Different UNIX operating systems implement the group concept in various ways. Fedora uses a scheme called UPG, the user private group, in which all users are assigned to a group with their own name by default. (The user's username and group name are identical.) All the groups are listed in the /etc/group file. Here is a partial list of a sample /etc/group file:
# cat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
dovecot:x:97:
...
postdrop:x:90:
postfix:x:89:
andrew:x:500:
In this example, there are a number of groups, mostly for services (mail, ssh, and so on) and devices (CD-ROM, disk, and so on). As previously mentioned, the system services groups enable those services to have ownership and control of their files. For example, adding postfix to the mail group, as shown previously, enables the postfix application to access mail's files in the manner that mail would decide for group access to its file. Adding a regular user to a device's group permits the regular user to use the device with permissions granted by the group owner. Adding user andrew to the group cdrom, for example, would allow andrew to use the CD drive. You learn how to add and remove users from groups in the next section.
Fedora provides several command-line tools for managing groups as well as graphical tools. Many experienced sysadmins prefer the command-line tools because they are quick and easy to use and they can be included in scripts if the sysadmin desires to script a repetitive task. Here are the most commonly used group management command-line tools:
► groupadd — This command creates and adds a new group.
► groupdel — This command removes an existing group.
► groupmod — This command changes a group name or GID, but doesn't add or delete members from a group.
► gpasswd — This command creates a group password. Every group can have a group password and an administrator. Use the -A argument to assign a user as group administrator.
► useradd -G — The -G argument adds a user to a group during the initial user creation. (More arguments are used to create a user.)
► usermod -G — This command enables you to add a user to a group as long as the user is not logged in at the time.
► grpck — A command for checking the /etc/group file for typos.
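As an added example (not code from the book), here is a small Python parser for the /etc/group format shown above, with a lookup of a user's supplementary groups and a few grpck-style consistency checks; the group lines it works on are constructed sample data, not a real system's file.

```python
from collections import Counter

# Constructed sample in the /etc/group format (name:password:GID:members).
# The last three lines carry deliberate defects of the kind grpck reports.
SAMPLE_GROUP = """\
root:x:0:root
cdrom:x:11:andrew
dvdrw:x:501:vanessa,andrew
andrew:x:500:
vanessa:x:501:
dvdrw:x:502:
postfix:x:89
wheel:x:1O:andrew
"""

def parse_group(text):
    """Return one dict per well-formed line: name, gid (string), members."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4:  # malformed lines are reported by find_problems()
            continue
        name, _password, gid, members = fields
        entries.append({"name": name, "gid": gid,
                        "members": [m for m in members.split(",") if m]})
    return entries

def groups_of(text, user):
    """Supplementary groups that list `user` as a member. The user's private
    (UPG) group is the primary group from /etc/passwd, so it need not appear."""
    return sorted(e["name"] for e in parse_group(text) if user in e["members"])

def find_problems(text):
    """grpck-style checks: field count, numeric GID, duplicate names and GIDs."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 4:
            problems.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
        elif not fields[2].isdigit():
            problems.append(f"line {lineno}: invalid GID {fields[2]!r}")
    entries = parse_group(text)
    for name, n in Counter(e["name"] for e in entries).items():
        if n > 1:
            problems.append(f"duplicate group name {name!r}")
    for gid, n in Counter(e["gid"] for e in entries).items():
        if n > 1:
            problems.append(f"duplicate GID {gid}")
    return problems
```

Run `find_problems(open("/etc/group").read())` on a real file to get the same kind of report grpck gives, without modifying anything.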
As an example, imagine that there is a DVD-RW device (/dev/scd0) on the computer to which the sysadmin wants a regular user named vanessa to have access. To grant vanessa that access, he would use these steps:
1. Add a new group with the groupadd command:
# groupadd dvdrw
2. Change the group ownership of the device to the new group with the chgrp command:
# chgrp dvdrw /dev/scd0
3. Add the approved user to the group with the usermod command:
# usermod -G dvdrw vanessa
4. Make user vanessa the group administrator with the gpasswd command so that she can add new users to the group (gpasswd takes the group name as its final argument):
# gpasswd -A vanessa dvdrw
Now, the user vanessa has permission to use the DVD-RW drive, as would anyone else added to the group by the super user or by vanessa, because she is now also the group administrator and can add users to the group.
The sysadmin can also use the graphical interface that Fedora provides, as shown in Figure 10.2. It is accessed as the Users and Groups item from the System Settings menu item.
FIGURE 10.2 Just check the box to add a user to a group.
You will note that the full set of group commands and options are not available from the graphical interface, limiting the usefulness of the GUI to a subset of the most frequently used commands. You learn more about using the Fedora User Manager GUI in the next section.
You've read about users previously, but this section examines how the sysadmin can manage the users. Users must be created, assigned a UID, provided a home directory, provided an initial set of files for their home directory, and assigned to groups so that they can use the system resources securely and efficiently. The system administrator might elect to restrict a user's access not only to files, but to the amount of disk space they use as well. (You learn more about that in the "Disk Quotas" section later in this chapter.)
Fedora provides several command-line tools for managing users, as well as graphical tools. Many experienced sysadmins prefer the command-line tools because they are quick and easy to use and they can be included in scripts if the sysadmin wants to script a repetitive task. Here are the most commonly used commands for managing users:
► useradd — This command is used to add a new user account to the system. Its options permit the sysadmin to specify the user's home directory and initial group or to create the user with the default home directory and group assignments.
► useradd -D — This command sets the system defaults for creating the user's home directory, account expiration date, default group, and command shell. See the specific options in man useradd. Used without any arguments, it displays the defaults for the system. The default set of files for a user is found in /etc/skel.
NOTE
The set of files initially used to populate a new user's home directory is kept in /etc/skel. This is convenient for the system administrator because any special files, links, or directories that need to be universally applied can be placed in /etc/skel and will be duplicated automatically with appropriate permissions for each new user.
# ls -al /etc/skel
total 60
drwxr-xr-x 4 root root 4096 2007-10-21 19:58 .
drwxr-xr-x 112 root root 12288 2007-10-22 20:40 ..
-rw-r--r-- 1 root root 33 2007-08-31 15:20 .bash_logout
-rw-r--r-- 1 root root 176 2007-08-31 15:20 .bash_profile
-rw-r--r-- 1 root root 124 2007-08-31 15:20 .bashrc
drwxr-xr-x 2 root root 4096 2007-10-17 17:52 .gnome2
Each line provides the file permissions, the number of files housed under that file or directory name, the file owner, the file group, the file size, the creation date, and the filename.
As you can see, root owns every file here, but the adduser command (a symbolic link to the actual command named useradd) copies everything in /etc/skel to the new home directory and resets file ownership and permissions to the new user. Certain user files might exist that the system administrator does not want the user to change; the permissions for those files in /home/username can be reset so that the user can read them but can't write to them.