Reasons behind the default groups and users on Linux

Per-user groups

I too don't see a lot of utility in per-user groups. The main use case is if a user wanted to allow "friends" access to their files, they can have the friend user added to their group. Few systems I've encountered actually use it this way.

When USERGROUPS_ENAB in /etc/login.defs is set to "no", useradd adds all the created users to the group defined in /etc/default/useradd by the GROUP field. On most distributions, this is set to the GID 100, which usually corresponds to the users group. This does allow you to have a more generic management of users. Then, if you need finer control, you can manually add these groups and add users to them that make sense.

Default created groups

Most of them came about for historical reasons, but many still have valid uses today:

  • disk is the group that owns most disk drive devices
  • lp owns the parallel port (and sometimes is configured for admin rights on CUPS)
  • uucp often owns serial ports (including USB serial ports)
  • cdrom is required for mounting privileges on a CD drive
  • Some systems use wheel for sudo rights; some do not
  • etc.

Other groups are used by background scripts. For example, man generates temp files and such when it's run; its process uses the man group for some of those files and generally cleans up after itself.


According to the Linux Standard Base Core Specification, though, only 3 users (root, bin and daemon) are absolutely mandatory. The rationale behind the other groups is:

The purpose of specifying optional users and groups is to reduce the potential for name conflicts between applications and distributions.

So it looks as if it is better to keep these groups in place. It's theoretically possible to remove them without breakage, although for some, "mysterious" things may start to not work right (e.g., some man pages not rendering if you kill that group, etc.). It doesn't do any harm to leave them there, and it's generally assumed that all Linux systems will have them.
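The first answer's two knobs, USERGROUPS_ENAB in /etc/login.defs and GROUP in /etc/default/useradd, decide whether a new account lands in a private group or a shared one. The script below is an added example, not code from the answer or from shadow-utils: it reads both files and reports the policy useradd would apply. File paths are parameters so it can run against constructed sample files rather than the live system; the fallback to GID 100 when GROUP is unset, and treating a missing USERGROUPS_ENAB as "no", are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the answer above): report the primary-group policy
# useradd will apply, from login.defs-style and default/useradd-style files.

# Value of KEY in a login.defs-style file ("KEY VALUE", '#' comment lines).
defs_value() {  # usage: defs_value FILE KEY
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Value of KEY in a /etc/default/useradd-style file ("KEY=VALUE").
kv_value() {  # usage: kv_value FILE KEY
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | head -n 1
}

# Print "per-user" when USERGROUPS_ENAB is yes (each new user gets a private
# group), otherwise "shared:<GID>" using GROUP from the useradd defaults.
# Assumptions: a missing USERGROUPS_ENAB counts as "no"; a missing GROUP falls
# back to 100, the value the answer says most distributions use.
default_group_policy() {  # usage: default_group_policy LOGIN_DEFS USERADD_DEFAULTS
    enab=$(defs_value "$1" USERGROUPS_ENAB | tr 'A-Z' 'a-z')
    if [ "$enab" = "yes" ]; then
        echo "per-user"
    else
        gid=$(kv_value "$2" GROUP)
        echo "shared:${gid:-100}"
    fi
}

# Write constructed sample files into DIR: one login.defs mimicking a
# per-user-group distribution, one mimicking the "everyone in users" setup,
# and one useradd defaults file shared by both.
make_samples() {  # usage: make_samples DIR
    printf '# constructed sample\nUSERGROUPS_ENAB yes\nUMASK 022\n' > "$1/login.defs.peruser"
    printf '# constructed sample\nUSERGROUPS_ENAB no\nUMASK 022\n'  > "$1/login.defs.shared"
    printf '# constructed sample\nGROUP=100\nHOME=/home\nSHELL=/bin/sh\n' > "$1/useradd.defaults"
}

demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    echo "per-user distro:  $(default_group_policy "$dir/login.defs.peruser" "$dir/useradd.defaults")"
    echo "shared-group box: $(default_group_policy "$dir/login.defs.shared" "$dir/useradd.defaults")"
    rm -rf "$dir"
}

demo
```

To check a real machine, call default_group_policy /etc/login.defs /etc/default/useradd; a "shared:" result means every account created from now on will share a primary group unless useradd is run with -U or -g.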


Question 1: Reasoning for Same User and Group

Hello, I'm ecyoung and you're horgix. We go to work every day and log in to the same Linux server as programmers. One day, not long ago, our system admin decided to make user creation and maintenance easier on himself, so he turned off the USERGROUPS_ENAB option and put all the existing users in the new users group.


This did make user creation easier, but not maintenance, you see, because all users can access all the other users' files. In a corporate setting this is a big no-no due to things like Sarbanes-Oxley and Segregation of Duties. If I create File A, the group bit is set to the users group, which means that all users can at least read File A. If the sys admin is lazy, then in some cases all users can RW File A. This defeats Sarbanes-Oxley and SoD because separate departments should not be able to read, much less write, any other person's document.


With User/Group enabled if I create a document as ecyoung then only I have rwx rights to it. Since no one else is in my group, when they open my document they see a blank page with a warning. This enforces Sarbanes-Oxley and SoD. If I invite other users, those users are allowed rw access, and by doing so I know that what they see won't come back to bite me or them. As others have said, if at home, that separation may not be important to you. If you determine that, then you can safely turn the option off and all users will be added to a users group with a GID of 100. See Question 2 below.

Hypothetical:
You work in IT and Louis works in Payroll. Louis keeps the tax and payroll sheet in her home directory, but you are both in the users group, so you open her home directory because it's marked +r for users and find her spreadsheet. You find your salary amount listed, along with Joe's and Fred's. Do you think Joe and Fred would like you knowing their salary?


Question 2: Group IDs 0 through 500

Group IDs, and conversely User IDs, 0-500 are reserved for system accounts and device access. See the Pre-Configured system groups table for the list of standard accounts. Please do not remove these accounts by hand. For example, if you want to remove the user ftp, remove the ftp daemon with your package management system. Doing so will also remove the system account. System services include but are not limited to:

  • The CUPS Printing Service
  • The MySQL Server Daemon
  • The FTP Server Daemon
  • The Apache Web Server
  • The X Server Socket for Remote Connections
  • The ALSA Sound System Daemon
  • The DBUS Service

There are others, so if other readers want to add or remove from the Service list above, please do so.
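The hypothetical in the answer above (everyone in the users group, a home directory marked +r for that group) is something an administrator can check for rather than wait to discover. The script below is an added example, not the answer's own code: it walks a passwd-style file and lists each account whose primary GID is the shared group and whose home directory grants group read. The passwd entries, directory modes and the temporary root prefix are constructed for the demo; the user names ecyoung, horgix and louis are borrowed from the answer's story and nothing about them beyond that is implied.

```sh
#!/bin/sh
# Added example (not from the answer above): find accounts whose primary
# group is the shared GID and whose home directory is group-readable.

# Print "user:home:mode" for each account in PASSWD whose GID equals
# SHARED_GID and whose home directory (looked up under ROOT) grants group
# read. Assumption: ROOT is a prefix prepended to the home path so the demo
# can use a throwaway tree instead of the real /home.
group_readable_homes() {  # usage: group_readable_homes PASSWD SHARED_GID ROOT
    while IFS=: read -r user _pw _uid gid _gecos home _shell; do
        [ "$gid" = "$2" ] || continue          # not in the shared group: skip
        dir="$3$home"
        [ -d "$dir" ] || continue              # no home directory: nothing to read
        mode=$(ls -ld "$dir" | cut -c1-10)     # e.g. drwxr-x---
        case "$(printf '%s' "$mode" | cut -c5)" in   # 5th char is the group r bit
            r) echo "$user:$home:$mode" ;;
        esac
    done < "$1"
}

# Build a constructed tree under DIR: a passwd file plus home directories with
# deliberately different modes. dbadmin has a private primary group (1004),
# so it must not be reported even though its home is world-readable.
make_demo_tree() {  # usage: make_demo_tree DIR
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ecyoung:x:1001:100:ecyoung:/home/ecyoung:/bin/sh
horgix:x:1002:100:horgix:/home/horgix:/bin/sh
louis:x:1003:100:louis:/home/louis:/bin/sh
dbadmin:x:1004:1004:dbadmin:/home/dbadmin:/bin/sh
EOF
    mkdir -p "$1/root" "$1/home/ecyoung" "$1/home/horgix" "$1/home/louis" "$1/home/dbadmin"
    chmod 700 "$1/root" "$1/home/horgix"     # horgix did it right
    chmod 755 "$1/home/ecyoung" "$1/home/dbadmin"
    chmod 750 "$1/home/louis"                # the payroll sheet's directory: +r for group
}

demo() {
    d=$(mktemp -d)
    make_demo_tree "$d"
    echo "home directories readable by members of GID 100:"
    group_readable_homes "$d/passwd" 100 "$d"
    rm -rf "$d"
}

demo
```

On a live system the same function runs as group_readable_homes /etc/passwd 100 "" (an empty ROOT means real paths). Each reported account is one where the answer's "open her home directory" scenario is possible; the fix is chmod 750 or 700 on the home, or moving the user to a private primary group.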


If we all share a default group, like in the old days, then we need to set our umask to 077 to block the group. If the default is me, then I can set the umask to 027; now, if I set a directory or file to a shared group, this group can read. I don't have to mess about with modes as well.

This is just one example, but in general it is a way to disable groups, until you need them, in a way that makes them easier to turn on and manage.
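The answer above rests on what a new file's mode looks like under umask 077 versus 027. The script below is an added example, not the answer's code: it creates files and directories in a throwaway directory under each umask and reports the resulting mode and what the group can do, so the trade-off (077 needed when the default group is shared, 027 sufficient when it is private) can be seen rather than taken on faith. It uses ls -l and cut so it works on any POSIX system; the helper names are this example's own.

```sh
#!/bin/sh
# Added example (not from the answer above): show the mode a new file or
# directory gets under a given umask, and classify what the group may do.

# Create FILE in a subshell running with UMASK and print its 10-character
# mode string (e.g. -rw-r-----). The subshell keeps the umask change local.
mode_under_umask() {  # usage: mode_under_umask UMASK FILE
    ( umask "$1" && : > "$2" ) || return 1
    ls -ld "$2" | cut -c1-10
}

# Same for a directory; mkdir honours umask too, starting from 777.
dir_mode_under_umask() {  # usage: dir_mode_under_umask UMASK DIR
    ( umask "$1" && mkdir "$2" ) || return 1
    ls -ld "$2" | cut -c1-10
}

# Classify the group bits (characters 5-6 of the mode string) as
# "none", "read", "write" or "other" (e.g. write without read).
group_access() {  # usage: group_access MODESTRING
    case "$(printf '%s' "$1" | cut -c5-6)" in
        --) echo none ;;
        r-) echo read ;;
        rw) echo write ;;
        *)  echo other ;;
    esac
}

demo() {
    work=$(mktemp -d)
    echo "umask 077 (needed when everyone shares a default group):"
    m=$(mode_under_umask 077 "$work/a");     echo "  file $m  group: $(group_access "$m")"
    m=$(dir_mode_under_umask 077 "$work/da"); echo "  dir  $m  group: $(group_access "$m")"
    echo "umask 027 (enough when my default group contains only me):"
    m=$(mode_under_umask 027 "$work/b");     echo "  file $m  group: $(group_access "$m")"
    m=$(dir_mode_under_umask 027 "$work/db"); echo "  dir  $m  group: $(group_access "$m")"
    echo "umask 002 (what a shared-group box must avoid):"
    m=$(mode_under_umask 002 "$work/c");     echo "  file $m  group: $(group_access "$m")"
    rm -rf "$work"
}

demo
```

With 027 and a private default group, the group read bit on a new file is harmless until the owner runs chgrp to a shared group, at which point that group can read without any chmod; that is the "easier to turn on" property the answer describes.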