samlb@well.UUCP (Samuel B. Bassett) (12/13/87)
Semi-arcane question:

How do you assign a user to more than one group?

I've been appointed assistant sysadmin at work, and the subject of group read/write permissions has come up, and the sysadmin just looks blank when I ask how to enroll users in more than one group.

I know how to create groups -- add an entry for the group name, password, group number, and a comma-delimited member list in /etc/group.

I know how to assign a given user to _one_ group -- put the group number in the 4th column of his/her/its entry in /etc/passwd.

But if I want to have users be in _two_ or more groups (so they can read and write files in several different areas), I don't know how to do it.

Can anyone enlighten me?
--
Sam'l Bassett -- Semantic Engineering for fun & profit.
34 Oakland Ave., San Anselmo CA 94960; DDD: (415) 454-7282
UUCP: {hplabs,ptsfa,lll-crg}!well!samlb; Internet: samlb@well.uucp
Compuserve: 71735,1776; WU Easylink ESL 6284-3034; MCI SBassett
gwyn@brl-smoke.ARPA (Doug Gwyn ) (12/14/87)
In article <4718@well.UUCP> samlb@well.UUCP (Samuel B. Bassett) writes:
> How do you assign a user to more than one group?

On recent BSD-based systems, users are always simultaneously "in" all the groups having them listed as a member in /etc/group.

On other UNIX systems, a process (i.e. "user") has only one group identity at a time. Use the "newgrp" shell built-in to switch to another group.
angst%csilvax@hub.ucsb.edu (Dave Stein) (12/14/87)
In article <4718@well.UUCP>, samlb@well.UUCP (Samuel B. Bassett) writes...
> How do you assign a user to more than one group?
> [... stuff deleted ...]
> I know how to create groups -- add an entry for the group name,
>password, group number, and a comma-delimited member list in /etc/group.
> I know how to assign a given user to _one_ group -- put the group
>number in the 4th column of his/her/its entry in /etc/passwd.

I don't believe this is sufficient to add a user to a group. I think you also have to add their login name to the group line in /etc/group. I think this field is superseded by the /etc/group file.

> But if I want to have users be in _two_ or more groups (so they can
> read and write files in several different areas, I don't know how to do it.

I don't have root permission anymore, so I can't check out my answer, but I'm pretty sure it's correct. If not, please feel free to flame me (and, of course, correct me).

To add a user to more than one group, you need only add the user name to each group line in /etc/group that you want the user to be in. Where I used to work, I was in the wheel group (group 0), in addition to about 5 other groups. To accomplish this, I simply edited /etc/group. Note that you must log out and log back in after you edit /etc/group, because groups are initialized during login.

Here at our site, root is in almost every group. I'm sure it is similar at your site.

Hope this helps!

Dave Stein                          "Life's a clambake."
ARPA: angst%csilvax@hub.ucsb.edu    Disclaimer: college students don't
UUCP: ...ucbvax!hub!csilvax!angst               need no disclaimers!
sdejarne@polyslo.UUCP (Steve DeJarnett) (12/14/87)
In article <228@hub.ucsb.edu> angst%csilvax@hub.ucsb.edu (Dave Stein) writes:
>In article <4718@well.UUCP>, samlb@well.UUCP (Samuel B. Bassett) writes...
>
>> How do you assign a user to more than one group?
>> [... stuff deleted ...]
>> I know how to create groups -- add an entry for the group name,
>>password, group number, and a comma-delimited member list in /etc/group.
>
>> I know how to assign a given user to _one_ group -- put the group
>>number in the 4th column of his/her/its entry in /etc/passwd.
>
>I don't believe this is sufficient to add a user to a group. I think you
>also have to add their login name to the group line in /etc/group. I think
>this field is superseded by the /etc/group file.

This is not true. The group that you place in the 4th field (not column) is the user's default group. This is the group that they are in when they log in, and all files that they create will be of this group. You can add a user to more than one group by placing their name next to the corresponding group in /etc/group.

On Berkeley systems, if you are in a group, you have that group's permissions always. On SysV, to obtain a group's privileges (other than for your default group), you must type 'newgrp <groupname>'. If your login name appears in the /etc/group file on the line corresponding to the group you want to switch in to, it will take effect. Otherwise, you will be prompted for a password to obtain access to that group. We don't use passwords here for group access, but I suppose you could, in lieu of adding everyone to all of the groups that they want/need to be in.

>> But if I want to have users be in _two_ or more groups (so they can
>> read and write files in several different areas, I don't know how to do it.
>
>I don't have root permission anymore, so I can't check out my answer, but
>I'm pretty sure it's correct. If not, please feel free to flame me (and,
>of course, correct me).
>
>To add a user to more than one group, you need only add the user name to
>each group line in /etc/group that you want the user to be in. Where I
>used to work, I was in the wheel group (group 0), in addition to about 5
>other groups. To accomplish this, I simply edited /etc/group. Note that
>you must log out and log back in after you edit /etc/group, because groups
>are initialized during login.

Yes, as I said above, this is correct.

>Here at our site, root is in almost every group. I'm sure it is similar
>at your site.

I question this practice somewhat, seeing as root supersedes any group considerations anyway. It is somewhat redundant (or unnecessary) for root to be in several groups. System administrators may want their accounts to be in several groups, but you can make a case that this is a bad idea because of security considerations. It's really up to each site to decide what is best for them.

Hopefully this will answer your questions. Good luck.

-------------------------------------------------------------------------------
| Steve DeJarnett           | ...!ihnp4!csun!polyslo!sdejarne          |
| Computer Systems Lab      | ...!{csustan,csun,sdsu}!polyslo!sdejarne |
| Cal Poly State Univ.      | ...!ucbvax!voder!polyslo!sdejarne        |
| San Luis Obispo, CA 93407 | polyslo!sdejarne@trwind.TRW.COM          |
-------------------------------------------------------------------------------
#include <std_disclaimer.h>
fm06222@dlag1.UUCP (Bill Wallace) (12/15/87)
In article <4718@well.UUCP>, samlb@well.UUCP (Samuel B. Bassett) writes:
> I know how to create groups -- add an entry for the group name,
> password, group number, and a comma-delimited member list in /etc/group.

Yes, this is the only way to assign a user to a group.

> I know how to assign a given user to _one_ group -- put the group
> number in the 4th column of his/her/its entry in /etc/passwd.

This doesn't actually assign the user to a group. It is used when the user creates a file. The group associated with that file will be the one in the /etc/passwd entry. (Even if there is no corresponding entry in /etc/group.) This group doesn't *have* to include the user! (Though it almost always does.)

> But if I want to have users be in _two_ or more groups (so they can read
> and write files in several different areas, I don't know how to do it.

Adding a user's login name to the /etc/group entries will probably do what you want. The only problem will be if the person needs to create files with more than one type of group ownership. They can use chgrp or the user.group form of chown to make the change - unless you've locked the user out of these commands. It might be preferable if they create the file in their $HOME and cp it into a directory with the proper group ownership. This has the added benefit of keeping a group's files in one place, away from the clutter of the user's $HOME.
--
*  Bill Wallace      {seismo!gould,cbosgd!osu-cis}!dsacg1!dlag1!bwallace  *
*  Administrative Support Center (DASC-ZWC)        phone (202) 274-9336   *
*  Cameron Station  Room 4C652                     Autovon 284-9336       *
*  Alexandria, VA  22304                                                  *
mbr@aoa.UUCP (Mark Rosenthal) (12/15/87)
In article <4718@well.UUCP> samlb@well.UUCP (Samuel B. Bassett) writes:
> How do you assign a user to more than one group?

Depends on the version of Unix you're working with.

I believe the AT&T family still does things the way they were done way back in version 7 (the (approximate) common ancestor of the AT&T and Berkeley Unixes). In these versions, logging in gives you a user id (UID) and a group id (GID). The GID comes from the group entry in the /etc/passwd file. This is your login group (i.e. the GID assigned to you when you log in). If you don't own a file, but your GID matches that of the file, your access is controlled by the group permissions on the file. The /etc/group file lists all the groups, and for each group it lists the accounts belonging to that group. You may change to another group with the 'newgrp' command. When you have done so, group file access will be governed by the group you specified as an argument to 'newgrp'. Thus, in version 7, System III, and System V.? you are logged into one group at a time. The group in the /etc/passwd file is used by the 'login' program. The /etc/group file is used by the 'newgrp' program.

Berkeley had a better idea. They modified the kernel to keep a list of groups rather than a single group. Thus, when you log in they build a list consisting of the GID found in the /etc/passwd file and all the groups you belong to specified in the /etc/group file. If you don't own a file, but the GID of the file appears in your group list, your access is controlled by the group permissions on the file. You will see this scheme in the 4.?bsd versions of Unix. With this arrangement, there is no longer any need for a 'newgrp' command, so it was removed. Also, note that the group in /etc/passwd is not any more special than any of the groups you belong to by virtue of being mentioned in /etc/group. In 4.?bsd, there is really no longer any reason to have any group information in /etc/passwd. I assume they kept the field because it would have broken too many programs and shell scripts if they changed the format of /etc/passwd. And as long as you've got the field there, you might as well make it part of the group list along with the info in /etc/group.
--
Mark of the Valley of Roses ...!{harvard,ima}!bbn!aoa!mbr
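The two login models described in the post above, worked through as an added example that is not part of the original thread. The PASSWD and GROUP contents, the user names and all function names are constructed for illustration; `effective_members` also shows why an audit that reads only the member lists in /etc/group misses users whose login GID is that group.

```python
# Constructed sample files for illustration; not taken from any system in the thread.
PASSWD = """\
root:*:0:0:Operator:/:/bin/sh
alice:*:201:20:Alice:/u/alice:/bin/sh
bob:*:202:30:Bob:/u/bob:/bin/sh
"""
GROUP = """\
wheel:*:0:root,alice
staff:*:20:
proj:*:30:alice,bob
ops:*:40:alice
"""


def parse_passwd(text):
    """Map login name -> login GID (4th field of each /etc/passwd line)."""
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return {f[0]: int(f[3]) for f in rows}


def parse_group(text):
    """Map GID -> set of login names in the member list of /etc/group."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            _name, _pw, gid, members = line.split(":")
            groups[int(gid)] = {m for m in members.split(",") if m}
    return groups


def bsd_group_list(user, passwd, groups):
    """4.xBSD model: login GID plus every group that lists the user."""
    return {passwd[user]} | {g for g, mem in groups.items() if user in mem}


def newgrp_no_password(user, groups):
    """V7/SysV model: groups 'newgrp' grants without asking for a password."""
    return {g for g, mem in groups.items() if user in mem}


def has_group_access(file_gid, active_gids):
    """Group permission bits apply only if the file's GID is currently active."""
    return file_gid in active_gids


def effective_members(gid, passwd, groups):
    """Audit view: listed members plus users whose login GID is this group."""
    return groups.get(gid, set()) | {u for u, g in passwd.items() if g == gid}


if __name__ == "__main__":
    pw, gr = parse_passwd(PASSWD), parse_group(GROUP)
    for user in pw:
        print(user, "login gid:", pw[user],
              "bsd list:", sorted(bsd_group_list(user, pw, gr)))
    print("staff members seen by an audit:", sorted(effective_members(20, pw, gr)))
```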
andrew@frip.gwd.tek.com (Andrew Klossner) (12/15/87)
[]

	"How do you assign a user to more than one group?"

You can only do so under a Berkeley-derived Unix.

  -=- Andrew Klossner   (decvax!tektronix!tekecs!andrew)       [UUCP]
                        (andrew%tekecs.tek.com@relay.cs.net)   [ARPA]
ntm1569@dsacg3.UUCP (Jeff Roth) (12/15/87)
In article <299@dlag1.UUCP>, fm06222@dlag1.UUCP (Bill Wallace) writes re: group field in passwd entry:
> This doesn't actually assign the user to a group. It is used when
> the user creates a file. The group associated with that file will be the
> one in the /etc/passwd entry....

Under BSD (at least) the file gets the group id of the _directory_ in which it is created.
--
Jeff Roth               {uunet!gould,cbosgd!osu-cis}!dsacg1!jroth
Defense Logistics Agency Systems Automation Center | 614-238-9421
DSAC-TMP, P.O. Box 1605, Columbus, OH 43216        | Autovon 850-
All views expressed are mine, not necessarily anyone else's
jbuck@epimass.EPI.COM (Joe Buck) (12/17/87)
In article <9519@tekecs.TEK.COM> andrew@frip.gwd.tek.com (Andrew Klossner) writes:
> "How do you assign a user to more than one group?"
>
>You can only do so under a Berkeley-derived Unix.

Well, sort of. Under 4.2bsd and its descendants (4.3, Ultrix, Sun, etc), you can be in multiple groups at once; files are owned by a single group, which is by default the same as that of the directory the file is created in, though the owner can change the group of a file to any group the owner is a member of.

Under all other Unixes, you can be authorized to be in multiple groups (in the /etc/group file) but at any given time you are in only one group. However, you can use "newgrp" to "log in" to a different group.
--
- Joe Buck  {uunet,ucbvax,sun,decwrl,<smart-site>}!epimass.epi.com!jbuck
  Old internet mailers: jbuck%epimass.epi.com@uunet.uu.net
brett@wjvax.UUCP (Brett Galloway) (12/17/87)
In article <578@aoa.UUCP> mbr@aoa.UUCP (Mark Rosenthal) writes:
>In article <4718@well.UUCP> samlb@well.UUCP (Samuel B. Bassett) writes:
>> How do you assign a user to more than one group?
>Berkeley had a better idea. They modified the kernel to keep a list
>of groups rather than a single group. Thus, when you log in they build
>a list consisting of the GID found in the /etc/passwd file and all the
>groups you belong to specified in the /etc/group file. If you don't own a
>file, but the GID of the file appears in your group list, your access is
>controlled by the group permissions on the file. You will see this scheme
>in the 4.?bsd versions of Unix. With this arrangement, there is no longer
>any need for a 'newgrp' command, so it was removed. Also, note that the
>group in /etc/passwd is not any more special than any of the groups you belong
>to by virtue of being mentioned in /etc/group. In 4.?bsd, there is really no
>longer any reason to have any group information in /etc/passwd. I assume they
>kept the field because it would have broken too many programs and shell scripts
>if they changed the format of /etc/passwd. And as long as you've got the field
>there, you might as well make it part of the group list along with the info
>in /etc/group.

I agree that it is kind of stupid to have group assignments in two different files. However, I always thought it would be more useful to specify the group list in /etc/passwd (so all the user-dependent stuff is in one place), and then permit some other use for the information in /etc/group. One candidate would be group expansions, i.e.

/etc/passwd:
brett::765:0,81:Brett Galloway:/u1/brett:/bin/csh

/etc/group:
wheel:*:0:staff
staff:*:10
user:*:80
aduser:*:81:user
synuser:*:82

In this example, I would be in groups 0 (wheel) and 81 (aduser), but group 0 would also provide access to group 10, and group 81 would provide access to group 80, so I would be in four groups total (0,10,80,81).

The processing of /etc/group would be straight-forward enough (just change initgroups(3X) appropriately). This would centralize all of the user-dependent stuff in /etc/passwd. Allowing group expansion in /etc/group would also simplify the handling of multiple groups; often, one has a hierarchy of groups which could be expressed statically in the /etc/group file. In these cases, multiple groups could be assigned easily without embedding any of that knowledge in the /etc/passwd file. The above example says in the /etc/passwd file that I am a wheel user and I am in user group 'aduser'. The /etc/group file then says that wheel users are also in group staff and aduser users are also in group user.
--
-------------
Brett D. Galloway
{ac6,calma,cerebus,isi,isieng,pyramid,tymix}!wjvax!brett
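The group-expansion scheme proposed in the post above, worked through on the post's own sample lines; this is an added example, not part of the original thread, and the scheme itself is a proposal rather than the behaviour of any real initgroups(3X). The function names are hypothetical, and the cycle guard is an addition so that two groups naming each other cannot loop forever.

```python
# Sample lines copied from the post above (the proposed format, not real system files).
PASSWD_LINE = "brett::765:0,81:Brett Galloway:/u1/brett:/bin/csh"
GROUP_LINES = """\
wheel:*:0:staff
staff:*:10
user:*:80
aduser:*:81:user
synuser:*:82
"""


def parse_expansions(text):
    """Return (group name -> GID, GID -> list of group names it also grants)."""
    by_name, implies = {}, {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        gid = int(fields[2])
        by_name[fields[0]] = gid
        granted = fields[3].split(",") if len(fields) > 3 else []
        implies[gid] = [name for name in granted if name]
    return by_name, implies


def expand(gids, by_name, implies):
    """Transitive closure of the direct GIDs; 'seen' guards against cycles."""
    seen, stack = set(), list(gids)
    while stack:
        gid = stack.pop()
        if gid in seen:
            continue
        seen.add(gid)
        stack.extend(by_name[n] for n in implies.get(gid, []) if n in by_name)
    return seen


def proposed_group_list(passwd_line, group_text):
    """Direct GIDs from the 4th passwd field, expanded through /etc/group."""
    direct = [int(g) for g in passwd_line.split(":")[3].split(",")]
    return expand(direct, *parse_expansions(group_text))


if __name__ == "__main__":
    print(sorted(proposed_group_list(PASSWD_LINE, GROUP_LINES)))
```

Under such a scheme the groups a user ends up in are no longer readable from either file alone, so any membership review has to compute this closure.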
samlb@well.UUCP (Samuel B. Bassett) (12/17/87)
Many thanks to all who answered -- I have learned a great deal.

The system I'm working on is REGULUS, a System III-derived (with some Sys6 & 7 "compatibility features"), and it is an AT&T-style system; i.e., you need to use 'newgrp' to take advantage of the group feature.

I personally think that the BSD way is better, since it gives more functions, easier, but *tradition* seems to run the other way. **SIGH**
--
Sam'l Bassett -- Semantic Engineering for fun & profit.
34 Oakland Ave., San Anselmo CA 94960; DDD: (415) 454-7282
UUCP: {hplabs,ptsfa,lll-crg}!well!samlb; Internet: samlb@well.uucp
Compuserve: 71735,1776; WU Easylink ESL 6284-3034; MCI SBassett
allbery@ncoast.UUCP (Brandon Allbery) (12/19/87)
As quoted from <4718@well.UUCP> by samlb@well.UUCP (Samuel B. Bassett):
+---------------
| How do you assign a user to more than one group?
| I've been appointed assistant sysadmin at work, and the subject of
| group read/write permissions has come up, and the sysadmin just looks blank
| when I ask how to enroll users in more than one group.
+---------------

You don't name the OS type. System V doesn't permit users to be in multiple groups; that is (for now; hey, AT&T, snap it up! ;-) the exclusive province of Berkeley Un*xes. If you've got 4.xBSD, watch for other responses....
--
Brandon S. Allbery necntc!ncoast!allbery@harvard.harvard.edu
{hoptoad,harvard!necntc,cbosgd,sun!mandrill!hal,uunet!hnsurg3}!ncoast!allbery
Moderator of comp.sources.misc
kathy@bakerst.UUCP (Kathy Vincent) (12/23/87)
In article <6866@ncoast.UUCP> allbery@ncoast.UUCP (Brandon Allbery) writes:
}As quoted from <4718@well.UUCP> by samlb@well.UUCP (Samuel B. Bassett):
}+---------------
}| How do you assign a user to more than one group?
}| I've been appointed assistant sysadmin at work, and the subject of
}| group read/write permissions has come up, and the sysadmin just looks blank
}| when I ask how to enroll users in more than one group.
}+---------------
}
}You don't name the OS type. System V doesn't permit users to be in multiple
}groups; that is (for now; hey, AT&T, snap it up! ;-) the exclusive province
}of Berkeley Un*xes. If you've got 4.xBSD, watch for other responses....

I thought this had already been covered, but.

System V *does* permit users to be in multiple groups - but users must explicitly switch from group to group using the newgrp command.

I used to have training courses set up this way - so that the instructors could be members of both the students' groups and their own private group. Each student login and each instructor login was assigned to the student group in the /etc/group file, and each instructor login was assigned to the instructors group in /etc/group. Whatever files you created were given the group ID of whatever group you were "in" at the time you created those files.

This approach has also been used for people who work on different projects, each of which needs to be kept separate from everything else for one reason or another. Each project is assigned to a group, and users switch group to switch to working on a new project.

Kathy Vincent ------> {ihnp4|mtune|codas|ptsfa}!bakerst!kathy
              ------> {ihnp4|mtune|burl}!wrcola!kathy
              ------> { favourite AT&T gateway }!wruxe!unix
mitch@stride1.UUCP (Thomas P. Mitchell) (01/21/88)
In article <4718@well.UUCP> samlb@well.UUCP (Samuel B. Bassett) writes:
>Semi-arcane question:
>
> How do you assign a user to more than one group?

Hello Sam,

You (root) must edit the file "/etc/group" to have the user identified as a member of groups other than the primary one in the passwd file.

-------- example --------
root:*:0:root,mitch
sys:*:3:root,bin,sys,adm,mitch
games:*:10:root,bruce
staff:*:100:sysman,mitch
--------------------------

Then depending on the operating system BSD, SysV, UniStride, AIX etc. (trademarked products) the user may need to use the 'newgrp' command (Sys V) to move from the original group to another. On systems with a BSD flavor it is possible to reside in a number of groups at a time.

In the SysV case 'newgrp' causes in effect a new login. This flushes any environment or history that may exist. Our UniStride while a SysV based OS supports multiple groups.

One thing to double check on your system is the group assignment rules when a file is created.

Thomas P. Mitchell (mitch@stride1.Stride.COM)
Phone: (702) 322-6868 TWX: 910-395-6073
MicroSage Computer Systems Inc. a Division of Stride Micro.
Opinions expressed are probably mine.