Linux/groups
In Linux and other Unix-based operating systems, a group is an entity to which a user may belong and which confers certain "privileges" or "rights" to its member users. They're the Linux system's implementation of the security groups software design concept.
How Groups Are Used
Groups play a significant role in system security. Ideally, a system administrator can define roles which the various users might play (e.g. scanner operator, webmaster, developer), create a group for each of those roles, and then assign the necessary rights (for performing those functions) to each group, rather than to each user. When managing users, it is then only necessary to assign a new user to the group(s) corresponding to that user's role(s); this reduces the amount of work necessary to properly implement security (thus encouraging proper security to be implemented) as well as reducing the chances of inadvertently giving a user unneeded permissions and thereby creating a security risk.
Details
- Every file (including directories) has a set of permissions, an owner user and an owner group. Every file or directory's permission set is composed of twelve bits, but the meaning of the bits is slightly different for directories than for files.
- File permissions contain three groups of three bits each. The first set of three applies if and only if the current user is the file's owner user; the second set applies if the current user is not the owner but belongs to the file's owner group; the third set applies to everyone else. There are also three additional specialized bits. Going from Most Significant Bit (MSB) to Least Significant Bit (LSB):
- Bit 11: "set user ID" -- set user ID on execution
- Bit 10: "set group ID" -- set group ID on execution
- Bit 09: "sticky" -- largely obsolete; used on early Unix systems. See chmod for more information.
- Bits 8-0: rwx (owner user), rwx (owner group), rwx (everyone else): r = can read file, w = can write file, x = can execute file
- Directory permissions are similar:
- Bit 11: "set user ID"
- Bit 10: "set group ID"
- Bit 09: "sticky" --
- 1 = files in that directory may be unlinked or renamed only by root or their owner.
- 0 = anyone able to write to the directory can delete or rename files.
- The sticky bit is commonly found on directories, such as /tmp, that are "world-writable" (rwxrwxrwx)
- Bits 8-0: same as for files, except "x" means "can enter (chdir into) directory"
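The twelve bits above are usually seen either as a numeric mode (e.g. 4755) or as the symbolic string ls -l prints. The following is an added example, not part of the original page: a POSIX shell function that decodes a numeric mode into the symbolic form, including the s/S and t/T letters that the setuid, setgid and sticky bits produce in the "x" slots, plus a check for the combination the sticky-bit notes above warn about (a world-writable directory without the sticky bit). The function names and the sample modes are chosen here and are not taken from any real system.

```shell
# Added example (not part of the original page): decode a numeric mode such as
# the one printed by GNU "stat -c %a" into the symbolic form "ls -l" shows,
# covering the setuid, setgid and sticky bits, and flag a world-writable
# directory mode that lacks the sticky bit.

# triple DIGIT SPECIAL LOWER UPPER
#   DIGIT   one octal digit (0-7): the rwx bits for user, group or other
#   SPECIAL non-zero if the matching special bit (setuid, setgid, sticky) is set
#   LOWER   letter shown in the x slot when SPECIAL and x are both set (s or t)
#   UPPER   letter shown when SPECIAL is set but x is not (S or T)
triple() {
    d=$1 sp=$2 lo=$3 up=$4
    out=""
    if [ $(( $d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( $d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ "$sp" -ne 0 ]; then
        if [ $(( $d & 1 )) -ne 0 ]; then out="${out}${lo}"; else out="${out}${up}"; fi
    elif [ $(( $d & 1 )) -ne 0 ]; then
        out="${out}x"
    else
        out="${out}-"
    fi
    printf '%s' "$out"
}

# mode_to_symbolic OCTAL -> nine-character string, e.g. 4755 -> rwsr-xr-x
mode_to_symbolic() {
    # Normalise to four octal digits ("755" -> "0755"); the leading 0 makes
    # printf parse the argument as octal.
    m=$(printf '%04o' "0$1")
    s=${m%???}                 # bits 11-9: 4 = setuid, 2 = setgid, 1 = sticky
    rest=${m#?}
    u=${rest%??}               # bits 8-6: owner user
    g=${rest#?}; g=${g%?}      # bits 5-3: owner group
    o=${m#???}                 # bits 2-0: everyone else
    triple "$u" $(( $s & 4 )) s S
    triple "$g" $(( $s & 2 )) s S
    triple "$o" $(( $s & 1 )) t T
    printf '\n'
}

# dir_world_writable_no_sticky OCTAL -> exit status 0 when the mode grants
# write to "everyone else" but the sticky bit is clear, so any local user
# can unlink or rename other users' files in that directory.
dir_world_writable_no_sticky() {
    m=$(printf '%04o' "0$1")
    s=${m%???}; o=${m#???}
    [ $(( $o & 2 )) -ne 0 ] && [ $(( $s & 1 )) -eq 0 ]
}

# Demonstration on constructed modes (not read from any real system).
for mode in 0644 0755 4755 2755 1777 0777 4644; do
    printf '%s -> %s' "$mode" "$(mode_to_symbolic "$mode")"
    if dir_world_writable_no_sticky "$mode"; then
        printf '  (world-writable directory without sticky bit)'
    fi
    printf '\n'
done
# On a live system with GNU coreutils: mode_to_symbolic "$(stat -c %a /tmp)"
```

A lower-case s or t means the special bit and the execute bit are both set; an upper-case S or T means the special bit is set without execute, which is almost always a configuration mistake worth investigating.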
Commands
Commands used for managing users, groups and file permissions include:
- Groups:
- groupadd -- create a new group
- groupdel -- delete an existing group
- groupmod -- modify a group
- groups -- list groups to which user currently belongs
- cat /etc/group -- list all groups
- To list all users in a group (there is apparently no dedicated command for this):
getent group nixbld | cut -d: -f4 | tr ',' '\n'
- This ^ lists them one per row, which can be used as input for other commands (e.g. if you need to delete all users in a group). Note that the group database only records supplementary memberships; a user whose primary group (the GID field in /etc/passwd) is nixbld does not appear here.
getent group nixbld
- This ^ prints the group's whole database entry (name, password field, GID, members); the last field is the comma-separated list of members.
- Users:
- Permissions:
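The getent commands in the Groups list above report only the supplementary members stored in the group database; a user whose primary group is the one in question is recorded solely through the GID field of their passwd entry. The following is an added example, not part of the original page, that reads both databases and reports the complete membership. The function name members_of and the group and user names in the sample data are constructed for this illustration and do not come from any real system.

```shell
# Added example (not part of the original page): list every member of a group,
# including users whose primary group it is. "getent group NAME" shows only the
# supplementary members recorded in the group database; primary membership is
# recorded as the GID field of each passwd entry, so both databases are read.

# members_of GROUP GROUP_DB PASSWD_DB
#   GROUP_DB / PASSWD_DB are files in /etc/group and /etc/passwd format
#   (e.g. the output of "getent group" and "getent passwd").
# Prints the members one per line, sorted, with no duplicates.
members_of() {
    awk -F: -v grp="$1" '
        # First file: the group database. Remember the GID and the
        # comma-separated supplementary members of the requested group.
        NR == FNR {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        # Second file: the passwd database. A user whose primary GID matches
        # is a member even though the group entry does not list them.
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' "$2" "$3" | sort
}

# Constructed sample databases (not copied from any real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:alice
nixbld:x:30000:nixbld1,nixbld2
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:10:Bob:/home/bob:/bin/sh
nixbld1:x:30001:30000::/var/empty:/sbin/nologin
nixbld2:x:30002:30000::/var/empty:/sbin/nologin
EOF

# bob is in wheel only through his primary GID, so "getent group wheel"
# would miss him, while members_of reports both alice and bob.
members_of wheel "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd"
members_of nixbld "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd"

# Against the live databases:
#   getent group > "$SAMPLE_DIR/g"; getent passwd > "$SAMPLE_DIR/p"
#   members_of nixbld "$SAMPLE_DIR/g" "$SAMPLE_DIR/p"
```

When auditing who holds a privileged group such as wheel or sudo, the primary-GID path is the one most often overlooked, because the group entry itself looks empty or short.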