Managing Groups
Groups can make managing users a lot easier. Instead of having to assign individual permissions to every user, you can use groups to grant or revoke permissions to a large number of users quickly and easily. Setting group permissions allows you to set up work spaces for collaborative working and also to control what devices can be used, such as external drives or DVD writers. This approach also represents a secure method of limiting access to system resources to only those users who need them. As an example, the sysadmin could put the users andrew, paul, scott, derek, mark, and vanessa in a new group named unleashed. Those users could each create files intended for their group work and chgrp those files to unleashed.
Now, everyone in the unleashed group — but no one else except root — can work with those files. The sysadmin would probably create a directory owned by that group so its members could have an easily accessed place to store those files. The sysadmin could also add other users such as bernice and ildiko to the group and remove existing users when their part of the work is done. The sysadmin could make the user andrew the group administrator so that andrew could decide how group membership should be changed. You could also put restrictions on the DVD writer so that only andrew could burn DVDs, thus protecting sensitive material from falling into the wrong hands.
Different UNIX operating systems implement the group concept in various ways. Fedora uses a scheme called /etc/group file. Here is a partial list of a sample /etc/group file:
# cat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
dovecot:x:97:
...
postdrop:x:90:
postfix:x:89:
andrew:x:500:
In this example, there are a number of groups, mostly for services (mail, ssh, and so on) and devices (CD-ROM, disk, and so on). As previously mentioned, the system services groups enable those services to have ownership and control of their files. For example, adding postfix to the mail group, as shown previously, enables the postfix application to access mail's files in the manner that mail would decide for group access to its file. Adding a regular user to a device's group permits the regular user to use the device with permissions granted by the group owner. Adding user andrew to the group cdrom, for example, would allow andrew to use the CD drive. You learn how to add and remove users from groups in the next section.
Group Management Tools
Fedora provides several command-line tools for managing groups as well as graphical tools. Many experienced sysadmins prefer the command-line tools because they are quick and easy to use and they can be included in scripts if the sysadmin desires to script a repetitive task. Here are the most commonly used group management command-line tools:
> groupadd — This command creates and adds a new group.
> groupdel — This command removes an existing group.
> groupmod — This command creates a group name or GIDs, but doesn't add or delete members from a group.
> gpasswd — This command creates a group password. Every group can have a group password and an administrator. Use the -A argument to assign a user as group administrator.
> useradd -G — The -G argument adds a user to a group during the initial user creation. (More arguments are used to create a user.)
> usermod -G — This command enables you to add a user to a group as long as the user is not logged in at the time.
> grpck — A command for checking the /etc/group file for typos.
As an example, imagine that there is a DVD-RW device (/dev/scd0) on the computer to which the sysadmin wants a regular user named vanessa to have access. To grant vanessa that access, he would use these steps:
1. Add a new group with the groupadd command:
# groupadd dvdrw
2. Change the group ownership of the device to the new group with the chgrp command:
# chgrp dvdrw /dev/scd0
3. Add the approved user to the group with the usermod command (the -a option appends dvdrw to her existing supplementary groups; -G on its own replaces them):
# usermod -a -G dvdrw vanessa
4. Make user vanessa the group administrator with the gpasswd command so that she can add new users to the group:
# gpasswd -A vanessa dvdrw
Now, the user vanessa has permission to use the DVD-RW drive, as would anyone else added to the group by the super user or vanessa because she is now also the group administrator and can add users to the group.
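The check below is an added example, not part of the original text: once access has been granted as in the steps above, it lists everyone who actually belongs to a group (supplementary members from the group file plus users whose primary GID matches in the passwd file) and reports members missing from an approved list. The sample files, the GIDs, and the function names group_members and unapproved_members are constructed for illustration.

```shell
#!/bin/sh
# Added example: list who can reach a group-owned device such as /dev/scd0.
# It reads copies of the group and passwd files; the data below is constructed.

# Print every member of GROUP: supplementary members from the group file
# plus users whose primary GID (passwd field 4) equals the group's GID.
group_members() {   # usage: group_members GROUP GROUP_FILE PASSWD_FILE
    awk -F: -v g="$1" '
        FNR == NR {                       # first file: /etc/group format
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd format
        END { for (u in seen) print u }
    ' "$2" "$3" | sort
}

# Print members of GROUP that are missing from the space-separated APPROVED list.
unapproved_members() {   # usage: unapproved_members GROUP GROUP_FILE PASSWD_FILE APPROVED
    for u in $(group_members "$1" "$2" "$3"); do
        case " $4 " in
            *" $u "*) ;;
            *) echo "$u" ;;
        esac
    done
}

# Constructed sample data (not taken from a real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GROUP_FILE=$SAMPLE_DIR/group
PASSWD_FILE=$SAMPLE_DIR/passwd
cat > "$GROUP_FILE" <<'EOF'
root:x:0:root
dvdrw:x:501:vanessa,bernice
unleashed:x:502:andrew,paul,vanessa
EOF
cat > "$PASSWD_FILE" <<'EOF'
andrew:x:500:500::/home/andrew:/bin/bash
vanessa:x:503:503::/home/vanessa:/bin/bash
ildiko:x:504:501::/home/ildiko:/bin/bash
EOF

echo "dvdrw members: $(group_members dvdrw "$GROUP_FILE" "$PASSWD_FILE" | xargs)"
echo "not approved:  $(unapproved_members dvdrw "$GROUP_FILE" "$PASSWD_FILE" "vanessa" | xargs)"
```

In the sample, ildiko never appears on the dvdrw line of the group file but still has the group's access through her primary GID, which is why the passwd file has to be read as well.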
The sysadmin can also use the graphical interface that Fedora provides, as shown in Figure 10.2. It is accessed as the Users and Groups item from the System Settings menu item.

FIGURE 10.2 Just check the box to add a user to a group.
You will note that the full set of group commands and options are not available from the graphical interface, limiting the usefulness of the GUI to a subset of the most frequently used commands. You learn more about using the Fedora User Manager GUI in the next section.
Managing Users