Adminbuntu

Everything for the Ubuntu Server Administrator

User Tools

Site Tools


Sidebar

Server Administration


Server Applications


At the Command Line


Elsewhere


Copyright 2013 Applied Conscious Technologies, LLC

Terms of Agreement

Contact


submit to reddit

groups

Server Administration

Ubuntu Groups

Administering Ubuntu Server Groups

see also: Users

Groups in Unix and Linux are a means to increase security and control access to system resources. In conjunction with user permissions, group permissions control access to files, directories and devices. In classic Unix fashion, the primary means of controlling access is through filesystem abstraction, where even devices appear as files and are accessed like files. To the degree that it is possible, everything in the system is treated like a file. Each file has permissions for the file's owner user, group and others.

A user or other account can belong to a group in two ways. Every user has a primary group, which is recorded in the /etc/passwd file. /etc/passwd has one line of text per account on the system, with fields separated by colon characters; the group ID (GID) is the integer in the fourth field.

A user can also have supplementary groups, which are assigned in the /etc/group file. This file is where groups are defined, with one line of text per group. The last field of a group's line is a comma-separated list of the users who have that group as a supplementary group. A user's primary group is not recorded there, so you will normally not see a user listed in /etc/group for their own primary group.
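Because membership is recorded in two places, grepping /etc/group by hand misses everyone for whom a group is the primary group. The script below is an added example, not part of the original page or of Ubuntu's own tooling; it resolves both directions over constructed sample copies of the two files (the users steve, syslog and alice and the group webmasters are made up for the example). Point PASSWD_FILE and GROUP_FILE at /etc/passwd and /etc/group to query a real system. Its group_members function does what the optional members command described later on this page does, without installing anything.

```bash
#!/bin/bash
# Added example (not from the original page): resolve group membership from
# both places it is recorded.
#   primary group        -> GID in field 4 of /etc/passwd
#   supplementary groups -> comma-separated member list in field 4 of /etc/group
# The sample files below are constructed for the example; replace the two
# paths with /etc/passwd and /etc/group to query a real system.
set -u

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
PASSWD_FILE="$TMP/passwd"
GROUP_FILE="$TMP/group"

cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
syslog:x:101:104::/home/syslog:/usr/sbin/nologin
steve:x:1001:1001:Steve,,,:/home/steve:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF

cat > "$GROUP_FILE" <<'EOF'
root:x:0:
adm:x:4:syslog,steve
www-data:x:33:
syslog:x:104:
steve:x:1001:
webmasters:x:1002:steve,alice
EOF

# primary_group USER: name of the group whose GID is USER's fourth passwd field
primary_group() {
    local gid
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$PASSWD_FILE")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1 }' "$GROUP_FILE"
}

# supplementary_groups USER: every group whose member list names USER
supplementary_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) printf "%s%s", (seen++ ? " " : ""), $1
    } END { print "" }' "$GROUP_FILE"
}

# group_members GROUP: all accounts in GROUP, whether via passwd (primary)
# or via the group file (supplementary). "grep GROUP /etc/group" alone
# would miss steve in group steve, because primary members are not listed.
group_members() {
    local gid
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$GROUP_FILE")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$PASSWD_FILE"
        awk -F: -v g="$1" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$GROUP_FILE"
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

for u in steve root; do
    printf '%s: primary=%s supplementary=[%s]\n' \
        "$u" "$(primary_group "$u")" "$(supplementary_groups "$u")"
done
printf 'members of adm: %s\n' "$(group_members adm)"
printf 'members of steve: %s\n' "$(group_members steve)"
```

On the sample data, steve's primary group is steve and his supplementary groups are adm and webmasters; group steve has one member (steve) even though its /etc/group line has an empty member list.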


Group Management

List Groups

The group file is a plain text file with one line per group. Each line has four colon-separated fields: the group name, a password field (normally x, meaning any group password is kept in /etc/gshadow), the numeric GID, and a comma-separated list of the group's supplementary members.

So, just list the file (getent group shows the same thing, plus any groups that come from other NSS sources such as LDAP):

cat /etc/group

Create a Group

sudo groupadd groupname

Delete a Group

Deleting a group takes more than one command. First find every file and directory owned by the group and change their group to something else; otherwise they are left with a numeric GID that no longer maps to a name, and a group created later that happens to reuse that number silently inherits access to them. groupdel also refuses to remove a group that is still some account's primary group, so move those accounts to another primary group first (usermod -g).

Then, delete the group with:

sudo groupdel groupname

Note that this only removes the group's entry (and its member list) from /etc/group and /etc/gshadow; it does not touch files on disk. Running find / -nogroup afterwards lists anything you missed.
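Retiring a group in the right order (reassign files first, then delete, then look for stragglers) is worth scripting so that a step is not skipped. The functions below are an added example and not Ubuntu's own tooling; OLD, NEW and ROOT are the caller's choices, and the script assumes GNU find and glibc's getent. The steps that modify the system need root; with DRY_RUN=1 it only prints what it would run, which also doubles as a preview of the find -group sweep from the "Find a Group's Files" section.

```bash
#!/bin/bash
# Added example, not from the original page: retire a group in the order the
# procedure above requires.
#   1. refuse if the group is still some account's primary group (groupdel
#      refuses that too),
#   2. move every file under ROOT that belongs to OLD over to NEW,
#   3. delete OLD,
#   4. list anything under ROOT whose GID no longer resolves to a name.
# DRY_RUN=1 prints the modifying commands instead of running them. Steps 2-3
# need root. Assumes GNU find and glibc getent (both present on Ubuntu).
set -u

# run CMD...: execute, or just print, depending on DRY_RUN
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# primary_users GROUP: accounts whose primary GID (passwd field 4) is GROUP's GID
primary_users() {
    local gid
    gid=$(getent group "$1" | cut -d: -f3)
    [ -n "$gid" ] || return 1
    getent passwd | awk -F: -v g="$gid" '$4 == g { print $1 }'
}

# files_in_group GROUP ROOT: paths under ROOT owned by GROUP (symlinks included)
files_in_group() {
    find "$2" -group "$1" -print 2>/dev/null
}

# retire_group OLD NEW ROOT
retire_group() {
    local old="$1" new="$2" root="$3" holders
    getent group "$old" >/dev/null || { echo "no such group: $old" >&2; return 1; }
    getent group "$new" >/dev/null || { echo "no such target group: $new" >&2; return 1; }
    holders=$(primary_users "$old")
    if [ -n "$holders" ]; then
        echo "refusing: $old is the primary group of: $holders" >&2
        return 1
    fi
    # -h changes the link itself rather than its target, so a sweep over a
    # web root cannot be steered onto files outside it through a symlink
    files_in_group "$old" "$root" | while IFS= read -r f; do
        run chgrp -h -- "$new" "$f"
    done
    run groupdel "$old"
    # whatever is left carrying the old numeric GID shows up here
    find "$root" -nogroup -print 2>/dev/null
}

# usage: DRY_RUN=1 ./retire_group.sh webmasters www-data /var/www
if [ $# -eq 3 ]; then
    retire_group "$1" "$2" "$3"
fi
```

The primary-group check is the part people forget: groupdel would fail on it anyway, but by then the chgrp sweep has already run.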

Group User Management

Add a User to a Group

This adds another group to a user without affecting the user's current groups.

sudo usermod -aG groupname username

The user will be in that group after the next login (or, in the current shell, after running newgrp groupname). Verify with id -nG username.

option description
-a Add the user to the supplementary group(s). Use only with the -G option.
-G A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option. If the user is currently a member of a group which is not listed, the user will be removed from the group. This behavior can be changed via the -a option, which appends the user to the current supplementary group list.

Example

For example, let's say Steve is a web developer for your organization. To add steve to the adm group, enter:

sudo usermod -aG adm steve

This will allow steve to see log files. See Ubuntu Groups and Adm Group

Avoid a common mistake

When first learning to manage groups in a Unix environment, it is a common mistake to clobber a user's supplementary groups by leaving the -a (append) option off the above command. Without it, -G replaces all of that user's supplementary groups (the primary group is unaffected) with the ones you list. Check the current list with id -nG username before and after the change.

Delete a User from a Group

This removes the user named username from the groupname group. On Ubuntu, deluser username groupname does the same thing.

sudo gpasswd -d username groupname
option description
-d Remove the user from the named group.

List Group Members

There is an optional command called members that lists the members of a group.

Installation

sudo aptitude -y install members

Using Members

members groupname

List a User's Groups

groups username

If username is omitted, your own groups will be listed.

Another good tool for this is id, which prints a user's UID, primary GID and every group membership; id -nG username prints just the group names.

id username

Group File Management

Find a Group's Files

The find command, the Swiss army knife of finding files, is just the ticket for locating a group's files. The following command lists everything belonging to the group in the current directory and every directory beneath it (start from / to sweep the whole system; use -nogroup instead of -group groupname to find files whose group no longer exists):

find . -group groupname -print

Group Read/Write Rights

This example gives every member of a group called webmasters write access to everything under /base/var/www/www.example.com. The setgid bit (s) on the directories makes new files and subdirectories inherit the webmasters group instead of their creator's primary group, which is what keeps the tree shared. It is set on directories only: on an ordinary file, setgid means something else (an executable runs with the file's group) and does nothing useful for data.

sudo chgrp -R webmasters /base/var/www/www.example.com
sudo find /base/var/www/www.example.com -type d -exec chmod g=rwxs "{}" +
sudo find /base/var/www/www.example.com -type f -exec chmod g=rw "{}" +

Before handing out write access, confirm the roster with getent group webmasters: everyone in it can change what the web server serves.
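The layout above is easy to apply once and then lose: a directory created by an rsync or an unpack without setgid means files landing in it later fall back to the creator's primary group, and a stray setgid bit on a file is a red flag if that file is ever made executable. The script below, an added example that is not part of the original page, applies the layout and audits a tree for both kinds of drift. DIR and GROUP are the caller's choices and it assumes GNU find and chmod. Run against a group you are a member of it needs no root, which is how the demonstration at the bottom exercises it.

```bash
#!/bin/bash
# Added example, not from the original page: apply and audit a group-shared
# tree. Directories get g=rwx plus setgid so new entries inherit the
# directory's group; regular files get g=rw with setgid explicitly cleared
# (setgid on a file changes the group a running executable gets, which is a
# different thing entirely). Assumes GNU find/chmod; DIR and GROUP are the
# caller's choices.
set -u

# setup_shared_dir DIR GROUP
setup_shared_dir() {
    local dir="$1" group="$2"
    chgrp -R -- "$group" "$dir"
    find "$dir" -type d -exec chmod g=rwxs -- {} +
    find "$dir" -type f -exec chmod g=rw,g-s -- {} +
}

# audit_shared_dir DIR GROUP: print each deviation, return 1 if there was one
audit_shared_dir() {
    local dir="$1" group="$2" report
    report=$(
        find "$dir" ! -group "$group" -printf 'wrong group: %p\n'
        find "$dir" -type d ! -perm -2000 -printf 'directory without setgid: %p\n'
        find "$dir" -type f \( -perm -2000 -o ! -perm -020 \) \
            -printf 'file with setgid or not group-writable: %p\n'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demonstration on a throwaway tree owned by the caller's own primary group
DEMO=$(mktemp -d)
mkdir -p "$DEMO/htdocs"
: > "$DEMO/htdocs/index.html"
setup_shared_dir "$DEMO" "$(id -gn)"
audit_shared_dir "$DEMO" "$(id -gn)" && echo "layout OK"
chmod g-s "$DEMO/htdocs"              # simulate the classic mistake
audit_shared_dir "$DEMO" "$(id -gn)" || echo "drift detected"
rm -rf "$DEMO"
```

The audit is the part worth keeping in cron: it is cheap, and a non-zero exit tells you the shared tree no longer enforces the group you think it does.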
Group Commands

command description
chgrp Change the group ownership of files.
chown Change the owner (and optionally the group) of files.
gpasswd Administer the /etc/group and /etc/gshadow files.
groupadd Create a new group.
grpck Verify the integrity of the group files.
grpconv Create /etc/gshadow from /etc/group, moving group passwords into the shadowed file.
grpunconv Merge /etc/gshadow back into /etc/group and remove /etc/gshadow.
groupdel Delete a group.
groupmod Modify a group.
groups Print the groups a user is in.
id Print real and effective user and group IDs.
vigr Edit /etc/group with locking (vigr -s edits /etc/gshadow).
vipw Edit /etc/passwd with locking (vipw -s edits /etc/shadow).

Ubuntu Groups

A partial list of groups used in Ubuntu Linux.

group description
admin On Ubuntu releases before 12.04, membership granted sudo rights; the sudo group has since taken over that role.
adm Members can read most log files.
cdrom Members can use CD and DVD drives.*
dialout Members can use serial ports.
lp Used by the printer system.
lpadmin Members can configure printer settings.
news User for Usenet news.
plugdev Members can mount removable (i.e. USB) media.
root The primary group for the root account.
sambashare Members can share files via Samba.
sudo Can be used to control access to the sudo command.
uucp The group that uucp belongs to.
www-data www-data is the primary group for Apache. www-data is also the username assigned to Apache.

Adm Group

For an example of how a group can enhance both security and functionality, examine the adm group. Members of this group are allowed to view the contents of most of the common system log files, which can be used to monitor activity or provide clues for problem solving. To see the log files the adm group can read:

ls -lhR /var/log | grep adm

The output of the above command displays log files that members of adm can view. So, adding someone to the adm group allows that person to see what is going on in the system without being added to the sudo group (which can allow a user to run commands as root).

Cdrom Group

This group controls access to optical media hardware devices.

See why the “cdrom” group works:

ls -lh /dev | grep cdrom

The cdrom group allows user members to use the CD or DVD drives on the system. Since devices are accessed like files, it is possible to control access to devices exactly like access to files and directories.

Sudo Group

By default, Ubuntu has a sudo group. This group can be used to control which users can access the sudo command. To configure your system for this, run:

sudo visudo

You might see a line like this one, depending on the version of Ubuntu you have installed:

#%sudo ALL=NOPASSWD: ALL

Remove the # character from the beginning of the line to allow members of the sudo group to use sudo. By removing this character, you are “un-commenting” the line, converting it from a comment line (which begin with a # character) to an active line.

The above is sometimes considered unsafe (unless admins are conscientious about locking or logging out of a session when leaving their desk): it lets members of the sudo group run any command as root without ever entering a password. It is much more usual for sudo users to have to enter their own password first. The entry for that, and the one Ubuntu ships by default, is:

%sudo ALL=(ALL:ALL) ALL

Note that the visudo command opens a temporary copy of /etc/sudoers in your default editor. After editing, the copy is parsed for syntax errors and only installed as /etc/sudoers if it passes. This matters because a sudoers file with a syntax error stops sudo working for everyone, including you, so never edit /etc/sudoers directly. visudo -c checks the installed file without opening an editor, and sudo -l run from a member's account shows what that member is actually allowed to do.

Shell Script to Check Whether a Group Exists

#!/bin/bash
# usage: groupexists groupname
GROUPNAME="$1"
if [ -z "$GROUPNAME" ]; then
   echo "usage: $0 groupname" >&2
   exit 2
fi
# Compare the whole first field: a prefix match such as egrep '^adm' would
# also match "admin", and group names are case-sensitive, so no -i.
if awk -F: -v g="$GROUPNAME" '$1 == g { found = 1 } END { exit !found }' /etc/group; then
   echo "Group $GROUPNAME exists in /etc/group"
else
   echo "Group $GROUPNAME does not exist in /etc/group"
fi

getent group groupname does the same lookup through NSS, so it also finds groups that come from LDAP or another directory rather than the local file.

groups.txt · Last modified: 2015/05/31 21:20 (external edit)