 |  |
49.6. Groups and Group Ownership
Group membership is an important part of Unix security. All users are members of one or more groups, as determined by their entries in /etc/passwd and the /etc/group files.
To find the GID number of your primary group, grep your entry in /etc/passwd:
> grep shelleyp /etc/passwd shelleyp:*:1000:1000:Shelley Powers:/usr/home/shelleyp:/bin/tcsh</screen>
The fourth field (the second number) is your primary group ID. Look up this number in the /etc/group file:
> grep 1000 /etc/group > shelleyp:*:1000:
On my FreeBSD system, my primary group is a group of which I'm the only member, shelleyp. Therefore, when I log in, my group ID is set to 1000.
To see what other groups you belong to, use the groups command if your Unix version has it. If not, you can get groups from the Free Software Directory at http://www.gnu.org/directory/index.html. Otherwise, look for your name in /etc/group:
> grep shelleyp /etc/group wheel:*:0:root,shelleyp webadmin:*:900:shelleyp,burningbird ftpadmin:*:901:shelleyp,burningbird mailadmin:*:903:shelleyp,burningbird sysadmin:*:905:shelleyp,burningbird pkgadmin:*:906:shelleyp,burningbird shelleyp:*:1000:
In the output, you can see that I'm a member of several groups, including wheel, webadmin, and so on. These are my secondary groups. The output also shows that the user "burningbird" is also a member of several of the same groups as myself.
On BSD-derived Unix systems (OpenBSD, FreeBSD, Darwin, and so on), you're always a member of all your groups. This means that I can access files that are owned by webadmin, wheel, and so on, without doing anything in particular. Under System V Unix, you can only be "in" one group at a time, even though you can be a member of several.
Within System V and Linux, if you need to access files that are owned by another group, use the newgrp command to change your primary group:
> newgrp groupname
The newgrp command starts a subshell. When you're done, type exit to leave the subshell. newgrp can be important for another reason: your primary group may own any new files you create. So newgrp is useful on any system where you want to set your group (for creating files, for example, when you aren't using a directory that sets its own group). If you can't use newgrp, the chgrp command will change a file's group owner.
The ls -l command shows a file's owner (and, in many versions, the filefs group too; if yours doesn't, add the -g option). The GNU ls -nl option shows a file's numeric UID and GID instead of the username and group name:
$ ls -l total 38 -rw-r--r-- 1 root weblog.burningbi 33922 May 23 13:52 access_log -rw-r----- 1 shelleyp weblog.burningbi 3995 May 12 11:08 analog.cfg -rw-r--r-- 1 root weblog.burningbi 0 May 23 12:01 error_log $ ls -ln total 37 -rw-r--r-- 1 0 501 32890 May 23 13:50 access_log -rw-r----- 1 1000 501 3995 May 12 11:08 analog.cfg -rw-r--r-- 1 0 501 0 May 23 12:01 error_log
(System V-based Unixes even let you change to groups that you don't belong to. In this case, you have to give a group password. Group passwords are rarely used: usually the password field is filled with a *, which effectively says that there are no valid passwords for this group.)
On most systems, there are groups for major projects or departments, groups for system administration, and maybe one or two groups for visitors. BSD-based systems often have a wheel group; to become root, you must belong to wheel. Many systems make terminals writable only by the owner and a special group named tty; this prevents other users from sending characters to your terminal without using an approved setgid program like write.
--JP, SP
|  | |
| 49.5. Group Permissions in a Directory with the setgid Bit |  | 49.7. Add Users to a Group to Deny Permissions |
Copyright © 2003 O'Reilly & Associates. All rights reserved.