
1. Create the group.

Groups are defined in the file /etc/group. Each line in that file defines a group. Each line is of the form:


GroupName:x:GroupID:GroupMembers


GroupName is the name of the group. It is the group name that shows up in long form ls output. The second field is for the group’s password. If we may confess, we don’t know if this feature works anymore. You used to be able to specify a group password, but this defeats the whole purpose of not sharing passwords. Sharing passwords is a security risk. Don’t do it. The third field is the group ID number. Remember that files have owning users and owning groups. These are both stored as numbers. User numbers are known as uids and group numbers as gids. These numbers should be unique. If you reuse a number for more than one group, the effect could be indeterminate, since it would depend on how a given program was written. Don’t reuse numbers. The final column is a comma-delimited list of user names. Those named users are said to belong to the group. We’ll talk some more about what that means as we go on.


Imagine that user names bob, ted, carol, and alice are part of carl and michael’s Web development team and each has an account on the box on which we intend to install JBoss.

So, we create a group entry in the /etc/group file:


local:x:100:carl,michael,bob,carol,ted,alice


If Bob later leaves to join the custodial staff, simply remove his name from the group and he loses his access.




TIP

The user’s default group is specified in the /etc/passwd file. Here’s a sample:


mschwarz:x:500:500:Michael Schwarz:/home/mschwarz:/bin/bash


The fields of this are:

username:passwd:uid:gid:userinfo:homedir:loginprog


where:

username is the login name of the user.

passwd is the user’s encrypted password. Or rather it used to be. Now, this is usually x and the encrypted password is stored in the /etc/shadow file. This is because /etc/passwd must be world-readable. The shadow file is not. This prevents someone from reading the encrypted passwords and running an offline dictionary attack against them.

uid is the numeric user ID associated with this username.

gid is the numeric group ID of this user’s default group. Look for this number in /etc/group to find the name of the default group.

userinfo is additional information about this user. Sometimes called the gecos field for obscure historical reasons,5 this field usually stores the user’s real name and possibly other information like office location and phone number.

homedir is the user’s home directory.

loginprog is the name of the program that will be executed when the user logs in. This is usually a shell, but it may be any program.



5. See http://www.hyperdictionary.com/dictionary/GCOS if you are dying to know why.
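The two record formats just described are simple enough to parse by hand, and doing so lets you check the things the text warns about: that no gid is reused, that every default gid in /etc/passwd resolves to a name in /etc/group, and who ends up in a group once the default group is counted as well as the explicit member list. The following is an added example, not code from the book; the /etc/group and /etc/passwd contents are constructed for it and do not come from any real system.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample /etc/group contents (not copied from any real system).
GROUP_FILE = """\
root:x:0:
staff:x:50:
mschwarz:x:500:
carol:x:501:
local:x:100:carl,michael,bob,carol,ted,alice
web:x:700:carol,alice
"""

# Constructed sample /etc/passwd contents; the 'x' means the hash lives in /etc/shadow.
PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/bash
mschwarz:x:500:500:Michael Schwarz:/home/mschwarz:/bin/bash
carol:x:501:501:Carol:/home/carol:/bin/bash
bob:x:502:50:Bob:/home/bob:/bin/bash
"""

@dataclass
class Group:
    name: str
    gid: int
    members: List[str]   # supplementary members from the fourth field

@dataclass
class User:
    name: str
    uid: int
    gid: int             # default group, looked up by number in /etc/group
    gecos: str
    home: str
    shell: str

def parse_group(text: str) -> Dict[str, Group]:
    """Parse GroupName:x:GroupID:GroupMembers lines into Group records keyed by name."""
    groups: Dict[str, Group] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"group line {lineno}: expected 4 fields, got {len(fields)}")
        name, _password, gid, members = fields
        # An empty fourth field means no supplementary members, not a member named "".
        groups[name] = Group(name, int(gid), [m for m in members.split(",") if m])
    return groups

def parse_passwd(text: str) -> Dict[str, User]:
    """Parse username:passwd:uid:gid:userinfo:homedir:loginprog lines into User records."""
    users: Dict[str, User] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _password, uid, gid, gecos, home, shell = fields
        users[name] = User(name, int(uid), int(gid), gecos, home, shell)
    return users

def duplicate_gids(groups: Dict[str, Group]) -> Dict[int, List[str]]:
    """Return gid -> group names for every gid that more than one group reuses."""
    by_gid: Dict[int, List[str]] = {}
    for g in groups.values():
        by_gid.setdefault(g.gid, []).append(g.name)
    return {gid: names for gid, names in by_gid.items() if len(names) > 1}

def default_group(user: User, groups: Dict[str, Group]) -> str:
    """Resolve the passwd gid to a name by looking the number up in the group file."""
    for g in groups.values():
        if g.gid == user.gid:
            return g.name
    raise LookupError(f"gid {user.gid} of user {user.name} is not defined in the group file")

def groups_of(username: str, users: Dict[str, User], groups: Dict[str, Group]) -> Set[str]:
    """Every group a user belongs to: the default group plus each explicit membership."""
    result = {g.name for g in groups.values() if username in g.members}
    if username in users:
        result.add(default_group(users[username], groups))
    return result

def remove_member(groups: Dict[str, Group], group_name: str, username: str) -> bool:
    """Revoke access the way the text describes: drop the name from the member list."""
    members = groups[group_name].members
    if username not in members:
        return False
    members.remove(username)
    return True

def format_group(g: Group) -> str:
    """Render a Group back into the /etc/group line format."""
    return f"{g.name}:x:{g.gid}:{','.join(g.members)}"
```

Note that removing bob from the local line takes away only the access that line granted; anything he reaches through his default group (staff in the constructed sample) is untouched, which is exactly why the NOTE below prefers a private group per user over a shared staff group.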




NOTE

There are two strategies that Linux distributions follow for assigning a default group to a new user. One is to put all users into a group called staff or some such. This is widely considered a security risk since it often leads to making files accidentally readable or writable by all users on the system. The more common method is to create a group for each user when the user is created.



TIP

If you get in the habit of creating groups, you might want to assign the numbers systematically: 500–599 groups for programs, 600–699 groups for program installation, 700–799 groups for company departments to allow them to control their own Web content, and so on.



2. Change group ownership of /usr/local.

Odds are, /usr/local already exists on your system. It may even have several programs installed in it. You must give the group ownership over everything in /usr/local and below. The chgrp command changes the group owner of files, and the -R argument says to do so recursively:


# cd /usr/local

# chgrp -R local .


At this point, everything in /usr/local and below is group-owned by the local group.

3. Set group permissions on /usr/local.

Basically, you want the group to be able to read and write everything in /usr/local. To do this, you need to change the permissions on all the files with the chmod command. As with chgrp, this command takes a -R argument that recursively walks the directory tree. We need to give everyone in the group read and write permission on all the files:


# chmod -R g+rw .




NOTE

We are assuming you are carrying out these steps in sequence and thus your current working directory is still /usr/local.



4. Set directory permissions on /usr/local.

You want slightly different permissions on directories. First, you want the group to have execute permission on directories. This allows each member of the group to make each directory his or her current working directory. See Eric Raymond’s Unix and Internet Fundamentals6 for a good basic introduction to file permissions on UNIX.

Also, on Linux systems, when a user creates a file, that file is, by default, group-owned by the user’s primary group,7 which is not what we want here. We want files created by a user in this directory to be group-owned by the local group. To do this, we have to set the setgid bit on all the directories in /usr/local and below. When a user creates a file in a directory that has the setgid bit set, that file will be group-owned by the group-owner of the directory if the user is a member of that group. If the user is not, it will be group-owned by the user’s default group as usual. So we need to set execute and setgid permissions on all the directories in /usr/local and below:


# find /usr/local -type d -exec chmod g+xs {} \; -print

/usr/local

/usr/local/share

/usr/local/share/bochs

/usr/local/share/bochs/keymaps

/usr/local/share/bochs/keymaps/CVS

/usr/local/share/doc

...

...

etc.



6. http://en.tldp.org/HOWTO/Unix-and-Internet-Fundamentals-HOWTO/disk-layout.php#permissions

7. Which is the group ID specified for the user in the /etc/passwd file.


With this setup, members of the local group can manage files and programs in /usr/local and below as they wish. They have full power over the files and they need nothing but their own login credentials to do it. The root password can remain private.
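Steps 2 through 4 above are easy to get subtly wrong (files and directories need different bits, and the setgid bit only sticks if the group is already right), so it is worth having a way to rehearse the whole sequence and then audit the result. The following is an added example, not from the book: it reproduces chgrp -R, chmod -R g+rw and the find -type d -exec chmod g+xs pass on a throwaway directory tree instead of /usr/local, so it runs without root, and then lists every path that is still not group-owned by the intended gid or lacks the intended group bits. Because the example does not create a local group, it uses the calling user's own primary group as a stand-in; the tree layout is constructed to look like a populated /usr/local.

```python
import os
import stat
import tempfile

# Group bits the procedure grants: rw on files; rwx plus setgid on directories.
FILE_GROUP_BITS = stat.S_IRGRP | stat.S_IWGRP
DIR_GROUP_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP | stat.S_ISGID

def build_sample_tree(root: str) -> None:
    """Constructed stand-in for an already-populated /usr/local, with tight modes."""
    for d in ("bin", "share/doc", "share/bochs/keymaps"):
        os.makedirs(os.path.join(root, d))
    for f in ("bin/tool", "share/doc/README", "share/bochs/keymaps/x11-pc-us.map"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("sample content\n")
    # Start from owner-only modes so the effect of the procedure is visible.
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o700)
        for name in files:
            os.chmod(os.path.join(dirpath, name), 0o600)

def grant_group_control(root: str, gid: int) -> None:
    """Equivalent of: chgrp -R gid; chmod -R g+rw; find -type d -exec chmod g+xs."""
    for dirpath, _dirs, files in os.walk(root):
        # chgrp before chmod: a non-root owner can only set setgid on a directory
        # whose group he or she belongs to, so the group must be right first.
        os.chown(dirpath, -1, gid)
        os.chmod(dirpath, stat.S_IMODE(os.stat(dirpath).st_mode) | DIR_GROUP_BITS)
        for name in files:
            path = os.path.join(dirpath, name)
            os.chown(path, -1, gid)
            os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) | FILE_GROUP_BITS)

def audit(root: str, gid: int) -> dict:
    """List every path not group-owned by gid or missing the intended group bits."""
    problems = {"wrong_group": [], "dir_missing_bits": [], "file_missing_bits": []}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in files]:
            st = os.stat(path)
            if st.st_gid != gid:
                problems["wrong_group"].append(path)
            is_dir = stat.S_ISDIR(st.st_mode)
            want = DIR_GROUP_BITS if is_dir else FILE_GROUP_BITS
            if (st.st_mode & want) != want:
                problems["dir_missing_bits" if is_dir else "file_missing_bits"].append(path)
    return problems

def demo() -> dict:
    """Run the procedure on a throwaway tree and return the audit before and after."""
    gid = os.getgid()   # stands in for the 'local' group, which this example does not create
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = audit(root, gid)
        grant_group_control(root, gid)
        after = audit(root, gid)
    return {"before": before, "after": after}

if __name__ == "__main__":
    for phase, problems in demo().items():
        print(phase, {key: len(paths) for key, paths in problems.items()})
```

The audit function is the reusable part: pointed at the real /usr/local with the gid of the local group, it reports anything a later installer or a stray tar extraction has put there with the wrong group or without the setgid bit, which is the usual way this setup silently degrades over time. Inheriting the directory's group on newly created files cannot be shown with a single group, so the example only verifies the bits that make that inheritance possible.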