manual
page.</p>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="users-personalizing.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="security.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Personalizing Users</td>
<td width="34%" align="center" valign="top"><a href="users.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Security</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>