Groups: Managing Access Permissions

Groups: Managing Access Permissions

Every file and folder in a GNU/Linux system belongs to a group. Each user is also a member of a group. Groups are used to control collections of users who may have access to particular files and folders.

A Debian GNU/Linux system creates some standard groups and users. The system administrator can also create new users and may also create new groups. Groups can be managed using the Gnome users-admin tool, accessed from Applications-->System Tools-->Users and Groups. By default this shows only users, but you can access groups by selecting the More Options button. This allows you to add new groups and to add and remove users from groups.

**Figure 42.1:** Gnome interface for managing GNU/Linux groups.

We list below the standard groups and users, but the reader is referred to /usr/share/doc/base-passwd/users-and-groups.html for further details.

Group gid Description

root 0 This is root's primary group.

daemon 1 A group for non-root daemons.

bin 2 This group exists for historical reasons and some programs won't run without it.

sys 3 This group exists for historical reasons and some programs won't run without it.

adm 4 Most of the log files (in /var/log) are group readable by users who belong to his group. You can add users who need to monitor such log files to this group. Note though that sometimes private information can be accidentally included in logs, like passwords when connecting via PPP over a Modem. This should not happen (the scripts that write the logs should identify these as not being echoed) but the potential for mistakes is there.

tty 5 The terminal devices with names beginning with /dev/tty are group accessible to group tty. Programs such as write and wall need access to /dev/tty and they set their group id (sgid) to tty.

disk 6 The disk device nodes are group accessible to disk so that programs that need access to them are sgid disk.

lp 7 Jobs associated with the lp (printer) daemon (lpd) are group accessible to the lp group so that lpd can access them without being root.

mail 8 mailbox spool directories belong to group mail, MUA software runs setgid mail. This makes dot locking possible. Also, mailboxes must be writeable by group mail (Policy Manual, 3.1.1.1, 5.6).

news 9 standard group for user news. Why does news have its own group, and many of the other daemon uids don't?

uucp 10 uucp jobs are group accessible to uucp.

proxy 13 web cache files are group accessible to proxy.

kmem 15 /proc/kmem is group accessible to kmem. Programs that need access are sgid kmem.

dialout 20 ppp- and isdn device nodes are group accessible to dialout. Include users allowed to initiate dialout in this group.

fax 21 fax jobs are group accessible to fax.

voice 22 voice messages are group accessible to voice (vgetty)

cdrom 24

floppy 25

tape 26 for device nodes. Include users allowed to access these in the appropriate groups.

sudo 27

audio 29 for device nodes. Include users allowed to access sound in this group

dip 30 For daemons running under their own uid/gid. Why are these static?

majordom 30 For daemons running under their own uid/gid. Why are these static?

postgres 32 For daemons running under their own uid/gid. Why are these static?

www-data 33 This has been discussed in the past, and the discussion is not finally finished. Today, www data files belong to this group and the web servers run with that group, thus being able to write the files. This has been considered a security hole, but was not yet changed.

backup 34

msql 36 For daemons running under their own uid/gid. Why are these static?

operator 37

list 38

irc 39 For daemons running under their own uid/gid. Why are these static?

src 40 This group is intended for users who need to access source code, including files in /usr/src. Users in this group can thus manage system source code. Also, this group is the default group for access to the CSV repository in /var/lib/csv.

gnats 41 For daemons running under their own uid/gid. Why are these static?

shadow 42 Programs that should be able to access the shadow passwords are sgid shadow.

utmp 43 Programs that should be able to access utmp are sgid utmp.

video 44

staff 50 This group is used to control access to /usr/local. Add users to this if they should be able to write to /usr/local and /var/local.

games 60 games that store user independent high score values in /var/lib/games are sgid games

qmail 70 used for qmail

users 100 All users belong to this group. Place files that all users should have access to in this group.

Group	gid	Description
root	0	This is root's primary group.
daemon	1	A group for non-root daemons.
bin	2	This group exists for historical reasons and some programs won't run without it.
sys	3	This group exists for historical reasons and some programs won't run without it.
adm	4	Most of the log files (in `/var/log`) are group readable by users who belong to his group. You can add users who need to monitor such log files to this group. Note though that sometimes private information can be accidentally included in logs, like passwords when connecting via PPP over a Modem. This should not happen (the scripts that write the logs should identify these as not being echoed) but the potential for mistakes is there.
tty	5	The terminal devices with names beginning with `/dev/tty` are group accessible to group tty. Programs such as write and wall need access to `/dev/tty` and they set their group id (sgid) to tty.
disk	6	The disk device nodes are group accessible to disk so that programs that need access to them are sgid disk.
lp	7	Jobs associated with the lp (printer) daemon (lpd) are group accessible to the lp group so that lpd can access them without being root.
mail	8	mailbox spool directories belong to group mail, MUA software runs setgid mail. This makes dot locking possible. Also, mailboxes must be writeable by group mail (Policy Manual, 3.1.1.1, 5.6).
news	9	standard group for user news. Why does news have its own group, and many of the other daemon uids don't?
uucp	10	uucp jobs are group accessible to uucp.
proxy	13	web cache files are group accessible to proxy.
kmem	15	/proc/kmem is group accessible to kmem. Programs that need access are sgid kmem.
dialout	20	ppp- and isdn device nodes are group accessible to dialout. Include users allowed to initiate dialout in this group.
fax	21	fax jobs are group accessible to fax.
voice	22	voice messages are group accessible to voice (vgetty)
cdrom	24
floppy	25
tape	26	for device nodes. Include users allowed to access these in the appropriate groups.
sudo	27
audio	29	for device nodes. Include users allowed to access sound in this group
dip	30	For daemons running under their own uid/gid. Why are these static?
majordom	30	For daemons running under their own uid/gid. Why are these static?
postgres	32	For daemons running under their own uid/gid. Why are these static?
www-data	33	This has been discussed in the past, and the discussion is not finally finished. Today, www data files belong to this group and the web servers run with that group, thus being able to write the files. This has been considered a security hole, but was not yet changed.
backup	34
msql	36	For daemons running under their own uid/gid. Why are these static?
operator	37
list	38
irc	39	For daemons running under their own uid/gid. Why are these static?
src	40	This group is intended for users who need to access source code, including files in /usr/src. Users in this group can thus manage system source code. Also, this group is the default group for access to the CSV repository in `/var/lib/csv`.
gnats	41	For daemons running under their own uid/gid. Why are these static?
shadow	42	Programs that should be able to access the shadow passwords are sgid shadow.
utmp	43	Programs that should be able to access utmp are sgid utmp.
video	44
staff	50	This group is used to control access to `/usr/local`. Add users to this if they should be able to write to `/usr/local` and `/var/local`.
games	60	games that store user independent high score values in /var/lib/games are sgid games
qmail	70	used for qmail
users	100	All users belong to this group. Place files that all users should have access to in this group.