Web page hosting, cheap domain name & website promotion services
  

 Home
Red Hat Linux 7.2: The Official Red Hat Linux Reference Guide
PrevChapter 2. Users and GroupsNext

User Private Groups

Red Hat Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to use. The UPG scheme does not add or change anything in the standard UNIX way of handling groups; it simply offers a new convention. Whenever you create a new user, by default, they have a unique group. The scheme works as follows:

User Private Group

Every user has a primary group; the user is the only member of that group.

umask = 002

Traditionally, on UNIX systems the umask is 022, which prevents other users and other members of a user's primary group from modifying a user's files. Since every user has their own private group in the UPG scheme, this "group protection" is not needed. A umask of 002 will prevent users from modifying other users' private files. The umask is set in /etc/profile.

setgid bit on Directories

If you set the setgid bit on a directory (with chmod g+s directory), files created in that directory will have their group set to the directory's group.

Many IT organizations like to create a group for each major project and then assign people to the group if they need to access that group's files. Using this traditional scheme, managing files has been difficult because when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it is difficult to associate the right files with the right group. Using the UPG scheme, however, groups are automatically assigned to files created within a directory with the setgid bit set, which makes managing group projects that share a common directory very simple.

For example, say you have a big project called devel, with many people editing the devel files in a devel directory. Make a group called devel, chgrp the devel directory to devel, and add all of the devel users to the devel group.

You can add a user to a group using redhat-config-users (see the Official Red Hat Linux Customization Guide), or if you prefer to use the command line, use the /usr/sbin/groupadd groupname command to create a group. The /usr/bin/gpasswd -a loginname groupname command will add a user loginname to a group. (See the groupadd and gpasswd man pages if you need more information on their options.) The /etc/group file contains the group information for your system.

If you created the devel group, added users to the devel group, changed the group for devel directory to the devel group, and set the setgid bit for the devel directory, all devel users will be able to edit the devel files and create new files in the devel directory. The files they create will always retain their devel group status, so other devel users will always be able to edit them.

If you have multiple projects like devel and users who are working on multiple projects, these users will never have to change their umask or group when they move from project to project. If set correctly, the setgid bit on each project's main directory "selects" the proper group for all files created in that directory.

Since each user's home directory is owned by the user and their private group, it is safe to set the setgid bit on the home directory. However, by default, files are created with the primary group of the user, so the setgid bit would be redundant.

User Private Group Rationale

Although UPG has existed in Red Hat Linux for quite some time, many people still have questions about it, such as why UPG is necessary. Consider the following scenario on a system without UPG:

  • You would like to have a group of people work on a set of files in the /usr/lib/emacs/site-lisp directory. You trust a few people to modify the directory but certainly not everyone.

  • So, first you create an emacs group: 

    /usr/sbin/groupadd emacs

    Next, you enter: 

    chown -R root.emacs /usr/lib/emacs/site-lisp

    to associate the contents of the directory with the emacs group and add the proper users to the group: 

    /usr/bin/gpasswd -a <username> emacs

  • To allow the users to actually create files in the directory you enter: 

    chmod 775 /usr/lib/emacs/site-lisp

  • But when a user creates a new file it is assigned the group of the user's default group (usually users). To prevent this you enter: 
    chmod 2775 /usr/lib/emacs/site-lisp

    which causes everything in the directory to be created with the emacs group.

  • But the new file needs to be mode 664 for another user in the emacs group to be able to edit it. To do this you make the default umask 002.

  • Well, this all works fine, except that if your default group is users, every file you create in your home directory will be writable by everybody in users (usually everyone).

  • To fix this, you make each user have a "private group" as their default group.

At this point, by making the default umask 002 and giving everyone a private default group, you can easily set up groups that users can take advantage of without any extra work every time users write files to the group's common directory. Just create the group, add the users, and do the above chown and chmod on the group's directories.

PrevHomeNext
Standard GroupsUpShadow Utilities
 

 

 

 

Buy Cheap domains and domain register |  Cheap domain registration and transfer 

Disclaimer: For authoritative source or latest update to this documentation, please refer to http://www.redhat.com/docs/manuals/linux/

 

 
Quotes: The tree which moves some to tears of joy is in the eyes of others only a green thing that stands in the way. Some see nature all ridicule and deformity - and some scarce see nature at all. But to the eyes of the man of imagination, nature is imagination itself.Genius: To know without having learned; to draw just conclusions from Anonymous premises; to discern the soul of things.A specialist is one who knows everything about something and nothing about anything else.