Red Hat Linux 7.0: The Official Red Hat Linux Reference Guide
Chapter 2. System Administration
Managing users and groups has traditionally been tedious, but Red Hat Linux has a few tools and conventions that make users and groups easier to manage.
While you can use useradd to create a new user from the shell prompt, the easiest way to manage users and groups is through Linuxconf (see Chapter 3).
Next, we'll discuss the basic structure behind managing users and groups.
In Table 2-1, you'll find the standard users set up by the installation process (this is essentially the /etc/passwd file). The Group ID (GID) in this table is the primary group for the user. See the section called User Private Groups for details on how groups are used.
Table 2-1. Standard Users

User | UID | GID | Home Directory | Shell
---|---|---|---|---
root | 0 | 0 | /root | /bin/bash
bin | 1 | 1 | /bin |
daemon | 2 | 2 | /sbin |
adm | 3 | 4 | /var/adm |
lp | 4 | 7 | /var/spool/lpd |
sync | 5 | 0 | /sbin | /bin/sync
shutdown | 6 | 0 | /sbin | /sbin/shutdown
halt | 7 | 0 | /sbin | /sbin/halt
mail | 8 | 12 | /var/spool/mail |
news | 9 | 13 | /var/spool/news |
uucp | 10 | 14 | /var/spool/uucp |
operator | 11 | 0 | /root |
games | 12 | 100 | /usr/games |
gopher | 13 | 30 | /usr/lib/gopher-data |
ftp | 14 | 50 | /var/ftp |
nobody | 99 | 99 | / |
In Table 2-2, you'll find the standard groups as set up by the installation process (this is essentially the /etc/group file).
Table 2-2. Standard Groups

Group | GID | Members
---|---|---
root | 0 | root
bin | 1 | root, bin, daemon
daemon | 2 | root, bin, daemon
sys | 3 | root, bin, adm
adm | 4 | root, adm, daemon
tty | 5 |
disk | 6 | root
lp | 7 | daemon, lp
mem | 8 |
kmem | 9 |
wheel | 10 | root
mail | 12 | mail
news | 13 | news
uucp | 14 | uucp
man | 15 |
games | 20 |
gopher | 30 |
dip | 40 |
ftp | 50 |
nobody | 99 |
users | 100 |
Red Hat Linux uses a user private group (UPG) scheme, which makes UNIX groups much easier to use. The UPG scheme does not add or change anything in the standard UNIX way of handling groups. It simply offers a new convention for handling groups. Whenever you create a new user, by default, he or she has a unique group. The scheme works as follows:
- Each user has their own primary group, of which only they are a member.
- The traditional UNIX umask is 022, which prevents other users and other members of a user's primary group from modifying a user's files. Since every user has their own private group in the UPG scheme, this "group protection" is not needed. A umask of 002 will prevent users from modifying other users' private files. The umask is set in /etc/profile.
- If you set the setgid bit on a directory (with chmod g+s directory), files created in that directory will have their group set to the directory's group.
Most IT organizations like to create a group for each major project and assign people to the groups they should be in. Managing files traditionally has been difficult, though, because when someone creates a file it is owned by the primary group he or she belongs to. When a single person works on multiple projects, it becomes hard to associate the right files to the right ownership group. In the UPG scheme, groups are automatically assigned to files on a project-by-project basis, which makes managing group projects very simple.
Let's say you have a big project called devel, with many people editing the devel files in a devel directory. Make a group called devel, chgrp the devel directory to devel, and add all the devel users to the devel group. Now, all devel users will be able to edit the devel files and create new files in the devel directory, and these files will always retain their devel group. Thus, they will always be editable by other devel users.
If you have multiple projects like devel, and users who are working on multiple projects, these users will never have to change their umask or group when they move from project to project. The setgid bit on each project's main directory "selects" the proper group.
Since each user's home directory is owned by the user and their private group, it is safe to set the setgid bit on the home directory. However, by default, files are created with the primary group of the user, so the setgid bit would be redundant.
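As an added check, not part of the Red Hat guide, the following Python audits /etc/passwd and /etc/group text for the UPG invariant described above: every ordinary user's primary group is named after them and has no other member, whether listed in /etc/group or sharing the GID as a primary group. It assumes a UID_MIN of 500 for ordinary accounts, and the records (alice, bob, carol, devel) are constructed for the example.

```python
"""Audit passwd/group text for the user-private-group (UPG) convention."""
UID_MIN = 500  # assumption: Red Hat 7.0's default first ordinary-user UID

def _records(text):
    """Yield the colon-separated fields of each non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")

def parse_passwd(text):
    """Return {name: (uid, gid)} from /etc/passwd-formatted text."""
    return {f[0]: (int(f[2]), int(f[3])) for f in _records(text)}

def parse_group(text):
    """Return {gid: (name, members)} from /etc/group-formatted text."""
    return {int(f[2]): (f[0], [m for m in f[3].split(",") if m])
            for f in _records(text)}

def upg_violations(passwd_text, group_text, uid_min=UID_MIN):
    """List ordinary users whose primary group is not private: named after
    the user, with no other member listed or sharing it as primary group."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    problems = []
    for name, (uid, gid) in users.items():
        if uid < uid_min:
            continue  # system accounts such as those in Table 2-1
        gname, members = groups.get(gid, ("<missing>", []))
        others = set(members) | {u for u, (_, g) in users.items() if g == gid}
        others.discard(name)
        if gname != name:
            problems.append(f"{name}: primary group {gname} ({gid}) is shared")
        elif others:
            problems.append(f"{name}: private group also has {','.join(sorted(others))}")
    return problems

# Constructed sample: bob was created with the shared 'users' group as his
# primary group, and alice was added to carol's private group.
SAMPLE_PASSWD = """\
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:100::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
users:x:100:
devel:x:510:alice,carol
alice:x:500:
carol:x:502:alice
"""
```

Run it against a real system with `upg_violations(open("/etc/passwd").read(), open("/etc/group").read())`; any output means a 002 umask would expose that user's home-directory files to others.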
Although UPG is not new to Red Hat Linux 7.0, many people still have questions about it, such as why UPG is necessary. The following is the rationale for the scheme.
You'd like to have a group of people work on a set of files in, say, the /usr/lib/emacs/site-lisp directory. You trust a few people to mess around in there, but certainly not everyone.
So you enter:
```sh
chown -R root.emacs /usr/lib/emacs/site-lisp
```
To allow the users to actually create files in the directory you enter:
```sh
chmod 775 /usr/lib/emacs/site-lisp
```
But when a user creates a new file it is assigned the group of the user's default group (usually users). To prevent this you enter:
```sh
chmod 2775 /usr/lib/emacs/site-lisp
```
But the new file needs to be mode 664 for another user in the emacs group to be able to edit it. To do this you make the default umask 002.
Well, this all works fine, except that if your default group is "users," every file you create in your home directory will be writable by everybody in "users" (usually everyone).
To fix this, you make each user have a "private group" as their default group.
At this point, by making the default umask 002 and giving everyone a private default group, you can easily set up groups that users can take advantage of without doing any magic. Just create the group, add the users, and do the above chown and chmod on the group's directories.
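To make the rationale concrete, here is an added Python model (not from the guide) of the two rules it relies on: a new file's mode is 0666 masked by the umask, and its group is the creator's primary group unless the directory is setgid, in which case it inherits the directory's group. The users alice, bob, carol and the GIDs are constructed for the example; the model ignores root's override of permission checks.

```python
"""Model of the UPG rationale: who can edit a file created in a shared directory.

Constructed example, not code from the Red Hat guide. A new file's mode is
0666 masked by the umask; its group is the creator's primary group unless the
directory is setgid, in which case it inherits the directory's group.
"""
S_ISGID = 0o2000

def create_file(dir_mode, dir_gid, creator_gid, umask):
    """Return (mode, gid) of a regular file created in a directory."""
    mode = 0o666 & ~umask
    gid = dir_gid if dir_mode & S_ISGID else creator_gid
    return mode, gid

def can_write(uid, gids, owner_uid, file_mode, file_gid):
    """Classic owner/group/other check for the write bit (no root override)."""
    if uid == owner_uid:
        return bool(file_mode & 0o200)
    if file_gid in gids:
        return bool(file_mode & 0o020)
    return bool(file_mode & 0o002)

# Constructed users: alice (500) and bob (501) are in group emacs (gid 20);
# carol (502) is not. In the traditional layout all three have the shared
# group users (gid 100) as their primary group.
USERS, EMACS = 100, 20
ALICE, BOB, CAROL = (500, {100, 20}), (501, {100, 20}), (502, {100})

def shared_dir_scenario(dir_mode, umask, who=BOB, alice_primary=USERS):
    """alice creates a file in /usr/lib/emacs/site-lisp; can `who` edit it?"""
    mode, gid = create_file(dir_mode, EMACS, alice_primary, umask)
    return can_write(who[0], who[1], ALICE[0], mode, gid)

def home_dir_scenario(umask, alice_primary):
    """alice creates a file in her home directory; can carol edit it?"""
    mode, gid = create_file(0o755, alice_primary, alice_primary, umask)
    return can_write(CAROL[0], CAROL[1], ALICE[0], mode, gid)
```

Walking the guide's steps: chmod 775 with umask 022 leaves bob unable to edit alice's file, chmod 2775 alone still does not help, 2775 plus umask 002 does, but umask 002 with a shared primary group also lets carol edit alice's home-directory files until alice gets a private group.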