Linux Permission Assignments

wirestyle22

Book: "While many Unix-like systems assign regular users to a common group such as users, modern Linux practice is to create a unique, single-member group with the same name as the user.This makes certain types of permission assignments easier."

It doesn't clarify what it actually makes easier. Anyone have examples? Thanks!

scottalanmiller

I honestly don't know what it makes easier, either.

scottalanmiller

It's very common now. Only thing that I can imagine is that long ago the idea that "all users will want access to some universal stuff" got debunked and they removed it as "silly."

wirestyle22

A group with a single user would be the same thing as the user contained within the group, permissions wise...right? I don't see a reason to do this

wirestyle22

Added layer of security when disabling an account? Since the group gave all permissions, once it's removed even if someone accesses that account they still have no rights?

scottalanmiller

@wirestyle22 said in Linux Permission Assignments:

A group with a single user would be the same thing as the user contained within the group, permissions wise...right? I don't see a reason to do this

Well, my guess is that it is to keep people from granting silly group permissions by accident or default.

scottalanmiller

@wirestyle22 said in Linux Permission Assignments:

Added layer of security when disabling an account? Since the group gave all permissions, once it's removed even if someone accesses that account they still have no rights?

No, that would be the same. It's defaults, I'm pretty sure, that matter.

wirestyle22

@scottalanmiller said in Linux Permission Assignments:

@wirestyle22 said in Linux Permission Assignments:

Added layer of security when disabling an account? Since the group gave all permissions, once it's removed even if someone accesses that account they still have no rights?

No, that would be the same. It's defaults, I'm pretty sure, that matter.

which is referring to the world correct?

jrc

To me a group is a collection of a certain type of user and is then used to streamline permissions to certain resources. EG Instead of giving read permission to Cathy, Joan and Frank, you can just create a group with them in it, and give that group read permission thereby simplifying your job.

I cannot for the life of me think why you would want a single user group with the same name as the user in it. Are there permissions that can only be assigned to a group rather than directly to the user?

What am I missing here?

wirestyle22

@jrc said in Linux Permission Assignments:

I cannot for the life of me think why you would want a single user group with the same name as the user in it. Are there permissions that can only be assigned to a group rather than directly to the user?
What am I missing here?

You're right where I am. I have no idea.

jrc

@wirestyle22

Yeah, it seems like an extra step that just complicates and confuses things.

Romo

They do have a reason to exist, they are called User Private Groups and they are better explained here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-users-groups-private-groups.html

Another explanation:
https://security.ias.edu/how-and-why-user-private-groups-unix

scottalanmiller

@wirestyle22 said in Linux Permission Assignments:

@scottalanmiller said in Linux Permission Assignments:

@wirestyle22 said in Linux Permission Assignments:

Added layer of security when disabling an account? Since the group gave all permissions, once it's removed even if someone accesses that account they still have no rights?

No, that would be the same. It's defaults, I'm pretty sure, that matter.

which is referring to the world correct?

I don't know what you mean. World and groups are not the same at all.

stacksofplates

@jrc said in Linux Permission Assignments:

To me a group is a collection of a certain type of user and is then used to streamline permissions to certain resources. EG Instead of giving read permission to Cathy, Joan and Frank, you can just create a group with them in it, and give that group read permission thereby simplifying your job.

I cannot for the life of me think why you would want a single user group with the same name as the user in it. Are there permissions that can only be assigned to a group rather than directly to the user?

What am I missing here?

Setgid creates group specific permissions for files in the directory with setgid turned on.

Having a group id also lets you do things like have root own a file and be able to modify it but let apache and only apache read it.

Edit: I see Romo beat me to it with the links. I didn't read them until just now.