samlb@well.UUCP (Samuel B. Bassett) (12/13/87)
Semi-arcane question:

	How do you assign a user to more than one group?

	I've been appointed assistant sysadmin at work, and the subject of
group read/write permissions has come up, and the sysadmin just looks blank
when I ask how to enroll users in more than one group.

	I know how to create groups -- add an entry for the group name,
password, group number, and a comma-delimited member list in /etc/group.

	I know how to assign a given user to _one_ group -- put the group
number in the 4th column of his/her/its entry in /etc/passwd.

	But if I want to have users be in _two_ or more groups (so they can
read and write files in several different areas), I don't know how to do it.

	Can anyone enlighten me?

--
Sam'l Bassett -- Semantic Engineering for fun & profit.
34 Oakland Ave., San Anselmo CA 94960; DDD: (415) 454-7282
UUCP: {hplabs,ptsfa,lll-crg}!well!samlb; Internet: samlb@well.uucp
Compuserve: 71735,1776; WU Easylink ESL 6284-3034; MCI SBassett
angst%csilvax@hub.ucsb.edu (Dave Stein) (12/14/87)
In article <4718@well.UUCP>, samlb@well.UUCP (Samuel B. Bassett) writes...

> How do you assign a user to more than one group?
> [... stuff deleted ...]
> I know how to create groups -- add an entry for the group name,
>password, group number, and a comma-delimited member list in /etc/group.

> I know how to assign a given user to _one_ group -- put the group
>number in the 4th column of his/her/its entry in /etc/passwd.

I don't believe this is sufficient to add a user to a group. I think you
also have to add their login name to the group line in /etc/group. I think
this field is superseded by the /etc/group file.

> But if I want to have users be in _two_ or more groups (so they can
> read and write files in several different areas, I don't know how to do it.

I don't have root permission anymore, so I can't check out my answer, but
I'm pretty sure it's correct. If not, please feel free to flame me (and,
of course, correct me).

To add a user to more than one group, you need only add the user name to
each group line in /etc/group that you want the user to be in. Where I
used to work, I was in the wheel group (group 0), in addition to about 5
other groups. To accomplish this, I simply edited /etc/group. Note that
you must log out and log back in after you edit /etc/group, because groups
are initialized during login.

Here at our site, root is in almost every group. I'm sure it is similar
at your site.

Hope this helps!

Dave Stein                              "Life's a clambake."
ARPA: angst%csilvax@hub.ucsb.edu        Disclaimer: college students don't
UUCP: ...ucbvax!hub!csilvax!angst                   need no disclaimers!
sdejarne@polyslo.UUCP (Steve DeJarnett) (12/14/87)
In article <228@hub.ucsb.edu> angst%csilvax@hub.ucsb.edu (Dave Stein) writes:
>In article <4718@well.UUCP>, samlb@well.UUCP (Samuel B. Bassett) writes...
>
>> How do you assign a user to more than one group?
>> [... stuff deleted ...]
>> I know how to create groups -- add an entry for the group name,
>>password, group number, and a comma-delimited member list in /etc/group.
>
>> I know how to assign a given user to _one_ group -- put the group
>>number in the 4th column of his/her/its entry in /etc/passwd.
>
>I don't believe this is sufficient to add a user to a group. I think you
>also have to add their login name to the group line in /etc/group. I think
>this field is superseded by the /etc/group file.

This is not true. The group that you place in the 4th field (not
column) is the user's default group. This is the group that they are in when
they log in, and all files that they create will be of this group.

You can add a user to more than one group by placing their name next to
the corresponding group in /etc/group. On Berkeley systems, if you are in a
group, you have that group's permissions always. On SysV, to obtain a group's
privileges (other than for your default group), you must type
'newgrp <groupname>'. If your login name appears in the /etc/group file on the
line corresponding to the group you want to switch in to, it will take effect.
Otherwise, you will be prompted for a password to obtain access to that group.
We don't use passwords here for group access, but I suppose you could, in lieu
of adding everyone to all of the groups that they want/need to be in.

>> But if I want to have users be in _two_ or more groups (so they can
>> read and write files in several different areas, I don't know how to do it.
>
>I don't have root permission anymore, so I can't check out my answer, but
>I'm pretty sure it's correct. If not, please feel free to flame me (and,
>of course, correct me).
>
>To add a user to more than one group, you need only add the user name to
>each group line in /etc/group that you want the user to be in. Where I
>used to work, I was in the wheel group (group 0), in addition to about 5
>other groups. To accomplish this, I simply edited /etc/group. Note that
>you must log out and log back in after you edit /etc/group, because groups
>are initialized during login.

Yes, as I said above, this is correct.

>Here at our site, root is in almost every group. I'm sure it is similar
>at your site.

I question this practice somewhat, seeing as root supersedes any group
considerations anyway. It is somewhat redundant (or unnecessary) for root to
be in several groups. System administrators may want their accounts to be in
several groups, but you can make a case that this is a bad idea because of
security considerations. It's really up to each site to decide what is best
for them.

Hopefully this will answer your questions. Good luck.

-------------------------------------------------------------------------------
| Steve DeJarnett           | ...!ihnp4!csun!polyslo!sdejarne                 |
| Computer Systems Lab      | ...!{csustan,csun,sdsu}!polyslo!sdejarne        |
| Cal Poly State Univ.      | ...!ucbvax!voder!polyslo!sdejarne               |
| San Luis Obispo, CA 93407 | polyslo!sdejarne@trwind.TRW.COM                 |
-------------------------------------------------------------------------------
#include <std_disclaimer.h>
rjd@occrsh.ATT.COM (12/15/87)
> > How do you assign a user to more than one group?
> > [... stuff deleted ...]
> > I know how to create groups -- add an entry for the group name,
> >password, group number, and a comma-delimited member list in /etc/group.
>
> > I know how to assign a given user to _one_ group -- put the group
> >number in the 4th column of his/her/its entry in /etc/passwd.
>
> I don't believe this is sufficient to add a user to a group. I think you
> also have to add their login name to the group line in /etc/group. I think
> this field is superseded by the /etc/group file.

Wrong. The original poster is correct: All that you need to have in place
in order to assign a user to ONE group is the number in the fourth field in
the /etc/passwd file. It need not even be defined in the /etc/group file.
If you want an alphanumeric string associated with it (such as for ls -l
listings), you need to have it in the group file. It is common at some sites
I have used that they use a user's department number as a group and not even
define it in /etc/group, since the number will appear on ls -l listings in
the absence of a defined alphanumeric string.

> > But if I want to have users be in _two_ or more groups (so they can
> > read and write files in several different areas, I don't know how to do it.
>
> I don't have root permission anymore, so I can't check out my answer, but
> I'm pretty sure it's correct. If not, please feel free to flame me (and,
> of course, correct me).
>
> To add a user to more than one group, you need only add the user name to
> each group line in /etc/group that you want the user to be in. Where I

Correct, yet he need not be in his login group, unless, I think, he wants
to newgrp back to his login group??

> used to work, I was in the wheel group (group 0), in addition to about 5
> other groups. To accomplish this, I simply edited /etc/group. Note that
> you must log out and log back in after you edit /etc/group, because groups
> are initialized during login.

I am not 100% sure but I don't think you need to log out. Maybe we are
talking different flavors of unix here (I'm on AT&T System V), but the
/etc/group file is only looked at during a command that is looking up the
alphanumeric string (such as ls) or when you execute 'newgrp' to adopt the
permissions of a group other than you logged in as (in which case your login
must appear in the fourth field of /etc/group). At no other time that I am
aware of is the file even opened.

> Here at our site, root is in almost every group. I'm sure it is similar
> at your site.

No, root is in no groups here. In fact, every group has its fourth field
completely empty, yet 'newgrps' called by root always succeed (yet others
always fail - I just checked both).

Randy
fm06222@dlag1.UUCP (Bill Wallace) (12/15/87)
In article <4718@well.UUCP>, samlb@well.UUCP (Samuel B. Bassett) writes:

> I know how to create groups -- add an entry for the group name,
> password, group number, and a comma-delimited member list in /etc/group.

Yes, this is the only way to assign a user to a group.

> I know how to assign a given user to _one_ group -- put the group
> number in the 4th column of his/her/its entry in /etc/passwd.

This doesn't actually assign the user to a group. It is used when
the user creates a file. The group associated with that file will be the
one in the /etc/passwd entry. (Even if there is no corresponding entry in
/etc/group.) This group doesn't *have* to include the user! (Though it
almost always does.)

> But if I want to have users be in _two_ or more groups (so they can read
> and write files in several different areas, I don't know how to do it.

Adding a user's login name to the /etc/group entries will probably do
what you want. The only problem will be if the person needs to create
files with more than one type of group ownership. They can use chgrp or
the user.group form of chown to make the change - unless you've locked the
user out of these commands. It might be preferable if they create the
file in their $HOME and cp it into a directory with the proper group
ownership. This has the added benefit of keeping a group's files in one
place, away from the clutter of the user's $HOME.

--
* Bill Wallace   {seismo!gould,cbosgd!osu-cis}!dsacg1!dlag1!bwallace *
* Administrative Support Center (DASC-ZWC)      phone (202) 274-9336 *
* Cameron Station Room 4C652                        Autovon 284-9336 *
* Alexandria, VA 22304                                               *
mbr@aoa.UUCP (Mark Rosenthal) (12/15/87)
In article <4718@well.UUCP> samlb@well.UUCP (Samuel B. Bassett) writes:
> How do you assign a user to more than one group?

Depends on the version of Unix you're working with.

I believe the AT&T family still does things the way they were done way back
in version 7 (the (approximate) common ancestor of the AT&T and Berkeley
Unixes). In these versions, logging in gives you a user id (UID) and a group
id (GID). The GID comes from the group entry in the /etc/passwd file. This
is your login group (i.e. the GID assigned to you when you log in). If you
don't own a file, but your GID matches that of the file, your access is
controlled by the group permissions on the file. The /etc/group file lists
all the groups, and for each group it lists the accounts belonging to that
group. You may change to another group with the 'newgrp' command. When you
have done so, group file access will be governed by the group you specified
as an argument to 'newgrp'.

Thus, in version 7, System III, and System V.? you are logged into one group
at a time. The group in the /etc/passwd file is used by the 'login' program.
The /etc/group file is used by the 'newgrp' program.

Berkeley had a better idea. They modified the kernel to keep a list
of groups rather than a single group. Thus, when you log in they build
a list consisting of the GID found in the /etc/passwd file and all the
groups you belong to specified in the /etc/group file. If you don't own a
file, but the GID of the file appears in your group list, your access is
controlled by the group permissions on the file. You will see this scheme
in the 4.?bsd versions of Unix. With this arrangement, there is no longer
any need for a 'newgrp' command, so it was removed. Also, note that the
group in /etc/passwd is not any more special than any of the groups you belong
to by virtue of being mentioned in /etc/group. In 4.?bsd, there is really no
longer any reason to have any group information in /etc/passwd. I assume they
kept the field because it would have broken too many programs and shell scripts
if they changed the format of /etc/passwd. And as long as you've got the field
there, you might as well make it part of the group list along with the info
in /etc/group.

--
	Mark of the Valley of Roses
	...!{harvard,ima}!bbn!aoa!mbr
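
The two models described in the post above, as an added example that is not part of the original thread: it builds a 4.2BSD-style group list and a V7/System V single-GID check from constructed /etc/passwd and /etc/group text, and reports login GIDs that have no /etc/group entry. The accounts, GIDs and function names are assumptions made for illustration.

```python
# Added illustration; sample entries and all function names are constructed.
PASSWD = """\
root:*:0:0:Super User:/:/bin/sh
alice:*:101:100:Alice:/u/alice:/bin/csh
bob:*:102:250:Bob:/u/bob:/bin/sh
"""
GROUP = """\
wheel:*:0:root,alice
staff:*:100:
proj:*:120:alice,bob
"""


def parse_passwd(text):
    """Map login name -> login GID (4th field of /etc/passwd)."""
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return {f[0]: int(f[3]) for f in rows}


def parse_group(text):
    """Map GID -> (group name, set of member login names)."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 3:
            continue
        members = f[3].split(",") if len(f) > 3 else []
        groups[int(f[2])] = (f[0], {m for m in members if m})
    return groups


def bsd_group_list(user, passwd, groups):
    """4.2BSD model: login GID plus every group whose member list names the user."""
    listed = {gid for gid, (_name, members) in groups.items() if user in members}
    return {passwd[user]} | listed


def newgrp_needs_password(user, gid, groups):
    """V7/System V model as described in the thread: no prompt only if listed."""
    return not (gid in groups and user in groups[gid][1])


def group_bits_apply(model, user, file_gid, passwd, groups, current_gid=None):
    """Do the file's group permission bits govern this non-owner user?"""
    if model == "bsd":
        return file_gid in bsd_group_list(user, passwd, groups)
    # Single-GID model: only the GID the process carries right now counts.
    return file_gid == (passwd[user] if current_gid is None else current_gid)


def audit(passwd, groups):
    """Report login GIDs missing from /etc/group and non-root members of GID 0."""
    return {
        "undefined_login_gid": sorted(u for u, g in passwd.items() if g not in groups),
        "non_root_in_gid0": sorted(
            u for u in passwd
            if u != "root" and 0 in bsd_group_list(u, passwd, groups)),
    }


if __name__ == "__main__":
    pw, gr = parse_passwd(PASSWD), parse_group(GROUP)
    for user in pw:
        print(user, sorted(bsd_group_list(user, pw, gr)))
    print(audit(pw, gr))
```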
andrew@frip.gwd.tek.com (Andrew Klossner) (12/15/87)
[]

	"How do you assign a user to more than one group?"

You can only do so under a Berkeley-derived Unix.

  -=- Andrew Klossner   (decvax!tektronix!tekecs!andrew)       [UUCP]
                        (andrew%tekecs.tek.com@relay.cs.net)   [ARPA]
ntm1569@dsacg3.UUCP (Jeff Roth) (12/15/87)
In article <299@dlag1.UUCP>, fm06222@dlag1.UUCP (Bill Wallace) writes
re: group field in passwd entry:

> This doesn't actually assign the user to a group. It is used when
> the user creates a file. The group associated with that file will be the
> one in the /etc/passwd entry....

Under BSD (at least) the file gets the group id of the _directory_ in
which it is created.

--
Jeff Roth               {uunet!gould,cbosgd!osu-cis}!dsacg1!jroth
Defense Logistics Agency Systems Automation Center | 614-238-9421
DSAC-TMP, P.O. Box 1605, Columbus, OH 43216        | Autovon 850-
All views expressed are mine, not necessarily anyone else's
preece%fang@gswd-vms.Gould.COM (Scott E. Preece) (12/16/87)
  From: Mark Rosenthal <mbr@aoa.uucp>
> Also, note that the group in /etc/passwd is not any more special than
> any of the groups you belong to by virtue of being mentioned in
> /etc/group. In 4.?bsd, there is really no longer any reason to have any
> group information in /etc/passwd.
----------
Well, almost. The accounting system still records a gid with each
accounting record and that is the one from the passwd file entry (unless
it has been changed). So if you want to do accounting by groups,
you still need something like newgrp to switch the user into the correct
group when appropriate.

--
scott preece
gould/csd - urbana
uucp:	ihnp4!uiucdcs!ccvaxa!preece
arpa:	preece@Gould.com
jbuck@epimass.EPI.COM (Joe Buck) (12/17/87)
In article <9519@tekecs.TEK.COM> andrew@frip.gwd.tek.com (Andrew Klossner) writes:
>	"How do you assign a user to more than one group?"
>
>You can only do so under a Berkeley-derived Unix.

Well, sort of. Under 4.2bsd and its descendants (4.3, Ultrix, Sun,
etc), you can be in multiple groups at once; files are owned by a
single group, which is by default the same as that of the directory
the file is created in, though the owner can change the group of a
file to any group the owner is a member of.

Under all other Unixes, you can be authorized to be in multiple groups
(in the /etc/group file) but at any given time you are in only one
group. However, you can use "newgrp" to "log in" to a different
group.

--
- Joe Buck  {uunet,ucbvax,sun,decwrl,<smart-site>}!epimass.epi.com!jbuck
	    Old internet mailers: jbuck%epimass.epi.com@uunet.uu.net
brett@wjvax.UUCP (Brett Galloway) (12/17/87)
In article <578@aoa.UUCP> mbr@aoa.UUCP (Mark Rosenthal) writes:
>In article <4718@well.UUCP> samlb@well.UUCP (Samuel B. Bassett) writes:
>> How do you assign a user to more than one group?
>Berkeley had a better idea. They modified the kernel to keep a list
>of groups rather than a single group. Thus, when you log in they build
>a list consisting of the GID found in the /etc/passwd file and all the
>groups you belong to specified in the /etc/group file. If you don't own a
>file, but the GID of the file appears in your group list, your access is
>controlled by the group permissions on the file. You will see this scheme
>in the 4.?bsd versions of Unix. With this arrangement, there is no longer
>any need for a 'newgrp' command, so it was removed. Also, note that the
>group in /etc/passwd is not any more special than any of the groups you belong
>to by virtue of being mentioned in /etc/group. In 4.?bsd, there is really no
>longer any reason to have any group information in /etc/passwd. I assume they
>kept the field because it would have broken too many programs and shell scripts
>if they changed the format of /etc/passwd. And as long as you've got the field
>there, you might as well make it part of the group list along with the info
>in /etc/group.

I agree that it is kind of stupid to have group assignments in two different
files. However, I always thought it would be more useful to specify the
group list in /etc/passwd (so all the user-dependent stuff is in one place),
and then permit some other use for the information in /etc/group. One
candidate would be group expansions, i.e.

/etc/passwd:
	brett::765:0,81:Brett Galloway:/u1/brett:/bin/csh

/etc/group:
	wheel:*:0:staff
	staff:*:10
	user:*:80
	aduser:*:81:user
	synuser:*:82

In this example, I would be in groups 0 (wheel) and 81 (aduser), but group 0
would also provide access to group 10, and group 81 would provide access to
group 80, so I would be in four groups total (0,10,80,81). The processing of
/etc/group would be straight-forward enough (just change initgroups(3X)
appropriately).

This would centralize all of the user-dependent stuff in /etc/passwd.
Allowing group expansion in /etc/group would also simplify the handling of
multiple groups; often, one has a hierarchy of groups which could be expressed
statically in the /etc/group file. In these cases, multiple groups could be
assigned easily without embedding any of that knowledge in the /etc/passwd
file. The above example says in the /etc/passwd file that I am a wheel user
and I am in user group 'aduser'. The /etc/group file then says that wheel
users are also in group staff and aduser users are also in group user.

--
-------------
Brett D. Galloway
{ac6,calma,cerebus,isi,isieng,pyramid,tymix}!wjvax!brett
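
The group expansion proposed in the post above, worked through as an added example that is not part of the original thread or of any initgroups implementation: it reads the poster's example entries and computes the transitive set of GIDs, including the loop case the proposal would have to tolerate. The file format is the poster's proposal only, and the function names are hypothetical.

```python
# Added illustration of the proposal above; this file format is the poster's
# idea, not the format any real Unix uses. Function names are hypothetical.
PASSWD = "brett::765:0,81:Brett Galloway:/u1/brett:/bin/csh\n"
GROUP = """\
wheel:*:0:staff
staff:*:10
user:*:80
aduser:*:81:user
synuser:*:82
"""


def parse_expansions(group_text):
    """Return (name -> GID, GID -> list of group names it also grants)."""
    by_name, grants = {}, {}
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) < 3:
            continue
        by_name[f[0]] = int(f[2])
        extra = f[3].split(",") if len(f) > 3 else []
        grants[int(f[2])] = [n for n in extra if n]
    return by_name, grants


def passwd_gids(passwd_text):
    """Map login name -> GIDs listed in the 4th field (comma-separated)."""
    rows = (line.split(":") for line in passwd_text.splitlines() if line.strip())
    return {f[0]: [int(g) for g in f[3].split(",") if g] for f in rows}


def expand_groups(user, passwd_text, group_text):
    """Transitive closure of the user's listed GIDs over the expansion field."""
    by_name, grants = parse_expansions(group_text)
    seen, todo = set(), list(passwd_gids(passwd_text)[user])
    while todo:
        gid = todo.pop()
        if gid in seen:          # already expanded; also stops a -> b -> a loops
            continue
        seen.add(gid)
        for name in grants.get(gid, []):
            if name in by_name:  # names with no group line grant nothing
                todo.append(by_name[name])
    return sorted(seen)


def holders(gid, passwd_text, group_text):
    """Every login that ends up with `gid` once expansion is applied."""
    return sorted(u for u in passwd_gids(passwd_text)
                  if gid in expand_groups(u, passwd_text, group_text))


if __name__ == "__main__":
    print(expand_groups("brett", PASSWD, GROUP))
    print(holders(10, PASSWD, GROUP))
```

Because membership becomes transitive under this scheme, a one-word edit to a group line changes the effective groups of every account that reaches it, which is what `holders()` makes visible.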
bin@rhesus.primate.wisc.edu (Brain in Neutral) (12/18/87)
In article <10863@brl-adm.ARPA>, preece%fang@gswd-vms.Gould.COM (Scott E. Preece) writes:
<
<   From: Mark Rosenthal <mbr@aoa.uucp>
< > Also, note that the group in /etc/passwd is not any more special than
< > any of the groups you belong to by virtue of being mentioned in
< > /etc/group. In 4.?bsd, there is really no longer any reason to have any
< > group information in /etc/passwd.
< ----------
< Well, almost. The accounting system still records a gid with each
< accounting record and that is the one from the passwd file entry (unless
< it has been changed). So if you want to do accounting by groups,
< you still need something like newgrp to switch the user into the correct
< group when appropriate.

Unfortunately, disk space accounting by groups still fails, at least
if you're trying to account by who creates the file, as opposed to where
they create it. Files get the group of their directory, not the group
that the user is currently running as ... oh, well.

Trying to get group id information from sa is problematic, too. At least
as far as I can tell from the man page, sa only puts out user id, not
group id. Am I wrong - is there some way to do it without writing a local
hack?

---
Paul DuBois     UUCP: {allegra,ihnp4,seismo}!uwvax!rhesus!dubois    |
                ARPA: dubois@rhesus.primate.wisc.edu              --+--
                                                                    |
"Live by the sword, die by the sword."                              |
s/the sword/promiscuity/g
allbery@ncoast.UUCP (Brandon Allbery) (12/19/87)
As quoted from <4718@well.UUCP> by samlb@well.UUCP (Samuel B. Bassett):
+---------------
| 	How do you assign a user to more than one group?
| 	I've been appointed assistant sysadmin at work, and the subject of
| group read/write permissions has come up, and the sysadmin just looks blank
| when I ask how to enroll users in more than one group.
+---------------

You don't name the OS type. System V doesn't permit users to be in multiple
groups; that is (for now; hey, AT&T, snap it up! ;-) the exclusive province of
Berkeley Un*xes. If you've got 4.xBSD, watch for other responses....

--
Brandon S. Allbery	necntc!ncoast!allbery@harvard.harvard.edu
{hoptoad,harvard!necntc,cbosgd,sun!mandrill!hal,uunet!hnsurg3}!ncoast!allbery
Moderator of comp.sources.misc
mitch@stride1.UUCP (Thomas P. Mitchell) (01/21/88)
In article <4718@well.UUCP> samlb@well.UUCP (Samuel B. Bassett) writes:
>Semi-arcane question:
>
> How do you assign a user to more than one group?

Hello Sam,

You (root) must edit the file "/etc/group" to have the user
identified as a member of groups other than the primary one in
the passwd file.

-------- example --------
root:*:0:root,mitch
sys:*:3:root,bin,sys,adm,mitch
games:*:10:root,bruce
staff:*:100:sysman,mitch
--------------------------

Then depending on the operating system BSD, SysV, UniStride,
AIX etc. (trademarked products) the user may need to use the
'newgrp' command (Sys V) to move from the original group to
another. On systems with a BSD flavor it is possible to reside
in a number of groups at a time.

In the SysV case 'newgrp' causes in effect a new login. This
flushes any environment or history that may exist. Our
UniStride while a SysV based OS supports multiple groups.

One thing to double check on your system is the group
assignment rules when a file is created.

Thomas P. Mitchell (mitch@stride1.Stride.COM)
Phone: (702) 322-6868	TWX: 910-395-6073
MicroSage Computer Systems Inc. a Division of Stride Micro.
Opinions expressed are probably mine.