Author Topic: Group Privileges  (Read 4088 times)

Offline Was_Just19

  • Hero Member
  • *****
  • Posts: 6852
  • MLU
Group Privileges
« on: July 24, 2010, 09:15:18 AM »
Where might I find information about what privileges being a member of the different Groups might grant to a user if made a member of any of those Groups?

Thanks.

Offline Was_Just19

Re: Group Privileges
« Reply #1 on: July 26, 2010, 05:35:00 AM »
Unfortunately I have failed miserably to find the information I seek .....  most likely due to not using the correct terminology when searching.

To explain exactly what I seek here is an example .....  it concerns the fdisk command .....

The output from fdisk for any normal user is dependent upon the user's membership of different Groups.
In this case it is this

If the user is a member of the
disk group .......  then running fdisk -l  will show details of all internally attached HDDs

floppy group ..... then running fdisk -l will show details of all removable drives such as flash sticks.

This little bit of knowledge has helped me set up a user account with the ability to manage their own USB attached flash drives using fdisk (made them a member of the floppy group) but no ability to access the HDDs of the PC (not a member of the disk group).

What I am looking for is a list of the groups available in PCLOS and how they affect the members' permissions on the PC.

In other words I want to know for instance what being a member of the USB group does ......

Anyone any ideas where to find the info?

Thanks.

Offline Was_Just19

Re: Group Privileges
« Reply #2 on: July 27, 2010, 04:25:50 AM »
Another day of searching and I still have not found the information ......  I must be looking using the wrong search terms .....

This is driving me nuts!

uncleV

  • Guest
Re: Group Privileges
« Reply #3 on: July 27, 2010, 05:35:46 AM »
While masters are silent I'd like to ask if I understand the group thing correctly.

Uncle uncleV, the noob:
Goes to a device /dev/bus/usb/001 (or 002) and sees the properties of this file.
It's owned by root-user and root-group;
owner, group and other users can read and write to it.

The files (subdirectories) in the path to 001 are marked as executable for anybody, so anybody can open them.

Overall - anybody can read and write to USB 001.

But what if /dev/bus/usb/001 file had read/write permissions only for owner and group and not for other users?
So to grant uncleV read/write possibilities this user should be included in the group root.

Is this a correct understanding?

Another question:
Can I determine what the group usb (usb:x:43:saned) controls if I find all the files owned by group usb?
« Last Edit: July 27, 2010, 05:42:57 AM by uncleV »

Offline Neal ManBear

  • Administrator
  • Super Villain
  • *****
  • Posts: 15847
  • LXDE! Coffee, Bacon and Cheesecake!
Re: Group Privileges
« Reply #4 on: July 27, 2010, 05:55:40 AM »

Offline Was_Just19

Re: Group Privileges
« Reply #5 on: July 27, 2010, 06:49:36 AM »
Quote
Does this help?
http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html


Not so far  ;D   Been there a couple of times but I cannot find the info I am looking for unfortunately.
It is relatively easy to manage existing groups it seems .....  really all I need from that is to either make a user a member of a specific group or not, and when a member, the user is granted the privileges of that group.

I have yet to find what the privileges for the predefined system groups are.
The user groups created with each user are a different type of group, and affect access to and permissions of the specific files etc created by the owner. So if user A allowed user B to be a member of the user A group, user B would then have access to user A files, dependent on the specific permissions assigned to those files. (that is how I understand it presently)

But if one looks at the 'standard' groups which are preset in the system, they grant privileges to their members, to do things non-members are not allowed to do.
Somewhere there must be a file or such that specifies what privileges are granted to the members of each group.

Either I am completely missing what I am reading, or I have not read what I need to read ....  either way I am still in the dark!  ;D

@uncleV .......   at the present state of my understanding I will refrain from commenting on your questions .......  maybe with more information (if I find it) things will be clearer. All I can say is that user groups and system groups are different.
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html
That might help answer the questions   ;)

/etc/password and /etc/groups have some information but not what I am looking for unfortunately.

Onwards and upwards I guess  ;D

Offline Neal ManBear

Re: Group Privileges
« Reply #6 on: July 27, 2010, 07:02:43 AM »
Did you check /usr/share/man/man1/groups.1.bz2? Maybe something in it could point out a direction for investigation.

uncleV

Re: Group Privileges
« Reply #7 on: July 27, 2010, 07:20:24 AM »
Quote
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html
That might help answer the questions   ;)

Funny but before I posted my question I read exactly the same tutorial - a book of Redhat 7.3 that I have in my language here.

Offline Was_Just19

Re: Group Privileges
« Reply #8 on: July 27, 2010, 08:55:27 AM »
Quote
Did you check /usr/share/man/man1/groups.1.bz2? Maybe something in it could point out a direction for investigation.

Yes I have been through the man page ......  nothing about the preset groups

***

I have to admit to being a bit puzzled to be honest.
Have none of the devs involved in creating releases needed this information so they could be sure that the default rights assigned to a new user are what they should be?

I now know for instance that membership of the 'floppy' group entails much more than access to a floppy drive. It also has an effect on the response the user gets from at least one command - fdisk. I only got this info by trial and error. The response to the same command is also affected by being a member of the 'disk' group.

That raises the question about other commands and other groups, --- what else is affected?

I have been scouring the net for an answer for many days, but cannot get anything on the subject.

It is beginning to look like some things are not as open as one might have thought!

Frustrating!

Offline Neal ManBear

Re: Group Privileges
« Reply #9 on: July 27, 2010, 09:07:32 AM »
To be honest, I hadn't thought about this before. Someone knows about this, but who? And where is the documentation? Hmm...... I think the documentation for this is probably scattered all over, with a line here and another there. If it is all in one place, I haven't found it. That isn't to say that it doesn't exist, only that my searching hasn't turned it up.
 

Online kjpetrie

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 3989
Re: Group Privileges
« Reply #10 on: July 27, 2010, 09:40:59 AM »
I think the answer is:

1. The groups do not grant any privileges,

2. Some applications might grant privileges to members of a group. That might be documented in the man page,

3. The file system grants privileges to members of a group through the GID ownership and permissions of a file. That information can be found from the properties of the file.

So if you have an application /usr/bin/someapp and you only want certain users to use it you could create a group called someappgroup and set its permissions to
Code:

-rwxr-x--- root someappgroup ... someapp

Then you would make the users you wanted to use it members of someappgroup.
-----------
KJP
-----------------------------------------------------------
PClos64 RC1 on Intel D945GCLF2 motherboard (Atom 330), 2GB DDR2 RAM, Maxtor STM325031, HL-DT-ST DVDRAM GSA-H42N, Amilo LSL 3220T monitor. Also Acer 5810TG (with custom kernel) and Asus eeePC 2G surf
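
Point 3 of the reply above, and uncleV's earlier question about finding the files owned by a group, can be checked from the shell. The following is an added example, not code from any poster in this thread: it lists every path under the given directories that is owned by a group and what the group permission bits allow. The function names `group_grants` and `user_grants` are made up for this example.

```shell
#!/bin/sh
# Added example: show what the file system grants to members of a group.
# group_grants and user_grants are hypothetical helper names, not standard
# commands. Paths containing newlines are not handled.

# usage: group_grants GROUP DIR [DIR...]
# Prints "<group rwx bits> <full mode> <path>" for every path owned by
# GROUP on which at least one group permission bit is set.
group_grants() {
    grp=$1; shift
    # -perm -040/-020/-010: group read, write or execute bit is set.
    find "$@" -group "$grp" \( -perm -040 -o -perm -020 -o -perm -010 \) \
        2>/dev/null |
    while IFS= read -r path; do
        # First 10 characters of ls -ld are the type and mode string;
        # characters 5-7 are the group's bits (an "s" there means setgid).
        mode=$(ls -ld "$path" | cut -c1-10)
        gbits=$(printf '%s' "$mode" | cut -c5-7)
        printf '%s %s %s\n' "$gbits" "$mode" "$path"
    done
}

# usage: user_grants USER DIR [DIR...]
# Runs group_grants for every group USER belongs to, prefixing each
# line with the group name, so the effect of each membership is visible.
user_grants() {
    user=$1; shift
    for g in $(id -Gn "$user"); do
        group_grants "$g" "$@" |
        while IFS= read -r line; do
            printf '%s: %s\n' "$g" "$line"
        done
    done
}
```

For example, `group_grants disk /dev` and `group_grants floppy /dev` show which device nodes each of the two groups discussed in this thread can read or write on the machine where they are run.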

Offline Was_Just19

Re: Group Privileges
« Reply #11 on: July 27, 2010, 09:42:26 AM »
Quote
To be honest, I hadn't thought about this before. Someone knows about this, but who? And where is the documentation? Hmm...... I think the documentation for this is probably scattered all over, with a line here and another there. If it is all in one place, I haven't found it. That isn't to say that it doesn't exist, only that my searching hasn't turned it up.
 

Neither has my searching  .....  and anyone I asked could not point me to it either ........  I am beginning to wonder if this information is not readily available at all.

Yet it seems, at least on the surface, to be a necessary part of setting up a user account, and thus required at least by admins and distro devs.

No doubt the defaults are different for Mandy than other main distros, so it is Mandy docs I have been concentrating on ....  but still nothing .....

.......  maybe it is one of their little secrets!

Offline Joble

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 6804
  • USA - Mountain Time
Re: Group Privileges
« Reply #12 on: July 27, 2010, 09:45:20 AM »
I haven't been able to find anything useful either.   :(

Offline Was_Just19

Re: Group Privileges
« Reply #13 on: July 27, 2010, 09:55:16 AM »
Quote
I think the answer is:

1. The groups do not grant any privileges,

2. Some applications might grant privileges to members of a group. That might be documented in the man page,

3. The file system grants privileges to members of a group through the GID ownership and permissions of a file. That information can be found from the properties of the file.

So if you have an application /usr/bin/someapp and you only want certain users to use it you could create a group called someappgroup and set its permissions to
Code:

-rwxr-x--- root someappgroup ... someapp

Then you would make the users you wanted to use it members of someappgroup.


That is a group giving a member access to an app/command which they otherwise would require special (maybe root) privileges for, if I understand correctly.

If there are no rights issues involved, how then do you explain the example I gave above ? ...... all users have access to fdisk ..... if you are a member of the 'disk' group fdisk -l will list the internal drive; if you are a member of the 'floppy' group it will list the USB removable drives; if you are a member of both it will list all of them; and if you are a member of neither it will list none.
It does not return a 'command not found' which would be expected if the user had no access to the command.
So all users have access, but depending on their membership of groups their rights to use it on certain devices are determined.

I conclude from that .....  membership of groups grants members rights based on the group settings ...  which is contrary to
Quote
1. The groups do not grant any privileges,

So now the question is, what other rights are affected by membership of the different groups?
Where is that information available?

Offline jaydot

  • Administrator
  • Super Villain
  • *****
  • Posts: 15568
  • there is no limitation on imagination
Re: Group Privileges
« Reply #14 on: July 27, 2010, 09:59:49 AM »
johnboy, have you consulted 'rute'?  it's in the repo.  i recall reading about groups and permissions way back when i was beginning linux.