Groups, gshadow etc
I have been researching a few things in regard to groups etc. with Linux and am having a hard time understanding the whole gpasswd/gshadow concept, so I have a few questions:
1) We have the ability to be added to more than a single group, so why would you want to change your default group to a different group?
2) Why password a group? I don't understand why someone would want to do this. Is it so that you can give users the ability to add other users to a group, and to do this they need the password to add the user?
3) What's with Admins and Members in the gshadow directory? What's this all about?
I hope that someone can explain this to me. I have browsed google.com/linux, however I couldn't find a good example/understanding of the concepts.
Thanks for your help
1) To change the default permissions when you create a file. I may want all files I create to be in wheel so no one else on my system can read them except wheel members. Then again, I may want all users to be able to read them. In a multi-user system, this can save you quite a few chowns. 8)
2) If you don't want someone to be able to change his/her group id, you can password protect that group so that it cannot be changed to using newgrp without the password.
3) I don't really understand what you're saying here...there is no gshadow directory. :?
Hey, thanks for the info, that makes a load of sense. In regard to 1), just to make sure I understand: do you mean that when you create a file/dir it creates it for your default group only, and changing the default group allows you to create files/dirs for another group?
In regard to your answer to the second question, I don't understand that. Can you give an example? Because if they are part of a group, why should you password the group so they cannot set it as default?
I meant the gshadow file ;), the admin and members part of it. I don't get it, I don't understand the different parts; in the group file it just has members of the group...
Thanks for the reply
I know this thread is old, but it is unanswered, and it came up early in a google search... :-)
The bit about creating files is that the group ownership of the file is set to your current group. This will be the group listed in /etc/passwd when you log in, but you can change it (in your current shell, not permanently) to another group. You can't change your own default group (the one in the /etc/passwd file) - that can only be done by root. So suppose, for example, /etc/passwd has you in the "users" group, but /etc/group and /etc/gshadow have you in the wheel group. If you create a file immediately after login, that file will be owned by the "users" group. If you run "newgrp wheel", then create another file, that file will be owned by the "wheel" group, which presumably allows a different set of users to access it.
If you are listed in the group's members in /etc/gshadow, you can simply run "newgrp new_group_name". If you are not in that list, and there is a password in gshadow, you can run the newgrp command and enter the password when prompted. If you are not in that list and there is no password, or the password has been restricted (i.e. has a leading "!" in /etc/gshadow), then you cannot newgrp to that group. Again, these newgrp settings are temporary - they are lost as soon as you exit your shell. If you want to be in that new group again, you must run newgrp again.
The admin user(s) in the gshadow file can remove the password, can restrict the group only to people in the members list, and can add or delete users from the list. If there is no administrator listed in /etc/gshadow, then only root can make these changes.
The membership lists in /etc/group and /etc/gshadow should ideally follow each other. The list in /etc/group should be the same as the join of the administrators and members in /etc/gshadow. If the lists are different, odd things might happen (e.g. you may be able to change your group to a new one and create a file owned by that group, but then may not be able to read other files owned by that group even if they have group-read permission).
You can only make these changes on local users - LDAP or NIS users must be administered on the relevant servers.
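The following is an added worked example, not part of this thread or of any distribution's tooling. It parses small /etc/group and /etc/gshadow snippets, applies the newgrp rules stated in the answer above (listed member: no password needed; non-member with a password set: allowed after the password; non-member with an empty or "!"-locked password: denied), and runs the consistency check the answer recommends (the /etc/group member list should equal the administrators plus members from /etc/gshadow). The file contents, the users alice, bob, carol and dave, and the placeholder hash in the backup line are all constructed for the example; the four-field gshadow layout name:password:administrators:members is the real format. Administrators are not treated as members for newgrp, matching the answer's wording.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample of /etc/group (name:password:gid:members).
GROUP_SAMPLE = """\
root:x:0:
wheel:x:10:alice,bob
users:x:100:alice,bob,carol
backup:x:200:dave
"""

# Constructed sample of /etc/gshadow (name:password:administrators:members).
# wheel is locked with "!", users has no password, backup has a placeholder hash.
GSHADOW_SAMPLE = """\
root:::
wheel:!::alice,bob
users:::alice,bob,carol
backup:$6$constructed$placeholderhash:alice:carol
"""


@dataclass
class GroupEntry:
    name: str
    gid: int
    members: set[str]


@dataclass
class GshadowEntry:
    name: str
    password: str
    admins: set[str]
    members: set[str]


def _split_users(field_text: str) -> set[str]:
    # Comma-separated list; an empty field means nobody.
    return {u for u in field_text.split(",") if u}


def parse_group(text: str) -> dict[str, GroupEntry]:
    entries: dict[str, GroupEntry] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        entries[name] = GroupEntry(name, int(gid), _split_users(members))
    return entries


def parse_gshadow(text: str) -> dict[str, GshadowEntry]:
    entries: dict[str, GshadowEntry] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, admins, members = line.split(":", 3)
        entries[name] = GshadowEntry(name, pw, _split_users(admins), _split_users(members))
    return entries


def newgrp_access(user: str, group: str, gshadow: dict[str, GshadowEntry]) -> str:
    """Return 'member', 'password' or 'denied' according to the rules in the post."""
    entry = gshadow.get(group)
    if entry is None:
        return "denied"
    if user in entry.members:
        return "member"            # listed member: newgrp works without a password
    if entry.password == "" or entry.password.startswith("!"):
        return "denied"            # no password, or password locked with "!"
    return "password"              # non-member may newgrp after entering the password


def check_consistency(group: dict[str, GroupEntry], gshadow: dict[str, GshadowEntry]) -> list[str]:
    """Flag groups whose /etc/group member list differs from gshadow admins + members."""
    problems: list[str] = []
    for name, g in group.items():
        gs = gshadow.get(name)
        if gs is None:
            problems.append(f"{name}: in /etc/group but missing from /etc/gshadow")
            continue
        expected = gs.admins | gs.members
        if g.members != expected:
            problems.append(
                f"{name}: /etc/group members {sorted(g.members)} differ from "
                f"gshadow admins+members {sorted(expected)}"
            )
    for name in gshadow:
        if name not in group:
            problems.append(f"{name}: in /etc/gshadow but missing from /etc/group")
    return problems


if __name__ == "__main__":
    groups = parse_group(GROUP_SAMPLE)
    gshadow = parse_gshadow(GSHADOW_SAMPLE)
    for user, grp in [("alice", "wheel"), ("carol", "wheel"), ("dave", "users"), ("dave", "backup")]:
        print(f"newgrp {grp} as {user}: {newgrp_access(user, grp, gshadow)}")
    for problem in check_consistency(groups, gshadow):
        print("inconsistency:", problem)
```

In the sample, the backup group is the deliberately inconsistent one: /etc/group lists dave, while /etc/gshadow lists alice as administrator and carol as member, which is exactly the situation the answer warns produces odd behaviour.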