I'd like to know the meaning of groups in Linux

User808
10th October 2017, 08:46 PM
Hi.

After 1 year & a few months of being a Linux user on Fedora, I feel ready now to go deeper into Linux. A step on this road is knowing the meaning of the groups that already exist on Fedora Linux. I mean the following:

Go to System Settings, under Administration select "Users & Groups". In the "Groups" tab there are many groups ... I need to know: what does each of them mean, & what is the result of adding a user to each of them or removing a user from any of them?

Is there a document or link that explains them?

Best.

flyingdutchman
11th October 2017, 03:43 AM
First consider that UNIX is a multi-user system. There may be many people using the same computer and we don't want them to step on each other's toes.

Users and groups are a basic UNIX divide-and-conquer security strategy. It is managed at the file system access level. There are also two more powerful, very similar systems in use, called Access Control Lists (ACL) and SELinux/AppArmor, that work at the kernel level.

Between all these things, users and processes are kept separated. The upshot is that if one user/group account gets compromised, then the damage is limited.

HaydnH
11th October 2017, 11:59 AM
Further to the above: if you run "ls -l" in a terminal you'll see that files have 2 types of owners, a user and a group ownership. They'll also have permissions expressed as a string like rwxr-x--- or similar. These permission strings are split into 3 permission blocks of 3 characters: "user, group, other". Using rwxr-xr-- as an example:

- the first 3 characters (rwx) denote what the user (the person who owns the file) can do with that file, in this case rwx means they can read, write and execute the file.

- the next 3 characters (r-x) denote what users in the owner group can do with the file, in this case read and execute, but they can't modify/write the file. So the file could be owned by both user "bob" and the group "finances", users who aren't bob but are in the finances group would be able to read/execute the file which could be useful for running a payInvoice script or similar.

- the last 3 characters are for other users who are neither the owner nor in the group. In this case they can't read, write or execute the script; we wouldn't want them reading it and getting the accounts software login details, for example.
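
As an added example (not code from any post in this thread), here is the user/group/other rule from the explanation above written out as a small Python function and applied to the rwxr-xr-- file owned by bob and the finances group; the user and group names are the ones from the post, the function names are mine.

```python
# Added example (not from any post in this thread): the user/group/other
# rule from the explanation above, as the kernel applies it to a plain file.
# Names (bob, finances, payInvoice) are the ones used in the post.
from typing import Dict, Set

COLUMN = {"r": 0, "w": 1, "x": 2}  # position of each right inside a 3-char block


def parse_mode(mode: str) -> Dict[str, str]:
    """Split 'rwxr-xr--' into its user, group and other blocks."""
    if len(mode) != 9:
        raise ValueError("expected a 9-character mode string such as rwxr-xr--")
    return {"user": mode[0:3], "group": mode[3:6], "other": mode[6:9]}


def can_access(who: str, groups: Set[str], owner: str, group: str,
               mode: str, want: str) -> bool:
    """Can `who` (a member of `groups`) do `want` ('r', 'w' or 'x') to a file
    owned by owner:group with permission string `mode`?

    Exactly one block is consulted: the user block if `who` owns the file,
    otherwise the group block if `who` is in the file's group, otherwise the
    other block. There is no fall-through: an owner whose user block is ---
    is refused even when the group block would allow it. (root is exempt
    from the read/write part of this check, which is why the thread keeps
    coming back to wheel, sudo and the root password.)
    """
    blocks = parse_mode(mode)
    if who == owner:
        chosen = blocks["user"]
    elif group in groups:
        chosen = blocks["group"]
    else:
        chosen = blocks["other"]
    flag = chosen[COLUMN[want]]
    if want == "x":
        # 's' / 't' mean setuid/setgid/sticky *with* execute; 'S' / 'T' without
        return flag in "xst"
    return flag == want


if __name__ == "__main__":
    # payInvoice owned by bob:finances with mode rwxr-xr--, as in the post
    people = {"bob": {"bob"}, "alice": {"alice", "finances"}, "carol": {"carol"}}
    for name, grps in people.items():
        allowed = [r for r in "rwx" if can_access(name, grps, "bob", "finances", "rwxr-xr--", r)]
        print(f"{name:6s} may: {''.join(allowed) or '-'}")
```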

ocratato
11th October 2017, 12:31 PM
I found this article that explains users and groups quite well:
https://www.linode.com/docs/tools-reference/linux-users-and-groups

tech291083
11th October 2017, 01:45 PM
I found this article that explains users and groups quite well:
https://www.linode.com/docs/tools-reference/linux-users-and-groups

one of the easiest to understand articles for people new to the concept of permissions in Linux, many thanks indeed.

lsatenstein
11th October 2017, 05:34 PM
Fedora includes a group titled "users". I can join that group. My wife's the other user. She can also become a member of "users". For files that we want to share with each other, I have the admin set those files to the users group.

sudo chown Leslie:users sharedObject. Both Leslie and Wife are also enrolled in users for this to work.

Look at /etc/group.

flyingdutchman
11th October 2017, 05:44 PM
Leslie, if you make a directory called shared (or whatever) in your or your Wife's home directory and set the sticky bit on that directory and set the group of the directory to users, then any file copied there will inherit the users group and will be accessible by both of you. That may save you some hassle.

User808
11th October 2017, 09:42 PM
Many thanks to all of you who posted in this thread.

But I think you misunderstood me! My original question is:

I have, by default, the following groups on my system: see the 4 attached screenshots please.

What does each of these groups mean? What is the result of adding a user to each of them? What is the result for a user who is not a member of each of them? This is my question. For example:

There is a group called "lock". So, what does this group mean? What is the result for a user if added to it? What is the result for a user removed from it or not being a member of this group?

Best.

dd_wizard
11th October 2017, 10:16 PM
Scroll down near the bottom of this archlinux wiki (https://wiki.archlinux.org/index.php/users_and_groups) for some of them. Sometimes you need to be a member to get an app to work correctly. VirtualBox USB devices are one example. Of course, you need to be in wheel to run sudo.

dd_wizard

sidebrnz
12th October 2017, 01:28 AM
OK, nobody here has come close to answering the question, so I'll give it a try. Let's say that you were working on an old-time Unix mainframe, along with the rest of the people in your office, and that you were working in accounting. If things were set up correctly, you would be a member of a group called "accounts," although you'd probably be a member of other groups as well. Now, the important accounting files would probably be owned by your department head, and by the accounts group, and anybody in that group would have read/write access to those files. That would mean that anybody in that group could use the files as if they owned them, and you wouldn't have to worry about syncing different copies. That's how groups were designed to be used. (In fact, there was a time when you could only be active in one group at a time, and if accounts weren't your main group, you'd have to newgrp to it in order to work on those files.)

Now, however, most people are only working on files on their own box, and groups aren't important unless you have more than one regular user on that computer. Groups are still used, however, not just for historical reasons, but to limit the people who have access to certain files or programs. Each user has their own group, with their username as the group name for convenience, and can also be members of other groups as needed. (As mentioned above, if you need to use sudo, you need to be a member of the group "wheel.") If you want to see what groups you're a member of, just run the command groups in a terminal. If you find that you need to be a member of a special group to run a program (I have boinc running for distributed computing, as an example), you either need to edit /etc/group as root to add yourself to that group, or use a GUI application such as system-config-users, which also requires root, to make the change.
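
An added example, not from sidebrnz's post or any Fedora tool: how the output of the groups command follows from /etc/passwd and /etc/group, and what "add yourself to that group in /etc/group" actually changes on the line. The user name, gids and file contents are constructed for the example.

```python
# Added example (not from sidebrnz's post or any Fedora tool): how `groups`
# derives its answer from /etc/passwd and /etc/group. File contents are constructed.
from typing import Dict, List, Set, Tuple

PASSWD = """\
leslie:x:1000:1000:Leslie:/home/leslie:/bin/bash
"""
GROUP = """\
root:x:0:
wheel:x:10:
users:x:100:
leslie:x:1000:
"""

def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """name -> (gid, supplementary members) from 'name:x:gid:m1,m2' lines."""
    table = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            table[name] = (int(gid), {m for m in members.split(",") if m})
    return table

def primary_gid(user: str, passwd: str) -> int:
    """The gid field of the user's /etc/passwd entry (their primary group)."""
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) > 3 and fields[0] == user:
            return int(fields[3])
    raise KeyError(f"no passwd entry for {user}")

def groups_of(user: str, passwd: str, group: str) -> List[str]:
    """What `groups` prints: primary group first, then every group whose member list names the user."""
    table = parse_group(group)
    gid = primary_gid(user, passwd)
    primary = [n for n, (g, _) in table.items() if g == gid]
    extra = sorted(n for n, (g, m) in table.items() if user in m and g != gid)
    return primary + extra

def add_to_group(user: str, group_name: str, group: str) -> str:
    """Return /etc/group text with `user` appended to `group_name`'s member list (the edit usermod -aG makes)."""
    out = []
    for line in group.splitlines():
        f = line.split(":", 3)
        if len(f) == 4 and f[0] == group_name and user not in f[3].split(","):
            f[3] = ",".join(filter(None, f[3].split(",") + [user]))  # skip the empty member
            line = ":".join(f)
        out.append(line)
    return "\n".join(out) + "\n"
```

Before the edit leslie's only group is her own; after appending her login to the wheel line she would also pass the wheel check that sudo relies on.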

User808
12th October 2017, 06:11 AM
Scroll down near the bottom of this archlinux wiki (https://wiki.archlinux.org/index.php/users_and_groups) for some of them. Sometimes you need to be a member to get an app to work correctly. VirtualBox USB devices are one example. Of course, you need to be in wheel to run sudo.

dd_wizard

Thank you very much for this link!! It answered most of them.

Let's go now to my target: I was thinking of a group such that when a user is added to it, they will have no permission rights (being minimal & having no root power, neither su nor sudo).

Can the "nobody" group do this?? In your link there is no explanation about this. I searched the Internet & got links saying something good but not in detail.

Let me explain further. Please look at this link:
https://www.forums.fedoraforum.org/showthread.php?t=313858

I'd like to simplify the above guide to the minimum, if possible. It depends on creating a user account without su, sudo or GUI root access abilities, & with GNOME Software not accessible to it.

1) When adding a new user on Fedora, by default it has no sudo power because by default it is not added to the wheel group, so this is O.K.

2) but by default this new user account has su power. I have to edit a system file by uncommenting a line (removing the #), see the guide. It is a simple step, but if the user makes a mistake they can destroy their system, & on upgrading Fedora to the next version it will be undone & the user will need to re-perform this step.

3) the new user account, even after performing the step of editing the system file that blocks su, though it now has neither sudo nor su power, is still able to gain root via certain applications through the GUI, like firewalld for example. I have to perform a special step to block that on a special package.

4) also, the new user account, even if you perform the step that disables su, & thus has neither sudo nor su any more, is still able to use GNOME Software center.

So, what will happen if I add a new user account (that by default has no sudo but has su & root access via GUI) to the "nobody" group??

Does adding it to the "nobody" group make it impossible to use su from the shell (terminal) of this new user, without needing to edit a Fedora system file? Will this make it unable to gain root power via the GUI? Will it still be able to use GNOME Software center?

In brief, can adding a new user to "nobody" let me avoid steps (2), (3), & (4)?

Best.

flyingdutchman
12th October 2017, 07:56 AM
Groups don't have special powers. They are merely file system attributes that are checked by the kernel before opening a file.

If a file belongs to a certain group and you don't, then you cannot read that file. Simple as that.


As I mentioned above, there are also ACLs and SELinux which are like groups on steroids.

It may take you a while to wrap your head around it, but don't let it worry you too much.

sidebrnz
12th October 2017, 08:03 AM
One mistake in your most recent post: su is set to be executable by anybody, but you need to know the password for the account you're switching to. As an example, I'm not in the wheel group on any computer I own, so I can't use sudo. That's fine, because I'm the person who installed Linux, I know the root password because I'm the person who set it, and I can use su whenever I want.

And, to answer part of your most recent question, if you don't want somebody messing with system files don't put them in the wheel group and don't tell them the root password.

User808
12th October 2017, 11:20 AM
One mistake in your most recent post: su is set to be executable by anybody, but you need to know the password for the account you're switching to. As an example, I'm not in the wheel group on any computer I own, so I can't use sudo. That's fine, because I'm the person who installed Linux, I know the root password because I'm the person who set it, and I can use su whenever I want.

And, to answer part of your most recent question, if you don't want somebody messing with system files don't put them in the wheel group and don't tell them the root password.

Hi. My aim is to overcome viruses that target Linux via WineHQ. These viruses try to take root power, so they try to break passwords, including the su password, without me needing to tell them this password. I'm the only user on my PC but I use groups to isolate Wine. My su password is very very very long & complex, but I'm searching for maximum security & have already achieved this via the guide that I linked to you in my previous post, but I'm trying to simplify it for people .......

HaydnH
12th October 2017, 11:38 AM
I'm the only user on my PC but I use groups to isolate Wine.

You may be interested to read up on a "chroot jail", it would lock down the Wine more than using groups. Even if the user/group privileges are escalated somehow, Wine can't write outside the chroot jail. Obviously using a VM is another option.

topiwala
12th October 2017, 12:31 PM
I would prefer firejail over using groups etc.

flyingdutchman
12th October 2017, 01:18 PM
Paranoid much? In my experience WINE viruses are not really a problem.

User808
12th October 2017, 04:59 PM
@topiwala
2 problems with firejail:

1) not available in either the Fedora repositories or the RPMFusion repositories. Only in Copr. Why such a great application is not available, I do not understand!

2) I do not use Wine only for games. I use it for a PDF editor & IrfanView. So, does isolating (sandboxing) such applications with firejail allow them to still be productive? If IrfanView is isolated by firejail, will it still be able to handle & edit images?

@flyingdutchman
I'm a very unlucky man in my life, & I expect the bad things that are rare & uncommon to fall on me like a rain of stones over my head! This is what is called bad luck! I'm of that type ...

topiwala
12th October 2017, 06:15 PM
I agree not having it in official repos is a problem, but I use this solution:

a- I compile it. It is easy compared to other programs.
b- to keep myself updated I use an RSS feed. The Firejail page has an Atom feed.

As for the second problem, I haven't used those programs.

Nowadays I do not even install wine.

User808
12th October 2017, 06:56 PM
I agree not having it in official repos is a problem, but I use this solution:

a- I compile it. It is easy compared to other programs.
b- to keep myself updated I use an RSS feed. The Firejail page has an Atom feed.

As for the second problem, I haven't used those programs.

Nowadays I do not even install wine.

WineHQ & Anbox are 2 great tools! Wine makes you able to use Windows applications on Linux. If you observe the change log of wine, you will see that versions 2+ started to add very important features, so version 3 will be very good. I suspect that version 4 in 2019 will be excellent.

Regarding anbox:

https://anbox.io

it is still alpha. It enables you to run Android applications on Linux in an extraordinary way! It is secure by default!

No other OS is like Linux in its elasticity!

topiwala
12th October 2017, 07:16 PM
My experience with wine was "difficult".

I use a virtual machine if needed, like for scanning or the Android SDK. I will look into anbox.

For the most part I am exclusively a Linux user.

User808
12th October 2017, 07:53 PM
My experience with wine was "difficult".

I use a virtual machine if needed, like for scanning or the Android SDK. I will look into anbox.

For the most part I am exclusively a Linux user.

Regarding Anbox, please beware that currently there is something you should download & install manually to install Anbox on Fedora; read their forum or bug tracker, I do not remember exactly .... Testing it on Debian is better, I think .... It is still ALPHA!

I'm like you, mostly a Linux user now! But games! There are very nice Windows games not available on Linux ......

lsatenstein
12th October 2017, 10:12 PM
Hi User808
Everyone has access to the su command.

Only a reckless administrator or an administrator with poor Linux/security knowledge will give that user the root password.

Once that user is given the root password, he can edit /etc/group and add his login to the wheel group.
That is why we allow sudo. And yes, with sudo you do not have to give total system access. You can even manage printing, file allocation, and commands that you want to remain privileged.

User808
12th October 2017, 11:13 PM
Hi User808
Everyone has access to the su command.

This is bad! FreeBSD does not allow this. I think every new user added should by default have no sudo and no su powers + be unable to gain root from within any GUI including GNOME Software.

sidebrnz
12th October 2017, 11:46 PM
Why is it bad? Just having access to su doesn't give you access to root because you still need to know root's password. And, although you can also use su to become some other user, you still need that user's password. Also, in Fedora (and I think Ubuntu) only the first user you create is added to wheel by default. If you don't want anybody else to have access to root, don't add them to wheel and don't tell them the root password.

User808
13th October 2017, 05:44 AM
Why is it bad? Just having access to su doesn't give you access to root because you still need to know root's password. And, although you can also use su to become some other user, you still need that user's password. Also, in Fedora (and I think Ubuntu) only the first user you create is added to wheel by default. If you don't want anybody else to have access to root, don't add them to wheel and don't tell them the root password.

What will be the case if a Wine-dependent virus has a built-in tool for spontaneous password generation & thus will try to crack the su password? This is what I am concerned about.

Let's return to the topic of this thread. Has anyone used the "nobody" group & knows more about what happens to a user added to this group?

sidebrnz
13th October 2017, 06:24 AM
Once that user is given the root password, he can edit /etc/group and add his login to the wheel group.

True, but why bother? Once you have the root password, you don't need sudo. As an example, the only reason I have it installed on my computer is that there are packages that need it, because I certainly don't. Whenever I need root, I use su.