Groups in UNIX
=============================================================================
Overview: Groups are a way of sharing files and privileges among a set of
users, who are usually working on a common project. This tutorial
describes the concepts behind groups, the related commands, and the
privileges involved.
=============================================================================
Section Topic
------- -----
Groups of users in UNIX
Group protections on files and directories
Example
Groups of users in UNIX
-----------------------
Have you ever wondered about that middle group of protection bits, the ones
supposedly devoted to "group"? What does that mean? How can you make use of
it?
Programmers often work in teams, and with ever larger and more complex
programs, software development is not likely to abandon teamwork anytime soon.
Actually, teamwork has always been a part of Computer Science, despite the
cowboy-style myth of the lone hacker, creating some marvelous program at 3:00
AM at the MIT AI lab. UNIX saw the need for teams early on, so groups were
created and mechanisms set in place for users to share files and run programs
in common.
If users want to form a group, perhaps to work on a common project, they
must appeal to the system administrator (root), who then makes a new group,
assigning it a name. Groups are formed by creating a record in the file
/etc/netfiles/group
which is a publicly readable file. Each group gets a name and a number, called
the gid (group identification number). There is a list of usernames who belong
to this group.
A particular user may be in many different groups at the same time.
A user cannot create a group on his/her own, however. Only root can create
groups. Likewise, a user cannot modify the group file in order to insert
his/her username into a group because that would be a breach of security. Users
in a group trust each other (to some extent) and are confident that no new users
can be added to the group, unless proper channels are followed.
Group Protections on Files
--------------------------
Every file and every directory has both an owner, which is a username, and
a group. A generic group, called "stud", exists for most student files, while
"faculty" is used for most faculty files. Any number of files can belong to a
particular group, but any given file can only have one owner and one group at
any given time.
Ownership of a file cannot change, except when root runs a special command
to change it. However, the owner of a file can change the group to which the
file belongs, as well as the protections on the file. Usually, a set of files
is made available to a group by setting the group id of those files to that group.
But there are still three levels of protection, even for group files, so that
other members of a group can only read, or execute, or write a file. The owner
of a file still retains final control over the file.
To summarize, every file (and directory) still belongs to exactly one user,
who controls the privileges of that file. In addition, a file (or directory)
is associated with one group and the group privileges on that file apply to that
group. The group of a file or directory may be changed by its owner via the
chgrp command.
There is a command that allows you to quickly see what groups you or
another user belongs to. It is "groups" and here are two examples of its use:
% groups
% groups meyer
This is a much handier way than searching for your name in the
/etc/netfiles/group file.
To discover the group of a file, use the -g option in conjunction with the
-l option on the "ls" command:
% ls -lg *
-rw------- 1 root dept 4581 Jul 2 09:07 report
-rw-r--r-- 1 root dept 816 Jul 2 08:46 main.menu
ls prints out the owner and group names, not their numbers, as can be seen
above. Remember that UNIX really only uses numbers, not character strings, when
it comes to users and groups. But for the convenience of humans, UNIX prints
out the character string associated with each number.
Example
-------
An example will clarify the use of groups. Suppose that two teams of
students in CSC 251 have formed to work on projects. One is called "jets" and
the other is "sharks" (named after the two gangs in "West Side Story"). Here
are the entries from /etc/netfiles/group which define these groups:
jets:*:832:jim,mark,sue,karen
sharks:*:833:tony,angelo,hermana,carla
These students or their teacher have petitioned the superuser (root) to form
these groups, and root added these lines to /etc/netfiles/group. No other user
can join the group without root explicitly editing that file, so these groups
are secure.
The jets have a file in sue's home directory called "messages" where they
write important messages to one another and where they try to coordinate their
schedules so as to meet. Since all must read and write this file that sue owns,
she has done the following:
% chmod g+rw messages
which gives read and write privileges to her group. However, she is also in
the stud group, and when she created messages it was placed in the stud group.
She checks this out by doing:
% ls -lg messages
and sees
-rw-rw---- 1 sue stud 0 Feb 4 08:00 messages
So her first job is to change the group using the "chgrp" (change group)
command:
% chgrp jets messages
Now when she does "ls -lg" she sees
-rw-rw---- 1 sue jets 0 Feb 4 08:00 messages
(Remember there is no way that sue or anybody other than root can change the
owner of a file.) Also notice that her chmod command worked and the group
permissions are rw, while the other (world) privileges are nil:
  -      rw-     rw-     ---
ignore  owner   group   other
There is no need for this file to have the "x" privilege since it is not an
executable or a shell script.
However, when jim tries to get to messages he gets an error message:
% vi /mnt/stud/sue/messages
Directory unreadable
and he freaks out, telling sue she didn't make the file public. However, sue
is sure her chmod command was correct, so she digs in her UNIX books until she
finds, in an obscure little place, that her directory must be "open", too.
That is, if /mnt/stud/sue is closed to her group and the public then no one
can access her files, not even if they are public. So she does the following
while in her home directory:
% pwd
/mnt/stud/sue
% chmod g+rx .
This tells UNIX to make her home directory readable and executable to the group
it belongs in. Now, even though the group of her directory is "stud", not
"jets", the jets can all get in because they are all students and in the "stud"
group, also.
In UNIX, directories must have the "x" protection turned on if you are
to let people access the files in them. Executable means something different
for directories; it should be "searchable" instead of "executable", since no
one would execute a directory as a program or shell script! So UNIX interprets
the executable privilege as being able to read the directory while unraveling
a pathname. Directories should also be readable (although this is not strictly
necessary). However, if a directory is writable, then people can insert or
remove files from that directory! Thus, only trusted persons in your group,
not the whole world, should have write privileges on your directory! They
could remove files, even if those files are not themselves public!
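As an added illustration (not part of the original tutorial), the following Python models the path walk just described: every directory on the way must grant search (x) to the permission class that applies to the user, and that class (owner, group or other) is chosen once and never falls through. The filesystem snapshot and group memberships are constructed from the jets example; the code is the editor's, not anything the tutorial or UNIX itself provides.

```python
from typing import Dict, Set, Tuple

Entry = Tuple[str, str, str]  # (mode as printed by "ls -lg", owner, group)

# Constructed snapshot of the tutorial's scenario: sue's home directory is
# still closed to her group, but "messages" has already been chgrp'ed to jets.
FS: Dict[str, Entry] = {
    "/":                      ("drwxr-xr-x", "root", "wheel"),
    "/mnt":                   ("drwxr-xr-x", "root", "wheel"),
    "/mnt/stud":              ("drwxr-xr-x", "root", "stud"),
    "/mnt/stud/sue":          ("drwx------", "sue",  "stud"),
    "/mnt/stud/sue/messages": ("-rw-rw----", "sue",  "jets"),
}
# Group membership as "groups <user>" would report it (constructed).
GROUPS: Dict[str, Set[str]] = {
    "sue": {"stud", "jets"}, "jim": {"stud", "jets"}, "tony": {"stud", "sharks"},
}

def class_bits(entry: Entry, user: str, user_groups: Set[str]) -> str:
    """Pick the one rwx triple that applies: owner, else group, else other.
    The check never falls through: if the owner triple applies, the group
    triple is not consulted even when it would be more permissive."""
    mode, owner, group = entry
    if user == owner:
        return mode[1:4]
    if group in user_groups:
        return mode[4:7]
    return mode[7:10]

def can_access(fs: Dict[str, Entry], user: str, path: str, want: str) -> Tuple[bool, str]:
    """Decide whether user may open path with the bits in want (e.g. "rw").
    Each directory on the way needs only x (search); the final component
    needs every bit in want. Returns (allowed, reason)."""
    groups = GROUPS.get(user, set())
    parts = path.strip("/").split("/")
    ancestors = ["/"]
    for name in parts[:-1]:
        ancestors.append(ancestors[-1].rstrip("/") + "/" + name)
    for d in ancestors:
        if "x" not in class_bits(fs[d], user, groups):
            return False, f"{d}: directory not searchable by {user}"
    bits = class_bits(fs[path], user, groups)
    missing = "".join(b for b in want if b not in bits)
    if missing:
        return False, f"{path}: {user} lacks {missing}"
    return True, "ok"

def after_chmod_g_rx(fs: Dict[str, Entry]) -> Dict[str, Entry]:
    """Model sue running 'chmod g+rx .' in /mnt/stud/sue (constructed)."""
    return {**fs, "/mnt/stud/sue": ("drwxr-x---",) + fs["/mnt/stud/sue"][1:]}
```

Running can_access for jim before and after after_chmod_g_rx reproduces the "Directory unreadable" failure and its fix, while tony (a student but not a jet) still cannot read messages, which is exactly what the earlier chgrp jets bought.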
Now sue is cooking, and the jets can all get at "messages", both reading
and writing it.
The jets decided that karen should have the actual program directory where
their source code will go. So she sets up a directory that the jets can write
in:
% pwd
/mnt/stud/karen
% chmod g+rx .
% mkdir ourprog
% chgrp jets ourprog
% chmod g+rwx ourprog
Now any jet can cd into karen's directory and work on any files in that
directory. However, he/she must make sure to give rwx privileges to the jets
and change the group of any file, otherwise another jet will not be able to
read it. Here's mark going into the directory and starting a new file
called main.c:
% cd /mnt/stud/karen/ourprog
% vi main.c
% chgrp jets main.c
% chmod g+rw main.c