
Unix / Linux special groups

Raynald Boucher
Super Advisor

Unix / Linux special groups

Hello all,
We are migrating systems and I'm in a bit of cleanup / documentation process.

Where can I find documentation for/on special user groups found on UNIX systems?
I'm thinking of the groups "wheel", "ctools", "ntools" and others.

We have some of these groups defined on our systems. I know they are needed for some admin tasks but cannot see any files belonging to them and cannot find documentation specifying the privileges their members are entitled to.



Re: Unix / Linux special groups

I've never seen these groups. They must be special for your site or an application you use.
Honored Contributor

Re: Unix / Linux special groups

In some Unix-style operating systems, "wheel" is the traditional name for the "users who are allowed to use su to become root" user group. This restriction is typically enforced by the su command itself.

Even with the "wheel" group functionality of (some versions of) su, this requires multiple users to know the root password. Changing a password that must be known by more than one person requires coordination and passing secrets around, making it harder to replace a password that might have fallen into the wrong hands.

So, most current sources recommend using sudo instead of su to allow the administrators to use the root privileges.

If you're using sudo, it can be used to give out other privileges too: the "ctools", "ntools" and other groups might have certain sudo privileges assigned to them. Find the "sudoers" file on your system and read it to see what kind of privilege definitions are made; the file is normally /etc/sudoers on most Linuxes, and /opt/iexpress/sudo/etc/sudoers on HP-UX (if the HP-provided version of sudo from the HP-UX Internet Express package is used).

If you need to edit the sudoers file, use the "visudo" command; like "vipw" for /etc/passwd file, it makes a temporary copy of the respective file for editing. Visudo checks the edited file for syntax errors before it replaces the real file. If errors are detected, it gives you a chance to fix them or to abandon your changes.

Raynald Boucher
Super Advisor

Re: Unix / Linux special groups

Thanks Matti,
Your answer does not solve my problem but points me in the right direction.

On our HP-UX systems, there is no /opt/iexpress/.../sudoers file but some commands and logs have the [cn]tools group assigned. I'm told ntools was for network and ctools was for configuration and the groups were created to allow certain people to view logs and perform certain operations without having the full system privileges.

The same setup appears to have been implemented on more recent Linux systems because the groups are populated, but do not appear in the /etc/sudoers files.

Thanks for a valuable explanation.
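
Added example, not part of any post in this thread: shell functions for documenting what groups such as "ctools" and "ntools" grant, covering the three places discussed above (membership, sudoers entries, and group ownership of commands and logs). The function names are hypothetical, and the default paths /etc/group, /etc/passwd and /etc/sudoers are assumptions; pass the sudoers path your system actually uses.

```shell
#!/bin/sh
# Added example (hypothetical helper names): document what a group grants.
# Reads flat files only; defaults are assumptions, override them per system.

# Users in GROUP: supplementary members listed in the group file plus users
# whose primary GID (passwd field 4) is the group's GID.
group_members() {
    grp=$1; gfile=${2:-/etc/group}; pfile=${3:-/etc/passwd}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$gfile")
    [ -n "$gid" ] || return 1          # group not defined in this file
    {
        awk -F: -v g="$grp" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i] }' "$gfile"
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$pfile"
    } | sort -u
}

# Non-comment sudoers lines that name %GROUP, either in a rule or as a
# member of an alias. Usage: sudoers_rules GROUP [FILE...]
sudoers_rules() {
    grp=$1; shift
    [ $# -gt 0 ] || set -- /etc/sudoers
    awk -v g="%$grp" '
        /^[ \t]*#/ { next }
        { s = $0; gsub(/[,=():\t]/, " ", s)
          if (index(" " s " ", " " g " ")) print FILENAME ": " $0 }' "$@"
}

# "mode path" for everything under DIR whose group owner is GROUP (name or
# numeric GID). Setgid programs and group-readable logs are where membership
# becomes privilege without any sudoers entry.
group_owned_files() {
    find "$2" -xdev -group "$1" -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $NF }'
}

# One report per group, e.g.: audit_group ctools /
audit_group() {
    echo "== members of $1";          group_members "$1"
    echo "== sudoers lines for $1";   sudoers_rules "$1"
    echo "== files under ${2:-/} with group $1"
    group_owned_files "$1" "${2:-/}"
}
```

Run it as root so that the sudoers file is readable and find can descend into every directory.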

Ismail Azad
Esteemed Contributor

Re: Unix / Linux special groups

Hi Raynald,

So it sounds like you are using sudo over RBAC, lookin' at the conventional groups your query is based on.

However, RBAC does have special roles and special *pseudo groups* that go with the implementation of RBAC. One of which stands out is PRIV_GLOBAL.

Ismail Azad
Read, read and read... Then read again until you read "between the lines".....