


Socialtools.StandardUsersGroups r1.1 - 05 Nov 2003 - 14:31 - TWikiGuest


Users and Groups

Users

Sysadmins have sudo privileges, allowing them to run commands as root. Mail to root is normally delivered to one of the sysadmins, by setting an alias in /etc/aliases.

Adding a User

Do this with adduser; it will handle the shadow password stuff for you. The defaults are fine. To add a normal user:

sudo adduser toni

If the user is a system administrator, add them to the adm and staff groups:

sudo usermod -G adm,staff toni

To add a user for a daemon:

sudo adduser --system --group --home /var/www apache

Or if it doesn't make sense for the daemon to have a home directory:

sudo adduser --system --group --no-create-home apache

Groups

As the adduser manpage says, 'By default, each user in Debian GNU/Linux is given a corresponding group with the same name and id.'

The Debian Reference Manual identifies some useful groups:

  • adm group can read logfiles.
  • staff membership is useful for helpdesk types or junior sysadmins, giving them the ability to do things in /usr/local and to create directories in /home.

The staff Group and /usr/local

It may not be obvious how this works, so here's an explanation. The reason that staff can create things in /usr/local is that its permissions are as follows:

drwxrwsr-x    7 root     staff        4096 Feb  4 20:09 /usr/local/

The SGID bit on the directory means that any files created in /usr/local will automatically have the group staff, and new subdirectories inherit the SGID bit as well.

Subdirectories of /usr/local, when created by root, have these permissions:

drwxr-sr-x   12 root     staff        4096 Feb  4 21:21 /usr/local/apache/

Normally, non-executable files in /usr/local and its subdirectories have the following ownership and permissions:

-rw-r--r--    1 root     staff     5021044 May  1  2002 /usr/local/src/bind-9.2.1.tar.gz

If you're in staff and you try to delete a file like the one above, rm will prompt you to confirm whether you want to delete a 'write-protected file'. If you answer yes, and the file is in a directory for which you have write permissions (like /usr/local), the file will be deleted. If you don't have write permissions for the directory, you'll get 'Permission denied'.

If you try to create a file in a directory for which you don't have write permissions (like /usr/local/src, above), you'll get 'Permission denied'.

The result is that anyone in staff can create, modify or delete files and directories directly under /usr/local, but not in subdirectories of /usr/local that were created by root.
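The following shell functions are an added example, not part of the original page: they audit a tree laid out like /usr/local and list where group members can create and delete entries, which 'write-protected' files they can still delete and recreate, and which writable directories lack the SGID bit. The function names are hypothetical, and a find that supports -maxdepth (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example: audit group write access in a tree such as /usr/local.
# Function names are illustrative; assumes find supports -maxdepth.

# Directories where members of GROUP can create and delete entries:
# owned by GROUP, group-writable, and without the sticky bit (which
# would limit deletion to each entry's owner).
group_writable_dirs() {
    find "$1" -type d -group "$2" -perm -020 ! -perm -1000 2>/dev/null
}

# Files that lack the group-write bit but sit directly in a directory
# from group_writable_dirs: a GROUP member cannot edit them in place,
# yet can delete and recreate them (the case where rm asks about a
# 'write-protected file').
replaceable_files() {
    group_writable_dirs "$1" "$2" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f ! -perm -020 2>/dev/null
    done
}

# Group-writable directories without the SGID bit: files created there
# take the creator's primary group instead of GROUP.
missing_sgid_dirs() {
    find "$1" -type d -group "$2" -perm -020 ! -perm -2000 2>/dev/null
}

# Run as: sh staff_audit.sh /usr/local staff
if [ "$#" -eq 2 ]; then
    echo "Directories writable by group $2:"
    group_writable_dirs "$1" "$2"
    echo "Files group $2 can delete and recreate:"
    replaceable_files "$1" "$2"
    echo "Group-writable directories without SGID:"
    missing_sgid_dirs "$1" "$2"
fi
```

On a layout like the one shown above, /usr/local/src and its contents should not appear in the first two lists, because root-created subdirectories are not group-writable.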

For security reasons, the use of certain programs is restricted to members of the staff group; see StandardSecurity.

Changing a User's Groups

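After you've created a user, you can add the user to one or more additional groups using usermod. Use -a (append) together with -G; without -a, usermod replaces the user's supplementary group list with the one given, dropping any memberships not listed. E.g.:

sudo usermod -a -G adm,staff toni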

Copyright © 1999-2012 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.