Admin groups in Linux

What’s the difference between group admin and adm?

There are two similar groups in Ubuntu: admin and adm. I found that /var/log/apache2 is in the adm group, and the default sudoers includes the admin group. What’s the difference between the two?

3 Answers

The adm group is only good for viewing all the log files in /var/log (which historically used to be called /var/adm). It has no relation to sudo or root.

So if I wasn’t part of adm, and I could sudo, would I be able to view the logs? Or must I be part of adm?

@CMCDragonkai the root user can generally do anything, so you still should be able to access /var/log.

@CMCDragonkai Sudo lets you become root, so yes. If root can do it, then so can someone with sudo access.

Admin is just wrong, it’s probably there as an example. Adm is a historical artifact. You can see if either group exists on your system and if there are files/directories owned by them. There may also be PAM (limits.conf) rules.

They are nothing magical. They are just normal groups that may or may not be used in some config or filesystem permission.

You can have a look at Securing Debian Manual for explanations to some of the names. If Ubuntu has a matching one, you might want that instead.

The admin group is valid on Ubuntu versions

The admin group is used to grant sudo access on Ubuntu 11.10 and earlier.

You may also see it on 12.04 for backwards compatibility if you upgraded. If you did a fresh install you will probably not see it.

Up until Ubuntu 11.10, administrator access using the sudo tool was granted via the "admin" Unix group. In Ubuntu 12.04, administrator access will be granted via the "sudo" group. This makes Ubuntu more consistent with the upstream implementation and Debian. For compatibility purposes, the "admin" group will continue to provide sudo/administrator access in 12.04. [1]

As was mentioned above, adm is related to log access:

adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group. [2]


Users and groups

Users and groups are used on GNU/Linux for access control—that is, to control access to the system’s files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL, Capabilities and PAM configuration how-tos.


Overview

A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.

Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use several programs for controlled privilege elevation.

Any individual may have more than one account as long as they use a different name for each account they create. Further, there are some reserved names which may not be used such as "root".

Users may be grouped together into a "group", and users may be added to an existing group to utilize the privileged access it grants.

Note: The beginner should use these tools carefully and stay away from having anything to do with any other existing user account, other than their own.

Permissions and ownership

The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: "everything is a file," widely regarded as one of the defining points of UNIX. This key design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a "file." Since every "file" is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.

A fundamental and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications — simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the /dev directory. On many systems, audio recording and playback can be done simply with the commands, "cat /dev/audio > myfile" and "cat myfile > /dev/audio," respectively.

Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file’s owning user, owning group, and others (those without ownership). One can determine a file’s owners and permissions by viewing the long listing format of the ls command:

total 13740
drwxr-xr-x 2 root root    4096 Jan 12 00:33 grub
-rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
-rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
-rw-r--r-- 1 root root 1457315 Jan  8 08:19 System.map26
-rw-r--r-- 1 root root 2209920 Jan  8 08:19 vmlinuz-linux

The first column displays the file’s permissions (for example, the file initramfs-linux.img has permissions -rw-r--r--). The third and fourth columns display the file’s owning user and group, respectively. In this example, all files are owned by the root user and the root group.
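How the permission column and the two ownership columns of such a listing combine into an access decision, as an added example (not from the original article). `may_access` is a hypothetical helper and the syslog and notes.txt lines are constructed samples; ACLs and root, which bypasses these checks, are not modelled.

```shell
#!/bin/sh
# Constructed `ls -l` lines in the format shown above.
LOG='-rw-r----- 1 syslog adm 48213 Jan 12 00:33 syslog'
SHARED='drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared'
ODD='-r--rw---- 1 alice staff 120 Jan 12 00:33 notes.txt'

# usage: may_access "<ls -l line>" <user> "<user's groups>" <r|w|x>
# Prints "<class> yes" or "<class> no", where class is the single
# permission triplet (owner, group or other) that applies to the user.
may_access() {
    line=$1 user=$2 ugroups=$3 want=$4
    set -- $line                  # columns: mode links owner group ...
    mode=$1 owner=$3 group=$4
    # Exactly one class applies, checked in this order. An owner is
    # judged by the owner bits even when the group bits grant more.
    if [ "$user" = "$owner" ]; then
        class=owner; cols=2-4
    elif printf ' %s ' "$ugroups" | grep -qF -- " $group "; then
        class=group; cols=5-7
    else
        class=other; cols=8-10
    fi
    bits=$(printf '%s' "$mode" | cut -c"$cols")
    # A lowercase s or t in the execute slot means x is set as well.
    if [ "$want" = x ]; then pat='[xst]'; else pat=$want; fi
    case $bits in
        *$pat*) echo "$class yes" ;;
        *)      echo "$class no" ;;
    esac
}

may_access "$LOG" alice "alice adm" r       # adm member can read the log
may_access "$LOG" bob "bob" r               # everyone else cannot
may_access "$SHARED" bob "bob users" x      # not in vboxsf: cannot enter
may_access "$ODD" alice "alice staff" w     # owner bits win over group bits
```
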

total 16
drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared

In this example, the sf_Shared directory is owned by the root user and the vboxsf group. It is also possible to determine a file’s owners and permissions using the stat command:


How to create, delete, and modify groups in Linux

Groups are an essential part of the Linux permission structure and a powerful way to manage file access on your system.


In Linux, groups are collections of users. Creating and managing groups is one of the simplest ways to deal with multiple users simultaneously, especially when dealing with permissions. The /etc/group file stores group information and is the default configuration file.


Linux admins use groups to assign access to files and other resources. Every group has a unique ID listed in the /etc/group file, along with the group name and members. The first groups listed in this file are system groups because the distribution maintainers preconfigure them for system activities.

Each user may belong to one primary group and any number of secondary groups. When you create a user on Linux using the useradd command, a group with the same name as the username is also created, and the user is added as the group’s sole member. This group is the user’s primary group.


Create and modify groups

To add a group in Linux, use the groupadd command:

When a group is created, a unique group ID gets assigned to that group. You can verify that the group appears (and see its group ID) by looking in the /etc/group file.

If you want to create a group with a specific group ID (GID), use the --gid or -g option:

$ sudo groupadd -g 1009 demo1

If group ID 1009 is already allocated to another group, you’re alerted that the GID is unavailable and the operation aborts. Rerun it with a different group ID number:

$ sudo groupadd -g 1010 demo1

Change the group ID

You can change the group ID of any group with the groupmod command and the --gid or -g option:

$ sudo groupmod -g 1011 demo1


Rename a group

You can rename a group using groupmod with the --new-name or -n option:

$ sudo groupmod -n test demo1

Verify all these changes from the /etc/group file.


Add and remove users from a group

Suppose you have existing users named user1 and user2, and you want to add them to the demo group. Use the usermod command with the --append --groups options (-a and -G for short):

$ sudo usermod --append --groups demo user1
$ sudo usermod -aG demo user2

Look in the /etc/group file or use the id command to confirm your changes:

$ id user1
uid=1005(user1) gid=1005(user1) groups=100(users),1009(demo)

To remove a specific user from a group, you can use the gpasswd command to modify group information:

$ sudo gpasswd --delete user1 demo

Alternatively, manually edit the /etc/group file and remove the user from any number of groups.


What is the difference between the ‘sudo’ and ‘admin’ group?

My user account with "Administer the system" privileges is in the admin group, and there don’t appear to be any users in the sudo group. What are these two groups for?

3 Answers

Ubuntu 12.04 LTS and later

Administrators are added to the sudo group, but the admin group is supported for backward compatibility. From the release notes:

Up until Ubuntu 11.10, administrator access using the sudo tool was granted via the admin Unix group. In Ubuntu 12.04, administrator access will be granted via the sudo group. This makes Ubuntu more consistent with the upstream implementation and Debian. For compatibility purposes, the admin group will continue to provide sudo/administrator access in 12.04.

It is not created when you do a fresh install, though it is still present if you upgraded from previous distributions. Either way, the admin group appears in the /etc/sudoers file.

Cool. Thanks! Could you please add an explanation about the difference between ALL=(ALL) and ALL=(ALL:ALL)?

Ubuntu 11.10 and earlier

By default the sudo group is not used in Ubuntu:

  • the user created during installation belongs to the admin group, not sudo;
  • no guide or manual I ever read advises using the sudo group;
  • no one feels the need to use the sudo group, because the admin group can do all one needs.

Conversely, on Debian the group enabled in /etc/sudoers is the sudo group, and there is no admin group. But the user created during installation is not put in that group, because Debian has the root account enabled. You should do it explicitly, if you want to.

Also, Fedora is similar to Debian, having root enabled and no default privileges for the user created during installation. But the administrative group configured in /etc/sudoers is the more traditional group wheel.

In conclusion, I think there is no use for sudo group in Ubuntu, simply it is a Debian heritage.
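A check that follows from the answers above, as an added example that is not part of the original posts: it lists every user who gets sudo through a group rule, which is how a leftover admin group on an upgraded Ubuntu system shows up, and it also counts users whose primary group is a sudo group. The sudoers, group and passwd contents are constructed samples and the function names are hypothetical; sudoers includes and aliases are not followed.

```shell
#!/bin/sh
# Constructed sample data (not from a real host): an upgraded Ubuntu
# system that still carries the legacy admin group next to sudo.
SUDOERS='root    ALL=(ALL:ALL) ALL
# legacy rule kept for upgrades
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL'
GROUP_DB='root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice
admin:x:110:bob
carol:x:1002:'
PASSWD_DB='alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:27::/home/carol:/bin/bash'

# Groups named by "%group" rules in the sudoers text ($1).
sudoers_groups() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^%/ { sub(/^%/, "", $1); print $1 }' | sort -u
}

# Members of group $1: names listed in the group file ($2) plus users
# whose primary GID in the passwd file ($3) is that group's GID.
group_members() {
    gid=$(printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3 }')
    [ -n "$gid" ] || return 0
    {
        printf '%s\n' "$2" | awk -F: -v g="$1" \
            '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        printf '%s\n' "$3" | awk -F: -v id="$gid" '$4 == id { print $1 }'
    } | sort -u
}

# One "user via group" line per account that gets sudo from a group rule.
sudo_capable() {
    for g in $(sudoers_groups "$1"); do
        for u in $(group_members "$g" "$2" "$3"); do
            echo "$u via $g"
        done
    done
}

sudo_capable "$SUDOERS" "$GROUP_DB" "$PASSWD_DB"
```

In the sample, bob is reported only because of the legacy admin rule, carol only because sudo is her primary group, and membership in adm contributes nothing.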
