[CLUE-Tech] groups

Timothy C. Klein teece at silverklein.net
Tue Apr 30 17:57:56 MDT 2002


* Mike Staver (staver at fimble.com) wrote:
> Alright, so I created an accounted called ftpguys, and added it to the 
> group ftpguys.  Then, I made sure the ftp_files directory is owned by 
> ftpguys and so is everything in the directory.  Still no go when I try 
> to ftp in as "boz" and try to upload a file.  Also, I can not touch a 
> file when su'd as boz.  I seriously don't understand how this groups 
> thing works if what I have done thus far doesn't seem to allow people in 
> a specific group access to a certain file or directory.  You said the 
> system first pays attention to the user id - well, how do I get it to 
> look past that and at the group?
> 

The system first sees if the user is allowed access.  Thus, if the user
is granted access, then the file permission checking will stop.  If the
user is not granted access, the group access rights are checked.  If the
user belongs to the group, then access is granted.  If still no
permissions are allowed, the system checks the 'other' field of the
file.  This is the last check.

Thus, assume this

/etc/passwd

teece:x:1000:1000:Timothy C. Klein,,,:/home/teece:/bin/bash

and /etc/group

dialout:x:20:teece,silver13
cdrom:x:24:teece
floppy:x:25:teece
sudo:x:27:teece
audio:x:29:teece,silver13
backup:x:34:teece,silver13
src:x:40:teece
video:x:44:teece
cvs:x:103:teece
lpadmin:x:104:teece,silver13,root
teece::1000:teece

Those are all the groups I belong to.  Thus, if there is the following
file:

crw-rw-r--    1 root     dialout    4,  64 Mar 19 00:27 /dev/ttyS0

(my first serial port).

Say I want write access to that file.  First, the system checks the
owner, which is root.  I am not root, so I am not granted access that
way.  Next, it checks the group, which is dialout.  You'll notice that I
am a member of the dialout group from the /etc/group listing.  Also,
members of this group are allowed write access to the file (that's the
5th position in the permissions field; it is a 'w', which means write
access OK).  The system doesn't have to check any longer, as it knows I
can write to the file.

When you create a file, it is going to have your user account as the
owner, and your default group from the /etc/passwd file.  Unless I
change something, any file I create will belong to user teece, group
teece (uids of 1000, 1000, see above).  

If I want to create something belonging to group src, I do a
chmod teece.src somefile. The thing that used to always bite me was the
groups password.  They can have one, but I never use them.  So I would
edit the /etc/group file by hand, and forget to let the shadow password
facilities be updated, thus I could not really use the group.  So if you
edit by hand, make sure to do the 'grpconv' command, so that shadow
passwords are updated.

HTH,
Tim
--
==============================================
== Timothy Klein || teece at silverklein.net   ==
== ---------------------------------------- ==
== "Hello, World" 17 Errors, 31 Warnings... ==
==============================================
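As an added example (not part of the original mail), a small Python model of the check described above: owner class first, then group, then other, with only the first applicable class consulted. The /etc/passwd line is the one from the mail; the /etc/group subset and the second test file are constructed.

```python
# Added example (not from the original mail): a model of the POSIX access
# check. Owner class first, then group, then 'other'; first match is final.
# Constructed sample data mirroring the mail's /etc/passwd and /etc/group.
PASSWD = "teece:x:1000:1000:Timothy C. Klein,,,:/home/teece:/bin/bash\n"
GROUP = "dialout:x:20:teece,silver13\nsrc:x:40:teece\nteece:x:1000:teece\n"

def parse_passwd(text):
    """Map login -> (uid, primary gid)."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, uid, gid, *_ = line.split(":")
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Map gid -> set of logins listed as supplementary members."""
    groups = {}
    for line in filter(None, text.splitlines()):
        _name, _pw, gid, members = line.split(":")
        groups[int(gid)] = {m for m in members.split(",") if m}
    return groups

def mode_from_ls(perm):
    """'crw-rw-r--' -> 0o664 (type char at position 0 is ignored;
    setuid/setgid/sticky markers are not modelled)."""
    bits = 0
    for ch in perm[1:10]:
        bits = (bits << 1) | (ch != "-")
    return bits

def can_access(login, perm, f_uid, f_gid, want, users, groups):
    """want is a subset of 'rwx'; True if every requested bit is set
    in the single class that applies (owner, else group, else other)."""
    uid, primary = users[login]
    gids = {primary} | {g for g, m in groups.items() if login in m}
    mode = mode_from_ls(perm)
    if uid == f_uid:
        cls = (mode >> 6) & 0o7
    elif f_gid in gids:
        cls = (mode >> 3) & 0o7
    else:
        cls = mode & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return cls & need == need

USERS, GROUPS = parse_passwd(PASSWD), parse_group(GROUP)
# teece writing /dev/ttyS0 (root:dialout, crw-rw-r--): owner fails, group grants.
print(can_access("teece", "crw-rw-r--", 0, 20, "w", USERS, GROUPS))  # True
# Constructed file teece owns, mode -r--rw----, group src: owner class applies
# and denies, even though the group class would have allowed the write.
print(can_access("teece", "-r--rw----", 1000, 40, "w", USERS, GROUPS))  # False
```

The second call shows why the owner check cannot be "looked past": membership in a group never overrides the owner class once the uid matches.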