doc072.htm

Reh Hat user manual. really goooood

<html><body>
<a href="doc073.html"><img src=../icons/next.gif alt="Next"></a>
<a href="doc000.html"><img src=../icons/up.gif alt="Up"></a>
<a href="doc071.html"><img src=../icons/previous.gif alt="Previous"></a>
<a href="doc000.html"><img src=../icons/contents.gif alt="Contents"></a>
<a href="doc123.html"><img src=../icons/index.gif alt="Index"></a>
<hr>
<h2><a name="s10.3">10.3 Users, Groups and User-Private Groups</a></h2>
<title>Users, Groups and User-Private Groups</title>


<p>Managing users and groups has traditionally been tedious.  Red Hat Linux
has a few tools and conventions that make user and groups easier
to manage, and more useful.

<p>The easiest way to manage users and groups is through the Users and
Groups module of the control-panel (see section <a href="doc057.html#s8">8</a>
for details on the control-panel and section <a href="doc058.html#s8.1">8.1</a> for
details on the Users and Groups module).

<p>You can also use <tt>adduser</tt> to create a new user from the command line.

<p><h3><a name="s10.3.1">10.3.1 Standard Users</a></h3>
<title>Standard Users</title>


<p>Table <a href="doc072.html#f54">54</a> lists the standard users set up by the installation
process (this is essentially the <tt>/etc/passwd</tt> file).  The group id (GID) in this
table is the <i>primary group</i> for the user.  See section <a href="doc072.html#s10.3.3">10.3.3</a>
for details on how groups are used.

<p><p><a name="f54"></a>
<center>
<table border>
<tr valign=top>
<td colspan=1 align=left nowrap>
<b>User</b> </td>
<td colspan=1 align=left nowrap> <b>UID</b> </td>
<td colspan=1 align=left nowrap> <b>GID</b> </td>
<td colspan=1 align=left nowrap> <b>Home Directory</b> </td>
<td colspan=1 align=left nowrap> <b>Shell</b> </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap> 
root </td>
<td colspan=1 align=left nowrap> 0 </td>
<td colspan=1 align=left nowrap> 0 </td>
<td colspan=1 align=left nowrap> /root </td>
<td colspan=1 align=left nowrap> /bin/bash </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
bin </td>
<td colspan=1 align=left nowrap> 1 </td>
<td colspan=1 align=left nowrap> 1 </td>
<td colspan=1 align=left nowrap> /bin </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
daemon </td>
<td colspan=1 align=left nowrap> 2 </td>
<td colspan=1 align=left nowrap> 2 </td>
<td colspan=1 align=left nowrap>  /sbin </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
adm </td>
<td colspan=1 align=left nowrap> 3 </td>
<td colspan=1 align=left nowrap> 4 </td>
<td colspan=1 align=left nowrap>  /var/adm </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
lp </td>
<td colspan=1 align=left nowrap> 4 </td>
<td colspan=1 align=left nowrap> 7 </td>
<td colspan=1 align=left nowrap>  /var/spool/lpd </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
sync </td>
<td colspan=1 align=left nowrap> 5 </td>
<td colspan=1 align=left nowrap> 0 </td>
<td colspan=1 align=left nowrap>  /sbin </td>
<td colspan=1 align=left nowrap> /bin/sync </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
shutdown </td>
<td colspan=1 align=left nowrap> 6 </td>
<td colspan=1 align=left nowrap> 0 </td>
<td colspan=1 align=left nowrap>  /sbin </td>
<td colspan=1 align=left nowrap> /sbin/shutdown </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
halt </td>
<td colspan=1 align=left nowrap> 7 </td>
<td colspan=1 align=left nowrap> 0  </td>
<td colspan=1 align=left nowrap> /sbin </td>
<td colspan=1 align=left nowrap> /sbin/halt </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
mail </td>
<td colspan=1 align=left nowrap> 8 </td>
<td colspan=1 align=left nowrap> 12 </td>
<td colspan=1 align=left nowrap>  /var/spool/mail </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
news </td>
<td colspan=1 align=left nowrap> 9 </td>
<td colspan=1 align=left nowrap> 13 </td>
<td colspan=1 align=left nowrap> /var/spool/news </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
uucp </td>
<td colspan=1 align=left nowrap> 10 </td>
<td colspan=1 align=left nowrap> 14 </td>
<td colspan=1 align=left nowrap>  /var/spool/uucp </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
operator </td>
<td colspan=1 align=left nowrap> 11 </td>
<td colspan=1 align=left nowrap> 0 </td>
<td colspan=1 align=left nowrap>  /root </td>
<td colspan=1 align=left nowrap> /bin/bash </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
games </td>
<td colspan=1 align=left nowrap> 12 </td>
<td colspan=1 align=left nowrap> 100 </td>
<td colspan=1 align=left nowrap>  /usr/local/games </td>
<td colspan=1 align=left nowrap> </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
gopher </td>
<td colspan=1 align=left nowrap> 13 </td>
<td colspan=1 align=left nowrap> 30 </td>
<td colspan=1 align=left nowrap>  /usr/lib/gopher-data </td>
<td colspan=1 align=left nowrap> </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
ftp </td>
<td colspan=1 align=left nowrap> 14 </td>
<td colspan=1 align=left nowrap> 50 </td>
<td colspan=1 align=left nowrap>  /usr/rhs/ftp </td>
<td colspan=1 align=left nowrap> </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
nobody </td>
<td colspan=1 align=left nowrap> 99 </td>
<td colspan=1 align=left nowrap> 99 </td>
<td colspan=1 align=left nowrap>  /root </td>
<td colspan=1 align=left nowrap> 
</td></tr>
</table>
<p><center>Figure 54:Standard Users</center>
</center>

<p>

<p><h3><a name="s10.3.2">10.3.2 Standard Groups</a></h3>
<title>Standard Groups</title>


<p>Table <a href="doc072.html#f55">55</a> lists the standard groups as set up
by the installation process (this is essentially the <tt>/etc/group</tt> file).

<p><p><a name="f55"></a>
<center>
<table border>
<tr valign=top>
<td colspan=1 align=left nowrap>
<b>Group</b> </td>
<td colspan=1 align=left nowrap> <b>GID</b> </td>
<td colspan=1 align=left nowrap> <b>Members</b> </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap> 
root </td>
<td colspan=1 align=left nowrap> 0 </td>
<td colspan=1 align=left nowrap> root </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
bin </td>
<td colspan=1 align=left nowrap> 1 </td>
<td colspan=1 align=left nowrap> root,bin,daemon </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
daemon </td>
<td colspan=1 align=left nowrap> 2 </td>
<td colspan=1 align=left nowrap> root,bin,daemon </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
sys </td>
<td colspan=1 align=left nowrap> 3 </td>
<td colspan=1 align=left nowrap> root,bin,adm </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
adm </td>
<td colspan=1 align=left nowrap> 4 </td>
<td colspan=1 align=left nowrap> root,adm,daemon </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
tty </td>
<td colspan=1 align=left nowrap> 5 </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
disk </td>
<td colspan=1 align=left nowrap> 6 </td>
<td colspan=1 align=left nowrap> root </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
lp </td>
<td colspan=1 align=left nowrap> 7 </td>
<td colspan=1 align=left nowrap> daemon,lp </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
mem </td>
<td colspan=1 align=left nowrap> 8 </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
kmem </td>
<td colspan=1 align=left nowrap> 9 </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
wheel </td>
<td colspan=1 align=left nowrap> 10 </td>
<td colspan=1 align=left nowrap> root </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
mail </td>
<td colspan=1 align=left nowrap> 12 </td>
<td colspan=1 align=left nowrap> mail </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
news </td>
<td colspan=1 align=left nowrap> 13 </td>
<td colspan=1 align=left nowrap> news </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
uucp </td>
<td colspan=1 align=left nowrap> 14 </td>
<td colspan=1 align=left nowrap> uucp </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
man </td>
<td colspan=1 align=left nowrap> 15 </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
games </td>
<td colspan=1 align=left nowrap> 20 </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
gopher </td>
<td colspan=1 align=left nowrap> 30 </td>
<td colspan=1 align=left nowrap> </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
dip </td>
<td colspan=1 align=left nowrap> 40 </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
ftp </td>
<td colspan=1 align=left nowrap> 50 </td>
<td colspan=1 align=left nowrap> ftp </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
nobody </td>
<td colspan=1 align=left nowrap> 99 </td>
<td colspan=1 align=left nowrap>  </td></tr>
<tr valign=top>
<td colspan=1 align=left nowrap>
users </td>
<td colspan=1 align=left nowrap> 100 </td>
<td colspan=1 align=left nowrap>
</td></tr>
</table>
<p><center>Figure 55:Standard Groups</center>
</center>

<p>

<p><h3><a name="s10.3.3">10.3.3 User Private Groups</a></h3>
<title>User Private Groups</title>



<p>Red Hat Linux uses a user private group (UPG) scheme, which makes UNIX
groups much easier to use.
The UPG scheme does not add or change anything in the standard
UNIX way of handling groups.  It simply offers a new
convention for handling groups.  Whenever you create a new
user, by default, he or she has a unique group.  The scheme
works as follows:

<p><dl>
<dt><b>User Private Group</b><dd>
Each user has it's own primary group, to which only it is a member.
<dt><b>umask = 002</b><dd>
The traditional UNIX umask is 022, which prevents other users <i>and
other members of a user's primary group</i> from modifying a user's
files.  Since every user has their own private group in the UPG scheme,
this ``group protection'' is not needed.  A umask of 002 will prevent
users from modifying other users' private files.  The umask is set
in <tt>/etc/profile</tt>.
<dt><b>SGID bit on Directories</b><dd>
If you set the SGID bit on a directory
(with <tt>chmod g+s</tt> <i>directory</i>),
files created in that directory will have their group set to the
directory's group.
</dl>

<p>Most computing sites like to create a group for each major
project and assign people to the groups they need to be in.
Managing files traditionally has been difficult, though,
because when someone creates a file it is owned by the primary
group he or she belongs to.  When a single person works on
multiple projects, it becomes hard to make the files owned by
the group that is associated with that project.  In the UPG scheme,
groups are automatically assigned to files 
on a project-by-project basis, which makes managing group projects 
very simple.

<p>Let's say you have a big project called <em>devel</em>, with many people 
editing the devel files in a <tt>devel</tt> directory.
Make a group called <tt>devel</tt>, <tt>chgrp</tt> the <tt>devel</tt> directory to
<tt>devel</tt>, and add the all the devel users 
to the <tt>devel</tt> group.  Now, all the devel users will be able to edit
the devel files and create new files in the <tt>devel</tt> directory, and these
files will always retain their <tt>devel</tt> group.  Thus, they will
always be edit-able by other devel users.

<p>If you have multiple projects like <em>devel</em>, and users who are working
on multiple projects, these users will never have to change their
umask or group when they move from project to project.  The SGID
bit on each project's main directory ``selects'' the proper group.

<p>Since each user's HOME directory is owned by the user and their private
group, it is safe to set the SGID bit on the HOME directory.  However,
by default, files are created with the primary group of the user, so
the SGID bit would be redundant.

<p><h4><a name="s10.3.3.1">10.3.3.1 User Private Group Rationale</a></h4>
<title>User Private Group Rationale</title>


<p>Since the UPG scheme is new, many people have questions about it,
and they wonder why it is necessary.  The following is the rationale for
the scheme.

<p><ul>
<li>You'd like to have a group of people work on a set of files
in say, the <tt>/usr/lib/emacs/site-lisp</tt> directory.  You trust a
few people to mess around in there, but certainly not everyone.
<li>So you enter:
<blockquote><font size=-1><tt>
<pre>
chown -R root.emacs /usr/lib/emacs/site-lisp
</pre>
</tt></font></blockquote>
and you add the proper users to the group.
<li>To allow the users to actually create files in the directory
you enter:
<blockquote><font size=-1><tt>
<pre>
chmod 775 /usr/lib/emacs/site-lisp
</pre>
</tt></font></blockquote>
<li>But when a user creates a new file it is assigned the
group of the users default group (usually <tt>users</tt>).
To prevent this you enter
<blockquote><font size=-1><tt>
<pre>
chmod 2775 /usr/lib/emacs/site-lisp
</pre>
</tt></font></blockquote>
which causes everything in the directory to be created with
the ``emacs'' group.
<li>But the new file needs to be mode 664 for another
user in the emacs group to be able to edit it.  To do this you make
the default umask 002.
<li>Well, this all works fine, except that if your default group
is ``users'', every file you create in your home directory will
be writable by everybody in ``users'' (usually everyone).
<li>To fix this, you make each user have a ``private group'' as their
default group.
</ul>

<p>At this point, by making the default umask 002 and giving everyone
a private default group, you can easily set up groups that users
can take advantage of without doing any magic.  Just create the
group, add the users, and do the above chown and chmod on the
group's directories.

<p><p><hr>
<a href="doc073.html"><img src=../icons/next.gif alt="Next"></a>
<a href="doc000.html"><img src=../icons/up.gif alt="Up"></a>
<a href="doc071.html"><img src=../icons/previous.gif alt="Previous"></a>
<a href="doc000.html"><img src=../icons/contents.gif alt="Contents"></a>
<a href="doc123.html"><img src=../icons/index.gif alt="Index"></a>
<hr>
</body></html>