Assigning group rights (was: Re: Root isn't God

Leonard den Ottolander leonardjo at hetnet.nl
Sun Dec 21 12:23:48 UTC 2003


Hello Guus,

> I still wonder though how the group-thing
> works. If someone is in group bigby, say user1. Then she logs on to userid
> user1 and gets the permissions for user1. Are all group permissions assigned
> automatically, or do you have to change group in some way?

 Just a few remarks on the issue:

 On Red Hat users are automatically assigned their own group. On other 
distros this behaviour might be different, i.e. all users are put in group 
"users" by default.

 File permissions are evaluated "top down" (from left to right). That means 
that a file with permissions rwx---r-x (705) and ownership guus.guus can be 
read, written and executed by guus, but not by members of group guus. Otoh 
any user that is not a member of group guus can read and execute that file.

 Although this might not seem very useful at first it can be when e.g. a 
system user needs to be able to cd to a user's home directory, but normal 
users should not. In that case you make all shell users member of group 
users and chgrp all home directories to users and set file permissions on 
the home directories to 701. The system user (any user not member of users) 
can cd into the home directories, but shell users can not. A specific 
example of this could be apache needing to access the users' public_html 
directories.

 Note that when changing group memberships of a user with usermod you also 
need to specify existing groups a user is already a member of, or the user 
will lose membership of those groups. I use the following scripts to add 
to or delete a user from a group:

# cat adduser2group
#!/bin/sh
# Add a user to a supplementary group without dropping the groups the
# user already belongs to (usermod -G replaces the whole list).

if [ -z "$1" ] || [ -z "$2" ]; then
  echo "Usage: $0 <username> <groupname>"
  exit 1
fi

user=$1
group=$2
allgroups=${group}

# Anchored patterns: a bare "grep ${user}" would also match "${user}2" etc.
if ! grep -q "^${user}:" /etc/passwd; then
  echo "User ${user} doesn't exist"
  echo "Aborting"
  exit 1
fi

if ! grep -q "^${group}:" /etc/group; then
  echo "Group ${group} doesn't exist"
  echo "Aborting"
  exit 1
fi

# Existing supplementary groups: lines whose member list (4th field)
# contains exactly ${user}; the user's own private group is skipped.
member_re="[^:]*:[^:]*:([^:]*,)?${user}(,[^:]*)?$"
for gr in $( grep -E "^[^:]*:${member_re}" /etc/group | grep -v "^${user}:" | cut -f 1 -d : )
do
  if [ "$gr" = "$group" ]; then
    echo "User is already member of group ${gr}"
    echo "Aborting"
    exit 1
  fi
  allgroups="${allgroups},${gr}"
done
echo "Adding user \"${user}\" to group \"${group}\""
echo "User \"${user}\" is now member of the following groups:"
echo " ${allgroups}"
usermod -G "${allgroups}" "${user}"
--- end of script ---

# cat deleteuserfromgroup
#!/bin/sh
# Remove a user from one supplementary group, keeping all the others.

if [ -z "$1" ] || [ -z "$2" ]; then
  echo "Usage: $0 <username> <groupname>"
  exit 1
fi

user=$1
group=$2
allgroups=""

if ! grep -q "^${user}:" /etc/passwd; then
  echo "User ${user} doesn't exist"
  echo "Aborting"
  exit 1
fi

if ! grep -q "^${group}:" /etc/group; then
  echo "Group ${group} doesn't exist"
  echo "Aborting"
  exit 1
fi

# ${user} must appear as a whole name in the member list (4th field)
member_re="[^:]*:[^:]*:([^:]*,)?${user}(,[^:]*)?$"
if ! grep -Eq "^${group}:${member_re}" /etc/group; then
  echo "User \"${user}\" is no member of group \"${group}\""
  echo "Aborting"
  exit 1
fi

# This is Red Hat specific
if [ "${user}" = "${group}" ]; then
  echo "Cannot delete user from group with same name"
  echo "This requires the deletion of the whole group"
  echo "Aborting"
  exit 1
fi

for gr in $( grep -E "^[^:]*:${member_re}" /etc/group | grep -v "^${user}:" | cut -f 1 -d : )
do
  if [ "$gr" != "$group" ]; then
    # append with a comma only when the list is not empty yet
    allgroups="${allgroups:+${allgroups},}${gr}"
  fi
done

echo "Deleting user \"${user}\" from group \"${group}\""
echo "User \"${user}\" is now member of the following groups:"
echo " ${allgroups}"
# Quoted so that an empty list still reaches usermod (clears all
# supplementary groups) instead of being dropped from the command line.
usermod -G "${allgroups}" "${user}"
--- end of script ---

Bye,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
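The "top down" evaluation described in the post, as an added example (not part of the original message): a small model of how the kernel picks exactly one permission class, run over the post's own cases (the 705 file owned guus.guus and the 701 home directory chgrp'd to users). User names other than guus and apache, and the group sets, are constructed for the illustration; root is not modelled.

```python
# Added example: model of Unix permission-class selection. The kernel uses
# the owner class if you own the file, else the group class if you are in the
# file's group, else the other class. It never falls through to a later class.

def parse_mode(mode):
    """Return {'owner','group','other'} -> set of 'r','w','x'.
    Accepts symbolic ('rwx---r-x'), octal string ('705') or an int mask (0o705)."""
    if isinstance(mode, int) or mode.isdigit():
        bits = mode if isinstance(mode, int) else int(mode, 8)
        triplets = [(bits >> shift) & 0o7 for shift in (6, 3, 0)]
        sets = [{p for p, b in (("r", 4), ("w", 2), ("x", 1)) if t & b}
                for t in triplets]
    elif len(mode) == 9 and set(mode) <= set("rwx-"):
        sets = [{c for c in mode[i:i + 3] if c != "-"} for i in (0, 3, 6)]
    else:
        raise ValueError("mode must be 9 symbolic chars or octal")
    return dict(zip(("owner", "group", "other"), sets))

def effective_perms(mode, file_owner, file_group, user, user_groups):
    """Permissions `user` actually gets; user_groups = primary + supplementary.
    root is deliberately not modelled (it bypasses these checks)."""
    classes = parse_mode(mode)
    if user == file_owner:
        return classes["owner"]
    if file_group in user_groups:
        return classes["group"]
    return classes["other"]

def post_examples():
    """The cases from the post, as a dict of who gets what (constructed users)."""
    r = {}
    # rwx---r-x (705), ownership guus.guus
    r["guus on 705"] = effective_perms("rwx---r-x", "guus", "guus", "guus", {"guus"})
    # 'ann' is a member of group guus but does not own the file: nothing at all
    r["group member on 705"] = effective_perms("705", "guus", "guus", "ann", {"ann", "guus"})
    # 'bob' is outside group guus, so the other class (r-x) applies
    r["outsider on 705"] = effective_perms("705", "guus", "guus", "bob", {"bob"})
    # home dir chgrp'd to users, mode 701: shell users hit the empty group class
    r["shell user on 701 home"] = effective_perms(0o701, "guus", "users", "ann", {"ann", "users"})
    # apache is not in group users, lands in 'other' and gets x (can cd)
    r["apache on 701 home"] = effective_perms(0o701, "guus", "users", "apache", {"apache"})
    return r

if __name__ == "__main__":
    for case, perms in post_examples().items():
        print(f"{case:24s} -> {''.join(sorted(perms)) or '(none)'}")
```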
