an accounting department, all members of which need access to the company's accounts.
However, you wouldn't want non-accounting people to go snooping through financial
statements, so creating a special group that has access to the accounting system
makes sense.</P>
<P>Many small Linux systems have only one group, the default group, because that
is the simplest way to manage a system. When everyone shares a single group, the
group bits of a file's mode can no longer tell one user from another, so access is
effectively controlled by the owner and other bits alone. Once you have several
users who fall into logical groupings, though, groups start to make more sense: a
group lets you give a set of users read or write access to a directory without
opening it to everyone on the machine. You can even use groups to control your
friends' or children's access to areas on your home Linux system.</P>
<P>Group information is maintained in the file <TT>/etc/group</TT>, which is similar
in layout to the <TT>/etc/passwd</TT> file. The default <TT>/etc/group</TT> file
from a newly installed Linux system is shown in Listing 41.2.
<CENTER>
<H3><A NAME="Heading21"></A><A NAME="Heading22"></A><FONT COLOR="#000077">Listing 41.2.
The default /etc/group file.</FONT></H3>
</CENTER>
<PRE><FONT COLOR="#0066FF">root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
floppy::11:root
mail::12:mail
news::13:news
uucp::14:uucp
man::15:man
users::100:games
nogroup::-1:
</FONT></PRE>
<P>Each line in the file has four fields separated by colons. Two colons together
mean that the field is empty and has no value specified. Each line in the file follows
this format:<FONT COLOR="#0066FF"></FONT>
<PRE><FONT COLOR="#0066FF">group name:group password:group ID:users
</FONT></PRE>
<P>Each group has a line of its own in the file. The fields in the <TT>/etc/group</TT>
file (from left to right) are listed here:
<UL>
<LI>group name--A unique name. Historically eight characters or less; current versions
of <TT>groupadd</TT> accept up to 32 characters. Letters, digits, underscore and hyphen
are the safe choice.
<P>
<LI>password--Usually left blank or set to <TT>*</TT> or <TT>x</TT>, but a password can
be assigned that a non-member must enter to <TT>newgrp</TT> into the group. Modern
Linux keeps the real hash in <TT>/etc/gshadow</TT>, readable only by root, and leaves
an <TT>x</TT> here; the field survives mainly for backward compatibility. A group
password is a secret shared by everyone who knows it and cannot be tied to a person
in the logs, so avoid using one.
<P>
<LI>group ID (GID)--A unique number for each group, used by the operating system.
The kernel and the file system store only this number, so two lines that share a GID
are one group as far as permissions are concerned.
<P>
<LI><TT>users</TT>--A comma-separated list of the login names (not numeric user IDs)
of the users who are supplementary members of the group. A user whose primary group
is set to this GID in <TT>/etc/passwd</TT> does not need to be listed here.
</UL>
<P>Every Linux system has a number of default groups which belong to the operating
system, usually called <TT>bin</TT>, <TT>mail</TT>, <TT>uucp</TT>, <TT>sys</TT>,
and so on. You can see the system-dependent groups in the default <TT>/etc/group</TT>
file as shown in Listing 41.2. In that file, all but the last two entries are system
groups. You should never add ordinary users to these groups, because membership in
several of them is equivalent to root: a member of <TT>disk</TT> can read and write
the raw block devices and therefore every file on the system regardless of its
permissions, a member of <TT>kmem</TT> can read <TT>/dev/mem</TT> where that device
exists, and on many systems <TT>wheel</TT> is the gate to <TT>su</TT>. Only system
logins should belong to these operating system groups, and checking the member lists
after every edit of the file is cheap insurance.
<CENTER>
<H4><A NAME="Heading23"></A><FONT COLOR="#000077">Default System Groups</FONT></H4>
</CENTER>
<P>You may have noticed in the startup <TT>/etc/group</TT> file shown in Listing
41.2 that several groups are defined. These groups are used to set file permissions
and access rights for many utilities. It's worth taking a quick look at some of the
most important groups and their functions:
<TABLE BORDER="0">
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT" VALIGN="TOP"><TT>root/wheel/system</TT> </TD>
<TD ALIGN="LEFT" VALIGN="TOP">Owns most system files. On many systems membership is what lets a user employ the <TT>su</TT>
command to gain root access (on Linux, when <TT>pam_wheel</TT> is enabled for <TT>su</TT>). </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT" VALIGN="TOP"><TT>daemon</TT> </TD>
<TD ALIGN="LEFT" VALIGN="TOP">Used to own spooling directories (mail, printer, and so on). </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT" VALIGN="TOP"><TT>kmem</TT> </TD>
<TD ALIGN="LEFT" VALIGN="TOP">Historically used by programs that read kernel memory directly (a BSD-style <TT>ps</TT>).
Linux's <TT>ps</TT> reads <TT>/proc</TT> instead, but the group still owns <TT>/dev/mem</TT> (and <TT>/dev/kmem</TT>
on kernels that provide it), so membership still grants raw memory access.
</TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT" VALIGN="TOP"><TT>sys</TT> </TD>
<TD ALIGN="LEFT" VALIGN="TOP">Owns some system files; on some systems this group behaves the same as <TT>kmem</TT>.
</TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT" VALIGN="TOP"><TT>tty<BR>
</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP">Owns all special files dealing with terminals.<BR>
</TD>
</TR>
</TABLE>
The default group for the Slackware Linux version <TT>/etc/group</TT> file, shown
previously, is called <TT>users</TT>, and has a GID of <TT>100</TT>. (Many UNIX systems
have the default group called <TT>group</TT> with a group ID of <TT>50</TT> which
is the convention.)
<CENTER>
<H4><A NAME="Heading24"></A><FONT COLOR="#000077">Adding a Group</FONT></H4>
</CENTER>
<P>You can edit the information in the <TT>/etc/group</TT> file manually, using any
ASCII editor, or you can use a shell utility such as <TT>addgroup</TT> or <TT>groupadd</TT>
which go through the process for you. As a system administrator, you may find it
easier to do the changes manually because you can see the entire group file at the
time you are editing it. If you do edit by hand, use <TT>vigr</TT> rather than a bare
editor: it takes the same lock that <TT>groupadd</TT> and <TT>useradd</TT> take, so a
concurrent account change cannot overwrite your edit, and <TT>vigr -s</TT> edits the
matching <TT>/etc/gshadow</TT>. Very old Linux versions lacked <TT>addgroup</TT>,
<TT>groupadd</TT> and <TT>vigr</TT>; every current distribution ships them.</P>
<P>To manually add a group to the <TT>/etc/group</TT> file, first make a backup copy
of the file. Use any ASCII editor and add one line to the file for each new group
you want to create. Make sure you follow the syntax of the file carefully because
incorrect entries prevent users from belonging to that group. Run <TT>grpck</TT> when
you are done; it reports lines with the wrong number of fields, duplicate names and
GIDs, and members that have no <TT>/etc/passwd</TT> entry. In the following lines,
two new groups have been created:<FONT COLOR="#0066FF"></FONT>
<PRE><FONT COLOR="#0066FF">accounts::101:bill
scanner::102:yvonne
</FONT></PRE>
<P>The two groups have GIDs of <TT>101</TT> and <TT>102</TT>, and like user IDs,
the GIDs should be assigned sequentially for convenience and must be unique: two
lines with the same GID are one group to the kernel, and the second name silently
inherits the first one's access. The users that are in the group are appended. In
these cases, only one user is in each group. You'll see how to assign multiple users
to a group in the next section. The groups do not have to be in order of the GID or
group name, although for convenience you usually have the file ordered by GID. You
could add new lines anywhere in the file.</P>
<P>The <TT>/etc/group</TT> file should be checked for file permissions and ownership
after you have made changes to it. The file should be owned by root and have a group
owner of root (or <TT>system</TT>, depending on the group with GID <TT>0</TT>), with
mode <TT>0644</TT>: world-readable, because every program that maps group names to
GIDs reads it without privilege, but writable by nobody except root. If your system
has <TT>/etc/gshadow</TT>, that file holds the password hashes and must not be
world-readable (<TT>0640</TT> <TT>root:shadow</TT> or <TT>0600</TT> <TT>root:root</TT>,
depending on the distribution).
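<P>The checks just described (four fields per line, unique names and GIDs, members
that really exist, no ordinary login in a system group, and sane ownership and mode
on the file) can be scripted. The following is an added example, not code from the
chapter or from any Linux distribution: a <TT>grpck</TT>-style audit of
<TT>/etc/group</TT> against <TT>/etc/passwd</TT>. The file contents in it are
constructed to contain the mistakes the text warns about, and the <TT>PRIVILEGED</TT>
set and the <TT>FIRST_USER_UID</TT> cutoff are assumptions to adjust for your system.
It also reports a user whose primary GID no longer exists in <TT>/etc/group</TT>,
the situation that arises after a group is deleted.</P>

```python
"""Added example (not from the original chapter): a grpck-style check of
/etc/group against /etc/passwd, plus two checks the text asks for: no
ordinary login in a privileged system group, and /etc/group owned by root
and writable only by root.  The file contents below are constructed for
the example; PRIVILEGED and FIRST_USER_UID are assumptions to adjust for
your distribution."""

import stat

# Assumption: membership in these groups is, or leads directly to, root.
PRIVILEGED = {"root", "wheel", "disk", "kmem", "mem", "sys", "adm", "tty", "shadow"}
FIRST_USER_UID = 1000   # assumption: lower uids are system accounts

# Constructed sample files containing the mistakes the text warns about.
GROUP_FILE = """\
root::0:root
adm::4:root,adm
disk::6:root,adm,bill
wheel::10:root
users::100:games
accounts::101:bill
accounts::102:yvonne,tim
scanner:x:abc:yvonne
broken:103
"""

PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/sh
adm:x:3:4:adm:/var/adm:/sbin/nologin
bill:x:1001:100:Bill:/home/bill:/bin/sh
yvonne:x:1002:150:Yvonne:/home/yvonne:/bin/sh
"""


def audit(group_text, passwd_text):
    """Return a list of findings (empty when both files are consistent)."""
    findings = []
    users = {}                       # login name -> (uid, primary gid)
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            users[f[0]] = (int(f[2]), int(f[3]))

    first_line, gid_owner = {}, {}   # group name -> line no., gid -> group name
    for lineno, line in enumerate(group_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 4:
            findings.append(f"line {lineno}: expected 4 colon-separated fields, found {len(fields)}")
            continue
        name, _password, gid_s, members = fields
        if not gid_s.isdigit():      # also catches the old '-1' spelling of nogroup
            findings.append(f"line {lineno}: group {name!r} has non-numeric GID {gid_s!r}")
            continue
        gid = int(gid_s)
        if name in first_line:
            findings.append(f"line {lineno}: duplicate group name {name!r} (first on line {first_line[name]})")
        if gid in gid_owner:
            findings.append(f"line {lineno}: GID {gid} already used by {gid_owner[gid]!r}")
        first_line.setdefault(name, lineno)
        gid_owner.setdefault(gid, name)
        for member in filter(None, members.split(",")):
            if member not in users:
                findings.append(f"line {lineno}: member {member!r} of {name!r} has no /etc/passwd entry")
            elif name in PRIVILEGED and users[member][0] >= FIRST_USER_UID:
                findings.append(f"line {lineno}: ordinary account {member!r} (uid {users[member][0]}) "
                                f"is in privileged group {name!r}")

    # The stale-primary-GID case that arises after a group has been deleted.
    for user, (uid, primary) in users.items():
        if primary not in gid_owner:
            findings.append(f"passwd: user {user!r} has primary GID {primary} which is not in /etc/group")
    return findings


def file_perms_finding(st_mode, st_uid, st_gid):
    """Check stat() results for /etc/group: root:root and no group/other
    write bit.  0644 is normal; the file must stay world-readable because
    name-to-GID lookups happen in unprivileged processes."""
    perm = stat.S_IMODE(st_mode)
    if (st_uid, st_gid) != (0, 0):
        return f"/etc/group is owned by uid {st_uid} gid {st_gid}, expected root:root"
    if perm & 0o022:
        return f"/etc/group mode {perm:04o} is writable by group or other"
    return None


if __name__ == "__main__":
    for finding in audit(GROUP_FILE, PASSWD_FILE):
        print(finding)
```

<P>To run it against a real machine, feed <TT>audit()</TT> the contents of
<TT>/etc/group</TT> and <TT>/etc/passwd</TT> and pass the <TT>st_mode</TT>,
<TT>st_uid</TT> and <TT>st_gid</TT> from <TT>os.stat("/etc/group")</TT> to
<TT>file_perms_finding()</TT>. Note that the <TT>nogroup::-1:</TT> line of the
old Slackware listing would be flagged as non-numeric; most current distributions
give <TT>nogroup</TT> the GID <TT>65534</TT>.</P>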
<CENTER>
<H4><A NAME="Heading25"></A><FONT COLOR="#000077">Adding a User to New Groups</FONT></H4>
</CENTER>
<P>Users can belong to many groups, in which case their login names should be on each
group line that they belong to in the file <TT>/etc/group</TT>. The names on a line
in the <TT>/etc/group</TT> file are separated by commas, with no spaces. There is no
limit in principle to the number of users that can belong to a group. Older C
libraries imposed a line-length limit (255 characters on the systems this chapter
describes), which acted as an effective limiter; current glibc reads lines of any
length. The limit that still matters is per process: a user can be in at most
<TT>NGROUPS_MAX</TT> groups at once, 65536 on current Linux kernels and only 32 on
the older kernels of this book's era.</P>
<P>The following excerpt from a <TT>/etc/group</TT> file shows several groups with
multiple members:<FONT COLOR="#0066FF"></FONT>
<PRE><FONT COLOR="#0066FF">accounts::52:bill,yvonne,tim,roy,root
prgming::53:bill,tim,walter,gita,phyliss,john,root
cad::54:john,doreen,root
scanner::55:john,root,tim
</FONT></PRE>
<P>The user names on each line do not have to be in any particular order. Linux searches
along each line to find the user names it wants.</P>
<P>On Linux a logged-in user carries all his groups at once: his primary group, taken
from the GID field of his <TT>/etc/passwd</TT> entry, plus every group in
<TT>/etc/group</TT> whose member list names him (his supplementary groups).
Permission checks consult the whole set, so a member of <TT>accounts</TT> can read
a file owned by group <TT>accounts</TT> without doing anything special. What
<TT>newgrp</TT> changes is the primary group only, and that matters for one thing:
the group stamped on files and directories he creates from then on. Use
<TT>newgrp accounts</TT> before creating files meant for the accounting team, or
set the setgid bit on the shared directory so that new files inherit its group
automatically. (Older UNIX systems without supplementary groups really did limit a
user to one group at a time, which is where the one-group-at-a-time description
comes from.)
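<P>The following added example (not code from the chapter) shows how the group set
is built from the two files and how it enters a permission check: the primary GID
comes from <TT>/etc/passwd</TT>, every <TT>/etc/group</TT> line naming the user adds
a supplementary GID, and the kernel consults the whole set, while <TT>newgrp</TT>
only changes which GID is primary. The passwd and group lines are constructed for the
example (the group lines reuse the excerpt above), and the function names are our
own, not a system API.</P>

```python
"""Added example (not from the original chapter): how Linux builds a user's
group set at login and how that set enters a file permission check.
Every group listed for the user in /etc/group counts at the same time;
newgrp only swaps which one is the primary GID stamped on new files.
The passwd and group lines below are constructed for the example."""

# Constructed sample data, not a real system's files.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bill:x:1001:100:Bill:/home/bill:/bin/sh
yvonne:x:1002:100:Yvonne:/home/yvonne:/bin/sh
"""

GROUP = """\
root::0:root
users::100:
accounts::52:bill,yvonne,tim,roy,root
prgming::53:bill,tim,walter,gita,phyliss,john,root
cad::54:john,doreen,root
scanner::55:john,root,tim
"""

R, W, X = 4, 2, 1   # permission bits within one rwx triple


def gid_of(group_name, group_text):
    """Look a group up by name; raise KeyError if it is not defined."""
    for line in group_text.splitlines():
        if line and line.split(":")[0] == group_name:
            return int(line.split(":")[2])
    raise KeyError(group_name)


def login_groups(user, passwd_text, group_text):
    """Return (uid, primary_gid, all_gids) the way login(1)/initgroups(3) do:
    the primary GID comes from the passwd GID field, the rest from every
    /etc/group line whose member list names the user."""
    uid = primary = None
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == user:
            uid, primary = int(f[2]), int(f[3])
    if uid is None:
        raise KeyError(user)
    gids = {primary}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        _name, _password, gid, members = line.split(":", 3)
        if user in members.split(","):
            gids.add(int(gid))
    return uid, primary, gids


def may_access(uid, gids, file_uid, file_gid, mode, want):
    """Discretionary check as the kernel does it for an unprivileged caller:
    owner bits if the caller owns the file (even when the group bits would
    be more generous), else group bits if file_gid is ANY of the caller's
    groups, else the 'other' bits.  uid 0 bypasses this through
    CAP_DAC_OVERRIDE and is deliberately not modelled."""
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def newgrp(user, group_name, passwd_text, group_text):
    """Mimic newgrp(1) for a user who is already a member: return the new
    primary GID plus the unchanged supplementary set.  Group passwords are
    not modelled, so a non-member is simply refused."""
    _uid, _primary, gids = login_groups(user, passwd_text, group_text)
    gid = gid_of(group_name, group_text)
    if gid not in gids:
        raise PermissionError(f"{user} is not a member of {group_name}")
    return gid, gids


if __name__ == "__main__":
    uid, primary, gids = login_groups("bill", PASSWD, GROUP)
    print("bill:", uid, primary, sorted(gids))            # 1001 100 [52, 53, 100]
    # a 0640 file owned by root:accounts is readable by bill with no newgrp
    print(may_access(uid, gids, 0, 52, 0o640, R))         # True
    # after newgrp accounts, files bill creates get gid 52
    print(newgrp("bill", "accounts", PASSWD, GROUP)[0])   # 52
```

<P>Two details worth noticing: a file's owner is judged by the owner bits alone, so
a mode of <TT>0040</TT> on a file you own does not let you read it even though your
group could; and <TT>newgrp</TT> into a group you are not listed in is refused here,
while a real <TT>newgrp</TT> would prompt for the group password if one is set.</P>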
<CENTER>
<H4><A NAME="Heading26"></A><FONT COLOR="#000077">Deleting a Group</FONT></H4>
</CENTER>
<P>If you decide you don't want a particular group to exist anymore, you can simply
remove the group's line from the <TT>/etc/group</TT> file (and from <TT>/etc/gshadow</TT>
if your system has one). Before you do, check the <TT>/etc/passwd</TT> file for any
users who have that group ID as their startup GID, and change it to another group of
which they are members. A user whose primary GID no longer exists is refused at login
on some systems and on others simply ends up with an unnamed numeric group. You should
also find the files and directories owned by that group before deleting it
(<TT>find / -group <I>name</I></TT>) and change them to another group. Files you miss
afterwards show up only by number (<TT>find / -nogroup</TT> lists them), and if the
GID is later reused for a new group, that group silently inherits access to them.</P>
<P>Current distributions ship a utility, generally called <TT>delgroup</TT> or
<TT>groupdel</TT>, that removes the group's lines from <TT>/etc/group</TT> and
<TT>/etc/gshadow</TT> for you. <TT>groupdel</TT> refuses to remove a group that is
still some user's primary group, which catches the first problem above, but it does
nothing about files still owned by the group.
<CENTER>
<H3><A NAME="Heading27"></A><FONT COLOR="#000077">The su Command</FONT></H3>
</CENTER>
<P>Sometimes you want to execute a command as another user. If you are logged in
as superuser and want to create files with <TT>bill</TT>'s permissions and ownership
set, it is easier to log in as <TT>bill</TT> than work as root and then reset all
the parameters. Similarly, if you are logged in as a user and need to be superuser
for a little while, you would have to log out and back in to make the change. An
alternative is the <TT>su</TT> command.</P>
<P>The <TT>su</TT> command starts a new shell under another user's identity (real and
effective user ID and group set), so everything run from that shell carries that
user's permissions. The <TT>su</TT> command takes the user name you want to change
to as an argument and defaults to <TT>root</TT> when given none. For example, if you
are logged in as a typical user and want to be root, you can issue the command
<PRE><FONT COLOR="#0066FF">su root
</FONT></PRE>
<P>and the Linux system prompts you for the root password. If you supply it correctly,
you will be root until you leave that shell (Ctrl-D or <TT>exit</TT>) and return to
where you started. Plain <TT>su</TT> keeps your current environment and working
directory; <TT>su -</TT> (or <TT>su -l</TT>) runs a login shell with root's own
environment, which is the form to use for administration, because a <TT>PATH</TT>
inherited from an ordinary user's environment can lead root to run a program it did
not intend to. Similarly, if you are logged in as root and want to be a user, you can
issue the command with the user name, such as this:<FONT COLOR="#0066FF"></FONT>
<PRE><FONT COLOR="#0066FF">su tparker
</FONT></PRE>
<P>You won't be prompted for a password when changing from root to another user because
you have superuser powers. When you Ctrl-D out of that shell, you are back as root.
If you are logged in as a normal user and want to switch to another non-root login,
you have to supply that user's password, though. Every <TT>su</TT> attempt, successful
or not, is recorded through syslog, so repeated failures to become root are worth
watching for. Because <TT>su</TT> means handing the root password itself to each
administrator, many sites restrict it to members of <TT>wheel</TT> or replace it with
<TT>sudo</TT>, which logs the command run as well as the identity change.
<CENTER>
<H3><A NAME="Heading28"></A><FONT COLOR="#000077">Summary</FONT></H3>
</CENTER>
<P>In this chapter we've looked at the basics of the <TT>/etc/passwd</TT> and <TT>/etc/group</TT>
files, the two files intimately connected with user access to Linux. As you have
seen, these are simple files and can easily be modified by a system administrator
to add users and groups at any time. Always bear in mind that these are vital files,
and they should be copied to a backup filename, then edited carefully and their permissions
checked after each edit.
</td>
</tr>
</table>
<!-- begin footer information -->
</body></html>