Assigning group rights (was: Re: Root isn't God)
Leonard den Ottolander
leonardjo at hetnet.nl
Sun Dec 21 12:23:48 UTC 2003
Hello Guus,
> I still wonder though how the group-thing
> works. If someone is in group bigby, say user1. Then she logs on to userid
> user1 and gets the permissions for user1. Are all group permissions assigned
> automatically, or do you have to change group in some way?
Just a few remarks on the issue:
On Red Hat users are automatically assigned their own group. On other
distros this behaviour might be different, i.e. all users are put in group
"users" by default.
File permissions are evaluated "top down" (from left to right). That means
that a file with permissions rwx---r-x (705) and ownership guus.guus can be
read, written and executed by guus, but not by members of group guus. OTOH,
any user that is not a member of group guus can read and execute that file.
Although this might not seem very useful at first, it can be when e.g. a
system user needs to be able to cd to a user's home directory, but normal
users should not. In that case you make all shell users members of group
users, chgrp all home directories to users and set file permissions on
the home directories to 701. The system user (any user not a member of users)
can cd into the home directories, but shell users cannot. A specific
example of this could be apache needing to access the users' public_html
directories.
Note that when changing group memberships of a user with usermod you also
need to specify the existing groups a user is already a member of, or the user
will lose membership of those groups. I use the following scripts to add
a user to or delete a user from a group:
# cat adduser2group
#!/bin/sh
# Add a user to a supplementary group while keeping the groups the user is
# already in (usermod -G replaces the whole supplementary group list).
if [ "$1" = "" ] || [ "$2" = "" ]; then
    echo "Usage: $0 <username> <groupname>"
    exit 1
fi
user=$1
group=$2
allgroups=${group}
# Anchor the patterns to the start of the line so that "bob" does not match
# "bobby" or a name that happens to appear in another field.
if [ "$( grep "^${user}:" /etc/passwd )" = "" ]; then
    echo "User ${user} doesn't exist"
    echo "Aborting"
    exit 1
fi
if [ "$( grep "^${group}:" /etc/group )" = "" ]; then
    echo "Group ${group} doesn't exist"
    echo "Aborting"
    exit 1
fi
# Collect every group whose member field (4th field) names the user exactly,
# skipping the user's own group of the same name (Red Hat user private group).
for gr in $( grep -E "^[^:]*:[^:]*:[^:]*:(.*,)?${user}(,.*)?$" /etc/group | grep -v "^${user}:" | cut -f 1 -d : )
do
    if [ "$gr" = "$group" ]; then
        echo "User is already member of group ${gr}"
        echo "Aborting"
        exit 1
    fi
    allgroups="${allgroups},${gr}"
done
echo "Adding user \"${user}\" to group \"${group}\""
echo "User \"${user}\" is now member of the following groups:"
echo " ${allgroups}"
usermod -G "${allgroups}" "${user}"
--- end of script ---
# cat deleteuserfromgroup
#!/bin/sh
# Remove a user from one supplementary group while keeping all the others
# (usermod -G replaces the whole supplementary group list).
if [ "$1" = "" ] || [ "$2" = "" ]; then
    echo "Usage: $0 <username> <groupname>"
    exit 1
fi
user=$1
group=$2
allgroups=""
# Matches a group line whose member field (4th field) names the user exactly.
member_re="^[^:]*:[^:]*:[^:]*:(.*,)?${user}(,.*)?$"
if [ "$( grep "^${user}:" /etc/passwd )" = "" ]; then
    echo "User ${user} doesn't exist"
    echo "Aborting"
    exit 1
fi
if [ "$( grep "^${group}:" /etc/group )" = "" ]; then
    echo "Group ${group} doesn't exist"
    echo "Aborting"
    exit 1
fi
if [ "$( grep "^${group}:" /etc/group | grep -E "${member_re}" )" = "" ]; then
    echo "User \"${user}\" is no member of group \"${group}\""
    echo "Aborting"
    exit 1
fi
# This is Red Hat specific: every user has a private group of the same name.
if [ "${user}" = "${group}" ]; then
    echo "Cannot delete user from group with same name"
    echo "This requires the deletion of the whole group"
    echo "Aborting"
    exit 1
fi
for gr in $( grep -E "${member_re}" /etc/group | grep -v "^${user}:" | cut -f 1 -d : )
do
    if [ "$gr" != "$group" ]; then
        allgroups="${allgroups},${gr}"
    fi
done
# Strip the leading comma left by the loop; the list is empty when no
# other supplementary group remains, which usermod -G "" accepts.
allgroups=${allgroups#,}
echo "Deleting user \"${user}\" from group \"${group}\""
echo "User \"${user}\" is now member of the following groups:"
echo " ${allgroups}"
usermod -G "${allgroups}" "${user}"
--- end of script ---
Bye,
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
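To make the "top down" evaluation described above concrete, here is an added example (not part of Leonard's post) that models the owner/group/other check in Python against constructed /etc/passwd and /etc/group data; the user names, uids and gids are made up, and the member lookup matches names exactly rather than as substrings.

```python
# Constructed /etc/passwd and /etc/group data (not from a real system).
PASSWD = """\
guus:x:500:500:Guus:/home/guus:/bin/bash
user1:x:501:501:User One:/home/user1:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""
GROUP = """\
guus:x:500:user1
user1:x:501:
apache:x:48:
users:x:100:guus,user1
"""

def parse_passwd(text):
    """Map user name -> (uid, primary gid)."""
    users = {}
    for line in text.splitlines():
        name, _, uid, gid = line.split(":")[:4]
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Map group name -> (gid, set of members listed in the 4th field)."""
    groups = {}
    for line in text.splitlines():
        name, _, gid, members = line.split(":")
        groups[name] = (int(gid), set(m for m in members.split(",") if m))
    return groups

USERS = parse_passwd(PASSWD)
GROUPS = parse_group(GROUP)

def gids_of(user):
    """Every gid the user belongs to: the primary gid plus each group
    whose member list names the user (exact match, not a substring)."""
    gids = {USERS[user][1]}
    gids.update(gid for gid, members in GROUPS.values() if user in members)
    return gids

def can_access(user, want, mode, owner, group):
    """Non-root access check: the owner triple applies if the uid
    matches, else the group triple if any of the user's gids matches,
    else the other triple. Only the first matching class counts, so
    705 gives group members nothing while everyone else gets r-x."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if USERS[user][0] == USERS[owner][0]:
        triple = (mode >> 6) & 7
    elif GROUPS[group][0] in gids_of(user):
        triple = (mode >> 3) & 7
    else:
        triple = mode & 7
    return bool(triple & bit)
```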