Users can be listed in groups. Groups allow you to set permissions on the group level
instead of having to set permissions for every individual user. Every Unix or
Linux distribution will have a graphical tool to manage groups. Novice users
are advised to use this graphical tool. More experienced users can use command
line tools to manage users.
groupadd
Groups can be created with the groupadd command. The example below shows the
creation of five (empty) groups.
root@linux:~# groupadd tennis
root@linux:~# groupadd football
root@linux:~# groupadd snooker
root@linux:~# groupadd formula1
root@linux:~# groupadd salsa
/etc/group
Users can be a member of several groups. Group membership is defined by the /etc/group
file.
root@linux:~# tail -5 /etc/group
tennis:x:1006:
football:x:1007:
snooker:x:1008:
formula1:x:1009:
salsa:x:1010:
root@linux:~#
The first field is the group's name. The second field is the group's (encrypted) password
(can be empty). The third field is the group identification or GID. The fourth
field is the list of members; these groups have no members.
usermod
Group membership can be modified with the useradd or usermod command.
root@linux:~# usermod -a -G tennis inge
root@linux:~# usermod -a -G tennis katrien
root@linux:~# usermod -a -G salsa katrien
root@linux:~# usermod -a -G snooker sandra
root@linux:~# usermod -a -G formula1 annelies
root@linux:~# tail -5 /etc/group
tennis:x:1006:inge,katrien
football:x:1007:
snooker:x:1008:sandra
formula1:x:1009:annelies
salsa:x:1010:katrien
root@linux:~#
Be careful when using usermod to add users to groups. By default, the usermod command
will remove the user from every group of which he is a member if the
group is not listed in the command! Using the -a (append) switch
prevents this behaviour.
groupmod
You can change the group name with the groupmod command.
root@linux:~# groupmod -n darts snooker
root@linux:~# tail -5 /etc/group
tennis:x:1006:inge,katrien
football:x:1007:
formula1:x:1009:annelies
salsa:x:1010:katrien
darts:x:1008:sandra
groupdel
You can permanently remove a group with the groupdel command.
root@linux:~# groupdel tennis
root@linux:~#
groups
A user can type the groups command to see a list of the groups to which the user
belongs.
[harry@Linux ~]$ groups
harry sports
[harry@Linux ~]$
gpasswd
You can delegate control of group membership to another user with the gpasswd command.
In the example below we delegate permissions to add and remove group members to
serena for the sports group. Then we su to serena and add harry to the sports
group.
[root@Linux ~]# gpasswd -A serena sports
[root@Linux ~]# su - serena
[serena@Linux ~]$ id harry
uid=516(harry) gid=520(harry) groups=520(harry)
[serena@Linux ~]$ gpasswd -a harry sports
Adding user harry to group sports
[serena@Linux ~]$ id harry
uid=516(harry) gid=520(harry) groups=520(harry),522(sports)
[serena@Linux ~]$ tail -1 /etc/group
sports:x:522:serena,venus,harry
[serena@Linux ~]$
Group administrators do not have to be a member of the group. They can remove themselves
from a group, but this does not influence their ability to add or remove members.
[serena@Linux ~]$ gpasswd -d serena sports
Removing user serena from group sports
[serena@Linux ~]$ exit
Information about group administrators is kept in the /etc/gshadow file.
[root@Linux ~]# tail -1 /etc/gshadow
sports:!:serena:venus,harry
[root@Linux ~]#
To remove all group administrators from a group, use the gpasswd command to set an
empty administrators list.
[root@Linux ~]# gpasswd -A "" sports
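
An added example, not part of the original page: a shell function that lists every delegated group administrator in a gshadow-format file and marks whether that administrator is also a member of the group, since administrators who have removed themselves no longer appear in the member list. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Audit delegated group administration in gshadow-format input.
# Record layout: group:password:administrators:members

# list_group_admins [FILE...]
# Prints "group admin member|non-member" for each delegated administrator.
# Reads standard input when no file is given.
list_group_admins() {
    awk -F: '
        $3 != "" {
            # Reset, then fill, a lookup set of the members (field 4).
            split("", is_member)
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) is_member[members[i]] = 1
            # Report each administrator (field 3) with membership status.
            m = split($3, admins, ",")
            for (j = 1; j <= m; j++)
                print $1, admins[j], ((admins[j] in is_member) ? "member" : "non-member")
        }
    ' "$@"
}

# sample_gshadow: constructed records in the same format as the
# "sports:!:serena:venus,harry" line shown above.
sample_gshadow() {
    cat <<'EOF'
sports:!:serena:venus,harry
tennis:!::inge,katrien
salsa:!:katrien,root:katrien
darts:!::sandra
EOF
}

# Demo on the constructed sample.
sample_gshadow | list_group_admins
```

On a live system, run `list_group_admins /etc/gshadow` as root, since the file is not readable by ordinary users.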