Managing Users and Group part2
In our last post, Managing Users and group part1, we saw various aspects of user creation on a Linux system. On this page we try to understand what we come across while creating Linux groups and why they are relevant.
How groups are important
In any operating system, groups are used for many purposes, mostly to categorize users, build access control lists, and set permissions on system resources. They make it easier to work in a large infrastructure or wherever predefined access is required.
A freshly installed operating system always has some groups that have access to certain resources or hold special permissions, and that access passes to their members.
It is always easier to grant and revoke access for a group, because the change takes effect for all of its users, than to work on individual users.
Creation of group
Linux has many groups that are created during installation. These are mostly used to give their members access to system resources and processes, which makes the system more secure and keeps it organized when applications are deployed.
The “/etc/login.defs” file defines the GID ranges used for system and non-system groups.
# Min/max values for automatic gid selection in groupadd
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
So whenever we create a group, it is automatically assigned a GID according to the variables shown in the output above. Let’s create some groups.
User private groups
On Linux machines, every user has its own private group with the same name as the user. This is called the user private group (UPG) scheme. It makes it safe to assign default permissions on newly created files and directories.
[root@srv7 ~]# useradd u1
User creation also created a group with the same name:
[root@srv7 ~]# groups u1
u1 : u1
[root@srv7 ~]# grep u1 /etc/passwd
u1:x:1000:1000::/home/u1:/bin/bash
[root@srv7 ~]# grep u1 /etc/group
u1:x:1000:
In the output above, creating the user also created a group with the same name, with that user as its member.
Groups can also be created that are not tied to any user initially. We then need to add users to them with the usermod command, or we can add them while creating users with the -G option.
Addition of group:
# groupadd g1
Addition of user with one secondary group:
# useradd -G g1 u1
New user has two groups:
# groups u1
u1 : u1 g1
Addition of user:
# useradd u2
# groups u2
u2 : u2
User modification with addition of group:
# usermod -G g1 u2
# groups u2
u2 : u2 g1
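This way we can create users with group membership and use it to control the use of system resources. Note that usermod -G replaces the user's whole list of secondary groups; to add a group while keeping the existing ones, use usermod -aG.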
Many organizations create a Linux/Unix group for each department’s team members, so that all team members can save and access their data on a single storage location and group permissions can be assigned to the whole team easily. All users of the same group can then create and access files in this directory. But when a user creates a file or directory inside that group directory, it gets the group ownership of the user's primary group, which creates issues for the other users. To solve this, you can set the setgid bit on the directory, which maintains common group ownership inside it: with the setgid bit set, whatever a user saves in the group directory is owned by the team's group that owns the directory, which is a secondary group for that user.
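The setgid arrangement described above, as an added example that is not part of the original post: make_shared_dir sets up a team directory and audit_shared_dir checks that the bit is still set and that entries carry the directory's group. The function names, the 2770 mode and the use of GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux with GNU coreutils.

# Create DIR owned by GROUP with mode 2770: rwx for owner and group,
# nothing for others, setgid so new entries inherit the directory's group.
make_shared_dir() {
    dir=$1 group=$2
    mkdir -p "$dir" &&
    chgrp "$group" "$dir" &&
    chmod 2770 "$dir"
}

# Audit DIR: return 0 only if setgid is set, "others" have no access,
# and every entry directly inside carries the directory's group.
audit_shared_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }
    rc=0
    [ -g "$dir" ] || { echo "setgid bit missing on $dir"; rc=1; }
    mode=$(stat -c '%a' "$dir")
    case $mode in
        *0) ;;   # last octal digit 0: no permissions for others
        *) echo "others have access to $dir (mode $mode)"; rc=1 ;;
    esac
    dgid=$(stat -c '%g' "$dir")
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue   # skip unmatched glob patterns
        egid=$(stat -c '%g' "$entry")
        if [ "$egid" != "$dgid" ]; then
            echo "group mismatch: $entry has gid $egid, expected $dgid"
            rc=1
        fi
    done
    return $rc
}
```

Files moved into the directory with mv keep their old group, which is the usual cause of a group mismatch report.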
We can also manage access to this directory without the root user: a normal user can be allowed to handle group administration. We can set a password and an administrator for a group, as shown below.
As written above, we can set a group password, which is used to manage group membership as shown below.
# gpasswd Sales
Changing the password for group Sales
New Password:
Re-enter new password:
Any normal user can use this password to become a group member.
[kamal@centos7-box ~]$ groups
kamal
[kamal@centos7-box ~]$ newgrp Sales
Password:
[kamal@centos7-box ~]$ groups
Sales kamal
This way any user can get the benefits of group membership at any time with the group password. From a security point of view, however, we never suggest sharing a group password publicly; for that reason we can instead assign group administrators for these groups.
As written above, we can assign a group administrator who manages group membership for their teammates. We can make the team leader's user account the group administrator for the team’s group, so that whenever a new member joins the team, the team leader can add them to the Linux secondary group and they can use the group's data as well.
The examples below show this.
Add Steve as group administrator:
[root@centos7-box ~]# gpasswd -A steve IT
Steve is still not a member of this group:
[root@centos7-box ~]# groups steve
steve : steve
Steve can add Mahesh to this group and remove him from it. Mahesh has no secondary group:
[steve@centos7-box ~]$ groups mahesh
mahesh : mahesh
Steve adds Mahesh to this group:
[steve@centos7-box ~]$ gpasswd -a mahesh IT
Adding user mahesh to group IT
[steve@centos7-box ~]$ groups mahesh
mahesh : mahesh IT
Steve removes Mahesh from this group:
[steve@centos7-box ~]$ gpasswd -d mahesh IT
Removing user mahesh from group IT
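A way to review which groups currently have a usable password or delegated administrators, as an added example that is not from the original post: audit_gshadow parses a file in /etc/gshadow format (name:password:administrators:members). The function names and the sample entries are constructed; the Sales and IT lines mirror the sessions above with a placeholder hash.

```shell
#!/bin/sh
# Added example (not from the original post).

# Write a constructed sample in gshadow format to the given path.
write_sample_gshadow() {
    cat > "$1" <<'EOF'
root:::
Sales:$6$CONSTRUCTED$placeholderhash::kamal
IT:!:steve:
g1:!::u1,u2
EOF
}

# Print one line per group that has a usable password or administrators.
# A password field that is empty or starts with ! or * is treated as
# "no usable password" (locked or never set).
audit_gshadow() {
    awk -F: '
        NF < 4 { next }    # skip malformed lines
        {
            haspw = ($2 != "" && $2 !~ /^[!*]/)
            if (haspw || $3 != "")
                printf "%s password=%s admins=%s\n", $1,
                       (haspw ? "set" : "none"), ($3 != "" ? $3 : "-")
        }' "$1"
}
```

On a real system, run audit_gshadow /etc/gshadow as root, since the file is not readable by normal users.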
With the commands and output above, it is quite clear that Linux gives us all the power and features needed to make user and group administration effective and easy. There are many more commands and ways to do this. We will cover some of them in the next post.