
Is it dangerous to remove some groups?

 
SOLVED
Nils_9
Advisor

Is it dangerous to remove some groups?

Hi there,

when you create a new user on Linux, penguin for example, a group with the same name is created, and the UID is the same as the GID (505 for example).
What happens if this group is deleted? What becomes impossible to do when this group is deleted? Is it dangerous? I ask the question for all the cases, but also in the case of a Samba fileserver.
Ivan Ferreira
Honored Contributor

Re: Is it dangerous to remove some groups?

You won't be able to delete a user's primary group. If you want to delete the group, you need to change the user's primary group with usermod -g.

If you delete the group, you also need to modify the group membership permissions of all files that the group owns. You can use the find command to find out what files are owned by the group, and change the group owner. (find / -group groupname -exec chgrp newgrp {} \; )

You can delete a group, but you need to be sure that the group does not own any files.

Also, that group membership scheme (groupname same as username) is part of a security best practice known as User Private Group. Take a look at UPG.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
HGN
Honored Contributor

Re: Is it dangerous to remove some groups?

Hi

The user's primary group should not be deleted. You can assign the user to a different group and then delete the group.

Rgds

HGN
Rick Garland
Honored Contributor

Re: Is it dangerous to remove some groups?

When you add users via the Linux way it adds a corresponding group with the user account name. I have had no problems in reassigning the user to another group and then removing the new group that was created.

If you need to add some 500 users, you could get some 500 new groups as well.
Gopi Sekar
Honored Contributor

Re: Is it dangerous to remove some groups?


You should not delete the primary group of the user; then the GID set for files in his home directory will turn numeric.

Having the GID the same as the UID is, I believe, RedHat's choice of maintaining users. I would suggest having a single group id (e.g. users) and, when users are created, assigning this group as their primary group. The necessary options to do this are available as part of the useradd command.

Regards,
Gopi
Never Never Never Giveup
Nils_9
Advisor

Re: Is it dangerous to remove some groups?

Thanks a lot for your help.
Does someone have an example of a problem caused by the fact that the users of a Linux system (whatever the distro) don't have a group of the same name and same ID?
Ivan Ferreira
Honored Contributor
Solution

Re: Is it dangerous to remove some groups?

When you have more than one user in the same group (that's what happens if you don't use a private group), then by default, all users in the same group can see the files created by other users, which may not be good.

Example:

UID: user1
GID: users

UID: user2
GID: users

umask 027

user1:

touch my_private_file
ls -la my_private_file

-rw-r----- user1 users my_private_file


See? If you don't modify the umask setting to something like 077, the my_private_file by default can be read by user2.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
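Added example (not part of the original thread or any poster's code): the umask comparison from the answer above as a runnable shell script, plus a check for existing files that members of the owning group can read. It assumes GNU stat (stat -c) on Linux; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils stat; all function names are made up
# for this illustration.

# Print the octal mode a newly created file gets under umask $1 (027, 077, ...).
mode_under_umask() {
    (
        dir=$(mktemp -d) || exit 1        # scratch dir, created before umask changes
        umask "$1"
        : > "$dir/my_private_file"        # new file: 0666 masked by the umask
        stat -c '%a' "$dir/my_private_file"
        rm -rf "$dir"
    )
}

# Succeed if octal mode $1 (e.g. 640) gives the owning group read access.
group_can_read() {
    [ $(( 0$1 & 040 )) -ne 0 ]            # 040 is the group-read bit
}

# List regular files under directory $1 that the owning group can read.
# With a shared primary group such as "users", these are readable by
# every other member of that group.
list_group_readable() {
    find "$1" -type f -perm -040
}

# Demo: the two umask values discussed in the thread.
for mask in 027 077; do
    mode=$(mode_under_umask "$mask")
    if group_can_read "$mode"; then
        echo "umask $mask -> mode $mode: group members can read new files"
    else
        echo "umask $mask -> mode $mode: new files are private to the owner"
    fi
done
```

A umask only affects files created afterwards; list_group_readable run on a home directory shows files that already carry the group-read bit.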
Andrew Merritt_2
Honored Contributor

Re: Is it dangerous to remove some groups?

I don't think it would cause any problems.

Removing the group entry will just remove the name of the group. The passwd entry will still have the numeric group id for that user. The files owned by that group will just be displayed with the numeric value.

If you change the group id in the passwd file for the user, any previously existing files will keep their group id.

The User Private Groups scheme that RedHat implement is just one way of implementing things (it doesn't involve any fundamental changes to the underlying Linux). It means by default that you don't have group access permissions to read another user's file. Normally (e.g. on HP-UX) users are put in the same group so can share access to files, but with UPG they'd both need to be members of a separate group to do this.

Andrew
Nils_9
Advisor

Re: Is it dangerous to remove some groups?

Thanks a lot Ivan & Andrew, so I'll do a umask 077 to the home directories. Does umask stay after a reboot? Just if needed.
Ivan Ferreira
Honored Contributor

Re: Is it dangerous to remove some groups?

No, the umask command should be configured in the /etc/profile file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?