creating all users with one primary group?

Joel Rees joel.rees at gmail.com
Sat Dec 31 16:04:47 UTC 2011


On Sat, Dec 31, 2011 at 9:29 PM, Frantisek Hanzlik <franta at hanzlici.cz> wrote:
> Does anyone have experience with the situation where all users on a Fedora
> distro have the same primary group (i.e. no extra group is created
> for every user)?

It's common in some distributions.

(Mac OS X, 10.0 - 10.2 had a common "staff" group into which all login
users went. From 10.3, I think, they went with making a primary group
per user. Of course, that's BSD, not Linux.)

> Namely I'm asking when all programs will be working without problems.
> I want to use for all users the predefined group "users" (GID=100), which
> seems to be intended for that situation; in "/etc/default/useradd"
> this group defined.

I think that group has been used both ways, actually -- primary or
secondary group for login users. Different requirements do different
things there.

> I'm a little confused by two things too:
>
> - according to useradd man page, USERGROUPS_ENAB variable in
> "/etc/login.defs" controls, when by default will be for users created
> their own primary group or not. Thus set "USERGROUPS_ENAB no" should
> disable this "feature". But in this file on Fedora distros
> (F14-F16) is weird comment
> "This enables userdel to remove user groups if no members exist"

According to some admin techniques, which are not universal. The
"user" series of user admin tools are by no means the only ways to
manage users.

> - "/etc/login.defs" defines variable "GID_MIN  500". In F16 are min
> UID/GID raised to 1000 and arrives two new variables
> SYS_UID_MIN     201
> SYS_UID_MAX     999

Which seems both sensible and weird to me.

Sensible because it's nice to have lots of headroom for inventing
system users, and weird because it wasn't so long since they added
GID_MIN and set it at 500, and made the associated move from masking
users out of the login dialog by their login shell to masking them out
by lack of password -- which looks to me like a vulnerability just
waiting to happen.

> Poses this that what GID=100 are still "normal user" GID and may be
> used as primary (and only) user group ID?

Probably something they forgot to change. On the other hand, if you
have a default user group, whether assigned primary or secondary, you
don't want to ever assign a login user the same uid number.

> Thanks, Franta

--
Joel Rees
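
An added example, not part of the original message: a small Python audit of the settings discussed in this thread (USERGROUPS_ENAB, GID_MIN, a shared primary group with GID 100, and accounts whose UID equals that GID). The login.defs and passwd contents are constructed samples, and the function names and the account "legacy" are hypothetical.

```python
# Constructed samples; on a real host read /etc/login.defs and /etc/passwd.
LOGIN_DEFS = """\
# constructed sample
UID_MIN          1000
GID_MIN          1000
SYS_UID_MIN       201
SYS_UID_MAX       999
USERGROUPS_ENAB no
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:x:100:100::/home/legacy:/bin/bash
alice:x:1000:100::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
"""

def parse_login_defs(text):
    """Return {KEY: value} for the non-comment lines of login.defs."""
    defs = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            defs[fields[0]] = fields[1]
    return defs

def audit(login_defs_text, passwd_text, shared_gid=100):
    """Summarise how accounts relate to one shared primary group."""
    defs = parse_login_defs(login_defs_text)
    # Fallback of 1000 is an assumption used only when the key is absent.
    uid_min = int(defs.get("UID_MIN", 1000))
    gid_min = int(defs.get("GID_MIN", 1000))
    users = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            users.append((f[0], int(f[2]), int(f[3])))  # name, uid, primary gid
    return {
        "usergroups_enab": defs.get("USERGROUPS_ENAB", "unset"),
        "shared_gid_below_gid_min": shared_gid < gid_min,
        "login_users_in_shared_group": sorted(
            n for n, uid, gid in users if uid >= uid_min and gid == shared_gid),
        # The reply above warns against a UID equal to the default group's GID.
        "uid_equals_shared_gid": sorted(n for n, uid, _ in users if uid == shared_gid),
    }

if __name__ == "__main__":
    for key, value in audit(LOGIN_DEFS, PASSWD).items():
        print(f"{key}: {value}")
```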

