Go to TogaWare.com Home Page. GNU/Linux Desktop Survival Guide
by Graham Williams
Duck Duck Go

Access Control through Unix Groups

20190820 Every file and folder in a GNU/Linux system belongs to a so-called group. Each user is also a member of one or more groups. Groups are used to allow collections of users to access particular shared files, folders, and services.

A Debian GNU/Linux system creates some standard groups and users. The system administrator can also create new users and may also create new groups. Groups can be managed using the Gnome users-admin tool, accessed from Applications->System Tools->Users and Groups. By default this shows only users, but you can access groups by selecting the More Options button. This allows you to add new groups and to add and remove users from groups.

Figure 80.1: Gnome interface for managing GNU/Linux groups.
Image gnome-groups

Listed below are some standard groups and users. Refer to /usr/share/doc/base-passwd/users-and-groups.html on your local system for further details.

Group gid Description
root 0 The root (admin) user's primary group.
daemon 1 Non-root daemons.
bin 2 Historical but required by some programs.
sys 3 Historical but required by some programs.
adm 4 Access /var/log to monitor system. Private data (passwords) may exist.
tty 5 Access /dev/tty terminal devices by e.g., write and wall.
disk 6 The disk device nodes are group accessible to disk so that programs that need access to them will set their group ID to be disk. This group has write access to all the raw disk devices (/dev/hd* and /dev/sd*), so assigning users to group disk is both dangerous and a security risk.
lp 7 Access lp (printer) daemon jobs without being root.
mail 8 mailbox spool directories belong to group mail, MUA software runs setgid mail. This makes dot locking possible. Also, mailboxes must be writeable by group mail (Policy Manual, 3.1.1.1, 5.6).
news 9 standard group for user news. Why does news have its own group, and many of the other daemon uids don't?
uucp 10 Access uucp jobs.
proxy 13 web cache files are group accessible to proxy.
kmem 15 /proc/kmem is group accessible to kmem. Programs that need access are sgid kmem.
dialout 20 ppp- and isdn device nodes are group accessible to dialout. Include users allowed to initiate dialout in this group.
fax 21 fax jobs are group accessible to fax.
voice 22 voice messages are group accessible to voice (vgetty)
cdrom 24 The cdrom group is used to control who can access the CD-ROM.
floppy 25  
tape 26 for device nodes. Include users allowed to access these in the appropriate groups.
sudo 27  
audio 29 for device nodes. Include users allowed to access sound in this group
dip 30 For daemons running under their own uid/gid. Why are these static?
majordom 30 For daemons running under their own uid/gid. Why are these static?
postgres 32 For daemons running under their own uid/gid. Why are these static?
www-data 33 This has been discussed in the past, and the discussion is not finally finished. Today, www data files belong to this group and the web servers run with that group, thus being able to write the files. This has been considered a security hole, but was not yet changed.
backup 34  
msql 36 For daemons running under their own uid/gid. Why are these static?
operator 37  
list 38  
irc 39 For daemons running under their own uid/gid. Why are these static?
src 40 This group is intended for users who need to access source code, including files in /usr/src. Users in this group can thus manage system source code. Also, this group is the default group for access to the CSV repository in /var/lib/csv.
gnats 41 For daemons running under their own uid/gid. Why are these static?
shadow 42 Programs that should be able to access the shadow passwords are sgid shadow.

utmp 43 Programs that should be able to access utmp are sgid utmp.
video 44  
staff 50 This group is used to control access to /usr/local. Add users to this if they should be able to write to /usr/local and /var/local.
games 60 games that store user independent high score values in /var/lib/games are sgid games
qmail 70 used for qmail
users 100 All users belong to this group. Place files that all users should have access to in this group.

Copyright © 1995-2020 Togaware Pty Ltd
Support further development through the purchase of the PDF version of the book.
Brought to you by Togaware and the author of open source software including Rattle and wajig.
Also the author of Data Mining with Rattle and Essentials of Data Science.