Linux include group in group

Group does not show up in groups command

I added a new group. Then I logged out, and logged back in, but the groups command does not show the group. If I try to add the group, I get an error. What gives?

me@z80hd2:~$ groupadd sdk_users
groupadd: group 'sdk_users' already exists
me@z80hd2:~$ groups
me adm cdrom sudo dip plugdev lpadmin sambashare
me@z80hd2:~$

The groups command prints the groups a user is in — it does not list all the groups that may exist

try grep sdk_users /etc/group to see if sdk_users is in local group (local=group defined in the host you are in).

2 Answers

Because you are me as a user :). So you can only see the groups you are in. If you want to see the group you created, you should look at /etc/group:

cat /etc/group | grep sdk_users
sdk_users:x:1001:

The groupadd command creates a group on the system. It does not make your user a member of that group.

The groups command will list group memberships for your user account, and won’t tell you about system groups that you don’t belong to.

Unless you have a complex authentication system, the group has most likely been added to the /etc/group file, which is why groupadd sdk_users tells you the group exists. You can check that it exists by running grep sdk_users /etc/group.

A typical entry in /etc/group contains a list of the form

GROUP_NAME:PASSWORD:NUMERIC_GID:USER1,USER2,USER3 

The password is typically ‘x’ meaning no password. If the users part is blank, then no users are a member of the group.

Based on the fact that you’re expecting results from logging out and running group, I assume you are expecting your user to be a member of sdk_users. groupadd does not add your user. You’ll need to run another command to add your user to the group. On Debian-based systems (and I assume others) the command is

usermod --append --groups sdk_users me 

This modifies group membership for the user "me" to include the group "sdk_users", in addition to all the groups you’re already a member of.

Once your user is added to the group, you’ll need to log out and back in. Then you should see the new group listed when you run groups.

To learn more about usermod, you can type man usermod at the terminal, or just do an internet search for "usermod manpage", however after looking over the groupadd manpage I can definitely see that the information isn’t necessarily clear enough for someone new to *nix.


Group within group file permissions

I tried finding this on here, but couldn’t so sorry if it’s a duplicate. Say I have 2 groups and a user: group1, group2, user1 with the following structure: group1 is a member of group 2, user1 is a member of group1 Now say I have the following files with relevant permissions

file1 root:group1 660
file2 root:group2 660

Now when I log into user1, I’m able to edit file1, but not edit file2. Short of adding user1 to group2, is there any way of doing this? or is there no way? I’m using Ubuntu btw.

If I’m not mistaken, the classic group-based permissions in Linux do not allow you to put a group inside another group. So did you install something which enables this feature?


A User can be a member of several groups. If you add User1 to group2 he is able to change File2. The command of your choice would be useradd.

@user1146332 The whole point is to not add user1 to group2. If that is the only way then I can do that, but theoretically I’d prefer a group nesting structure.

1 Answer

There is no such thing as a group being a member of a group. A group, by definition, has a set of user members. I’ve never heard of a feature that would let you specify “subgroups” where members of subgroups are automatically granted membership into the supergroup on login. If /etc/group lists group1 as a member of group2, it designates the user called group1 (if such a user exists, which is possible: user names and group names live in different name spaces).

If you want user1 to have access to file2, you have several solutions:

  • Make file2 world-accessible (you probably don’t want this)
  • Make user1 the owner of file2: chown user1 file2
  • Add user1 to group2: adduser user1 group2
  • Add an ACL to file2 that grants access to either user1 or group1:
setfacl -m user:user1:rw file2
setfacl -m group:group1:rw file2


Adding a user to multiple groups in Linux

In Linux, users are put into groups to control access to various files and devices. In many cases, the user will have to be in multiple groups. Did you know that you can add the user to multiple groups at once?

How to add a single user to multiple groups: To add a user to more than one group at a time you can use usermod: “usermod -a -G groupname,anothergroup username”. The group names are separated by commas with no spaces. The -a switch is important, as it tells usermod not to overwrite the current groups.

Here is an example if we were to add the user max to the sudo group and the lpadmin group:

usermod -a -G sudo,lpadmin max

Note that the user will have to log out and back in again if he or she is currently logged in.

Another less common method is to use the gpasswd command to add a user to a group. But the gpasswd command will only allow you to add to one group at a time.

Add a user to multiple groups when creating the user

You can also add a user to the groups he should belong to while creating the user. Just add the -G argument to the useradd command. In the following example, we will add the user max and add him to the sudo and lpadmin groups.

useradd -G sudo,lpadmin max

This will also add the user to his primary group. The primary group is usually named after the user. So in the example above, the user max will belong to two groups: max and sudo. If you want to override this behaviour, you can specify the primary group with the lower case -g argument.

useradd -g users -G sudo,lpadmin max

I have added some more commands below that can be useful when working with groups. Keep reading if you want to know more.

Not all groups are the same

When working with groups in Linux, it is important to note that the user will have two kinds of group assignments.

The primary group

The first type of group assignment is the primary group. This is the user’s main group. Every user must belong to one, and only one, primary group. This group is used as the default group of files that the user creates and is basically only meant for this user and users he wants to grant access to his files.

The primary group usually has the same name as the user. For example, the user max most likely has the primary group max. This is the most common configuration in Linux. Some systems, however, will have all regular users belong to some generic primary group like users and then have administrators belong to a generic admin group.

Secondary groups

The second type of group is a secondary group. Every user can be assigned to multiple secondary groups. The secondary group can be another user’s group or a special group that gives users some particular permissions. One example of a secondary group is the sudo group in Ubuntu and many other distros. Users that are assigned to the sudo group are allowed to use the sudo command to execute commands as the root user.

In the command examples above, the upper case -G always refers to the secondary groups and a lower case -g refers to the primary group. If only the upper case -G is specified, the command will not have any effect on the primary group and vice versa.

List groups a user belongs to

Before you add a user to some groups it could be helpful to know what groups he is already a member of. The quickest method to list all groups a particular user is a member of is to use the groups command. Here we will list all groups the user max belongs to:

If I just want to quickly get a list of groups I myself belong to, I can enter the groups command without any arguments. It will then assume that I want the groups of the currently logged in user.

List all groups that the current user belongs to using the groups command.

You could also get this from the /etc/group file. This file contains all the groups that exist in your system, as well as their members. To get all the groups the user max belongs to, use grep to extract all mentions of max in the group file.
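Using grep on the group file matches substrings, so a search for max also returns groups that list maxine, and it never reports the primary group, which is recorded in /etc/passwd. The following added example (not from the original article) resolves memberships exactly from passwd- and group-format text; the sample data, including maxine, user1, group1 and group2, is constructed, and it also shows that a group name in a member list is never expanded into that group's users.

```shell
#!/bin/sh
# Added example: exact membership lookup from passwd/group-format text.
# All sample data below is constructed for illustration.

sample_passwd='max:x:1000:1000:Max:/home/max:/bin/bash
maxine:x:1003:1003:Maxine:/home/maxine:/bin/bash
user1:x:1004:2001:User One:/home/user1:/bin/bash'

# Format: GROUP_NAME:PASSWORD:NUMERIC_GID:USER1,USER2,...
sample_group='sudo:x:27:maxine
lpadmin:x:116:max,maxine
max:x:1000:
maxine:x:1003:
sdk_users:x:1001:
group1:x:2001:
group2:x:2002:group1'

# groups_of USER PASSWD_TEXT GROUP_TEXT
# Prints the primary group first, then the supplementary groups.
# Returns 1 if the user has no passwd entry.
groups_of() {
    gid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$3" | awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { primary = $1; next }        # primary group comes from passwd
        {
            n = split($4, m, ",")               # member list holds user names only
            for (i = 1; i <= n; i++)
                if (m[i] == u) sup = sup " " $1 # exact match, not a substring
        }
        END { if (primary == "") primary = gid; print primary sup }'
}

# members_of GROUP GROUP_TEXT
# Prints the explicit member list, which is empty for a freshly created group.
members_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

groups_of max "$sample_passwd" "$sample_group"
groups_of user1 "$sample_passwd" "$sample_group"
```

On a live system, getent passwd and getent group can supply the two inputs, which also covers accounts that come from a directory service rather than the local files.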

List users in a group

What if you want it the other way around, to print all the users that are in some group?

One way would be to use grep as we did above. But instead of searching for the user, we now search for the group name. Like in this example, where we try to find which users belong to the sudo group.

Some Linux distributions also include the groupmems utility. Groupmems is a tool to administrate groups on a system. Since it is not always included, I only mention it here as a second option:

Remove a user from a group

Surprisingly, usermod does not have any option to remove a user from a group. It does have the option of overwriting the current group memberships a user has, which is what happens when you skip the -a argument in the usermod command. This is not very convenient, since you would have to list all the groups a user has and then enter them again on the command line.

It is a lot easier to use the gpasswd command. You simply use the “--del username” argument. Here we will remove the user max from the sudo group:

List all existing groups

If I wanted to see all the groups that exist on a system, I would simply look at the /etc/group file. Using the cat command, that is quite easy to do:

It is also possible to use the getent command:

This will show you some extra information like the group id (GID) and a list of members of the group. If you just want the group names, the cut command can remove all the extra information:

That’s it for now

Hopefully, you now have a solid understanding of how to add users to groups.


Setting multiple groups as directory owners

On my server I have directory /srv/svn. Is it possible to set this directory to have multiple group ownerships, for instance devFirmA, devFirmB and devFirmC? The point is, I want to subversion version control manage multiple users across multiple repositories and I do not know how to merge /srv/svn, the root directory of repositories, permissions. I have, for instance, three firms, FirmA, FirmB and FirmC. Now, inside /srv/svn I’ve created three directories, FirmA, FirmB, FirmC and inside them I’ve created repository for each project and now I do not know how to establish permission scheme since all elements inside /srv/svn are owned by root:root, which is not ok, or am I wrong?

Do the firm groups access each others files? Or are they completely separate, other than sharing a parent directory?

@TechZilla firm group MUST Not access each others files, they MUST be separated, only I must have access to all directories.

OK, I posted the correct answer, you should not use ACLs for this. They are a last resort option, this problem is still a very common one.

5 Answers

You can only have one group as owner.

However using access control lists you can define permissions for other groups.

Check if you have ACL installed issuing the command getfacl. If your system hasn’t ACL installed, install the command line tools which are in the acl package with: sudo apt-get install acl

With getfacl you can read the ACL information of a directory or other file, and with setfacl you can add groups to a file.

setfacl -m g:devFirmB:rwx /srv/svn/ 

Adds the group devFirmB with read, write, execute permissions to directory /srv/svn.

If you also want files created in that directory to be owned by multiple groups, set the ACL as the default ACL. The X in the default group entry means “allow execution if executable by the owner (or anyone else)”.

setfacl -m g:devFirmB:rwx /srv/svn/
setfacl -d -m g:devFirmB:rwX /srv/svn/

This is an extremely common problem, if I understand it accurately, and I encounter it constantly. If I used ACLs for every trivial grouping problem, I would have tons of unmanageable systems. They are using the best practice when you cannot do it any other way, not for this situation. This is the method I very strongly recommend.

First you need to set your umask to 002, this is so a group can share with itself. I usually create a file like /etc/profile.d/firm.sh, and then add a test command with the umask.

Next you need to set the directories to their respective groups,

chgrp -R FirmA /srv/svn/FirmA
chgrp -R FirmB /srv/svn/FirmB
chgrp -R FirmC /srv/svn/FirmC

Finally you need to set the SGID bit properly, so the group will always stay to the one you set. This will prevent a written file from being set to the writer’s GID.

find /srv/svn/FirmA -type d -print0 | xargs -0 chmod 2775
find /srv/svn/FirmB -type d -print0 | xargs -0 chmod 2775
find /srv/svn/FirmC -type d -print0 | xargs -0 chmod 2775
find /srv/svn/FirmA -type f -print0 | xargs -0 chmod 664
find /srv/svn/FirmB -type f -print0 | xargs -0 chmod 664
find /srv/svn/FirmC -type f -print0 | xargs -0 chmod 664

Now finally if you want to prevent the directories from being accessed by other users.

chmod 2770 /srv/svn/FirmA
chmod 2770 /srv/svn/FirmB
chmod 2770 /srv/svn/FirmC
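A way to check the umask 002 plus SGID scheme described in the answer above, as an added example that is not part of the original answer: it builds a scratch FirmA tree under mktemp (constructed names, not /srv/svn), reports the modes new entries receive, and audits for directories that have lost the SGID bit. It assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example: verify the umask 002 + SGID scheme on a scratch tree.
# Directory names are constructed for illustration.

# Print every directory under $1 that lacks the SGID bit. Files created in
# such a directory get the writer's primary group, not the firm's group.
missing_sgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Build a scratch tree the way the answer describes and report what newly
# created entries look like: "<top mode> <new dir mode> <new file mode>".
demo_modes() {
    top=$(mktemp -d) || return 1
    (
        umask 002                    # new files are group-writable
        mkdir "$top/FirmA"
        chmod 2770 "$top/FirmA"      # SGID set, no access for others
        mkdir "$top/FirmA/repo"      # created afterwards: inherits SGID
        : > "$top/FirmA/repo/rev"
        echo "$(stat -c %a "$top/FirmA") $(stat -c %a "$top/FirmA/repo") $(stat -c %a "$top/FirmA/repo/rev")"
    )
    rm -rf "$top"
}

# Simulate a directory whose SGID bit was cleared and print the audit
# result, relative to the scratch root.
demo_audit() {
    top=$(mktemp -d) || return 1
    mkdir "$top/FirmA" && chmod 2770 "$top/FirmA"
    mkdir "$top/FirmA/ok" "$top/FirmA/imported"
    chmod g-s "$top/FirmA/imported"  # this directory no longer forces the group
    (cd "$top" && missing_sgid FirmA)
    rm -rf "$top"
}

demo_modes
demo_audit
```

Running missing_sgid against the real repository root after the chmod steps should print nothing; any path it prints is a directory where new files will fall back to the writer's own group.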

