A User's Guide to Unix Group Management
ABSTRACT
In the interest of making life easier for everyone,
the CSE Lab has developed a software suite, collec-
tively known as GrpAdmin, that allows user-level man-
agement of Unix groups and group memberships. We begin
by explaining traditional group management procedures,
then describe a new methodology and its benefits. A
concluding section provides examples of using the new
software.
1. Traditional Methods of Group Management
Unix groups can be a powerful tool for file protection and shar-
ing. However the usual techniques for managing groups are cumber-
some. Traditionally, groups are manipulated by editing specific
files. Access to these files is limited to administrative "super
users" since the access is all or nothing: the capability to
change one group implies the ability to change all groupd in
arbitrary ways. Therefore group creation, membership changes and
group removal require indirection through support staff who are
sufficiently trusted to actually perform those operations. Indi-
rection means sending mail, waiting for a reply, discovering that
you forgot something or want to make yet another change and then
going through the whole process again. There are also delays in
updates taking noticeable effect due to the manner in which they
are propagated.
An additional shortcoming of traditional group usage is that the
underlying operating system imposes a limit on the number of
groups simultaneously associated with a user. Once this limit is
reached, a user cannot join a new group until some old member-
ship(s) are removed.
In an effort to make groups more generally useful, the GrpAdmin
software allows "regular" users to manage groups in a cont�_rolled
manner. For most practical purposes changes made using | A take
immediate effect, reducing delays in making use of new group mem-
berships. In addition, a user has effective access to an essen-
tially unlimited number of group memberships.
2. A More Flexible Model of Group Management
The new software implements a model of group management based on
the concept of ownership. An unprivileged user owning a group
can add or remove members from that group. Users also own their
individual group memberships. If a person no longer needs to be
a group member, he/she can delete that membership. Alterna-
tively, such a membership can be changed to a status where group
access is still possible but is not associated with the user as a
default "login group"; this status allows exercising rights to a
number of groups that exceeds operating system imposed limit. The
authorization hierarchy is given in Table 1.
+--------------++------------------------------------+
| Operation || Privilege Level |
+--------------++-------+-------------+--------------+
| Add/Delete ||Admin. | Group Owner | Group Member |
+--------------++-------+-------------+--------------+
| Group || Yes | No | No |
| Owner || Yes | Yes | No |
| Membership || Yes | Yes | Delete self |
|"Login Group" || Yes | No | Yes (self) |
+--------------++-------+-------------+--------------+
Information regarding group ownerships and memberships is stored
in an SQL database. The database contents are periodically con-
verted to the flat files usually associated with Unix group
information. However, these files are used as the equivalent of
a local cache. In the absence of cached information related to
group membership, the database is consulted directly. Thus
updates to group ownership and membership are effectively instan-
taneous.
In addition to provision for user-managed ownership and member-
ship, group information now includes expiration dates for use
with temporary groups and the concept of a master group. When a
new group is created, the requestor can give an expiration date
on which the group and all its membership and ownership informa-
tion will automatically be deleted. The group requestor can also
specify that a new group be associated with a master group. The
new group will then automatically inherit the expiration date and
ownership list of the master group.
3. What Is It Good For?
A few examples illustrate the utility of the new procedures:
a. You are teaching a class where students work as teams on
individual projects. Each team is in a separate Unix group
to restrict file access across teams. However you, as the
instructor, need to see the work of all teams. This means
that you must be a member of each team's group and thus can
be afflicted by the "group overflow" problem.
Using the new group database utility chgrpsh you can selec-
tively and temporarily exercise access any or all team
groups.
b. Same situation as (a). Only this time it is the first week
of the quarter and you are trying to organize the class
teams. Students change teams, new students sign up, others
drop out. All of which would normally necessitate e-mail
exchanges with administrators.
Using the new software you add or remove team group members
directly. Alternatively (and perhaps more importantly) you
can delegate your TA(s) to perform these tiresome functions.
Obviously, this functionality extends to groups used for
research projects.
c. You need to become a member of a new group. But the new mem-
bership will put you over the maximum group limit. Using the
new software you can either permanently remove membership in
groups you do not use. Or you can change them to non-login
groups and later use the chgrpsh utility to access them when
necessary.
4. Using the Group Administration Software
There are three different interfaces to group management func-
tions:
1. A Unix command line tool called grpadmin. Grpadmin can be
used either interactively, in batch mode or via command line
arguments. The syntax of commands is:
grpadmin operation-name object [ ...parameters... ]
Typical examples of operations are:
grpadmin addmember group-name -who user-list
grpadmin listowned user-list
grpadmin showowners group-name-list
grpadmin addlogin group-name -who user-list
grpadmin listugrps user-list
grpadmin renamegrp group-name -to group-name
A complete description grpadmin commands, their effects and
arguments (including wild-carding) can be found at:
http://www.cs.washington.edu/lab/GrpAdmin/grpadmin.html
2. Grpadmin is also accessible on the Web at
http://weblogin.cs.washington.edu/cgi-bin/grpadmin.cgi
This introductory page contains links to CGI scripts that
implement the four main group administration functions: group
creation and deletion, manipulating group ownerships, chang-
ing group memberships and arranging default login groups.
There is a page for each of these functions with the usual
web form and action buttons.
Be advised that, due to the connectionless nature of Web
interactions, performance is somewhat less than that of the
other interfaces.
3. The third interface, xgrpadmin uses the X Window System. The
screen organization of xgrpadmin closely mirrors that of the
GrpAdmin web page. However, it is possible have several
functional panels in use simultaneously. The interface
includes on-line help. See
http://www.cs.washington.edu/lab/GrpAdmin/xgrpadmin.html
for more information on xgrpadmin.
The GrpAdmin software attempts to be as "transactional" as possi-
ble. That is, either everything that you intended to do is
accomplished or none of it is. Thus, if you provide a list of
names as a parameter and one of those names causes an error
(e.g., attempting to add a user to a group of which they are
already a member), no changes will have occurred.
4.1. Chgrpsh
The GrpAdmin utility chgrpsh is used to exercise exercise privi-
leges for groups that are not part of a user's default login
group set. You give chgrpsh a list of groups that you wish to as-
sociate with (or disassociate from) a process. Chgrpsh verifies
your membership in the given groups and then creates a process
(by default your usual shell program) using those groups. As an
example:
chgrpsh -www -zpl -admin +cse451a +cse451b +cse451c
will create a new shell in which the groups www, zpl and admin
groups have been replaced with three cse451 section groups. If
is not necessary to replace process groups unless the number new
groups would cause the process the exceed the OS maximum. You can
also give a single command after the group list to be run instead
of the default interactive shell.
Chgrpsh initially interogates local /etc/group-format files to
determine group memberships. If a given group cannot be found in
these "caches", chgrpsh will query the group membership database.
This behavior allows users to short-cut the propagation delay of
/etc/group files created from database content. However, query-
ing the database requires that you valid Kerberos credentials.
5. Changes to Support Operations
Use of the group administration software will reduce the load on
the CSE Support group. It will also substantially decrease the
turnaround time for group membership changes. These improvements
are achieved by distributing the burden of group management
across a large number of users who have substantial self-interest
in maintaining specific groups.
To ensure that these goals are met, the following rules regarding
interaction with the Support group will be enforced:
1. If you request that a group or group be created, you will be
made the owner of those groups. From that point on, all
changes to ownership and membership of the group(s) will be
your responsibility.
2. If you currently "own" a project-related group under the old
regime (the definition of ownership here is that you have
made repeated requests for membership changes in a particular
group), you will made the official owner of that group. From
that point on, all changes to ownership and membership of the
group(s) will be your responsibility.
3. If you are the instructor of a class with existing associated
groups, you will be made the owner of such groups. From that
point on, all changes to ownership and membership of the
group(s) will be your responsibility.
These rules may at first glance appear annoyingly different from
the previous e-mail request method. However, the added burden on
individual users is relatively small and more than compensated
for by increased flexibility and reduction in delays and misun-
derstandings.
6. Frequently Asked Questions
Why can't I directly create and/or delete groups?
1. The number of groups available is finite. The fear is that
if many people are allowed to create groups whenever the
mood strikes we will exceed the maximum number of numeric
group identifiers available; for security reasons these
identifiers are not recyled when a group is deleted.
2. It is handy for support personnel to know why a group is
created and what its use is.
3. Groups are used for file access protection. Which means
that deleting a group requires tidying up the files associ-
ated with that group.
If you wish to create or delete a group, send a request to sup-
port@cs.
I added Farnsworth as member of group FOOBAR, but when he/she
logs in, he/she is not in that group. What gives?
The three most likely reasons for this behavior are:
1. There is a delay (usually about 2-4 hours) between changing
membership or login group status and those changes propa-
gating to all the Unix machines in the department. This is
because it is not worth the trouble to rewrite every Unix
application to consult that backend database rather the
normal "flat files" or NIS servers.
2. Farnsworth hasn't actually logged out and logged back in
again since the change propagated. Process group associa-
tions are established only at login time (but cf. chgrpsh
above). Note that this restriction also applies if you are
trying to remove yourself or someone else from a group.
3. Farnsworth may have too many existing group memeberships
for the new group to be added as a default login group.
You, as the group owner, have no control over this situa-
tion. It is up to Farnsworth to arrange his/her login
groups by using one of the GrpAdmin interfaces.
I am a member of group FOO and 'chgrpsh +FOO' worked fine. But
when I type 'chgrp FOO file' it complains of an invalid group
name.
+�o Changes to group ownerships and memberships are a function
of the database only and are effectively instantaneous when
using GrpAdmin programs. However, as mentioned above it
can take a while for the group files that Unix programs use
to propagate. This means that it takes some time for sym-
bolic group names to become available. If you run the
groups(1) command from your chgrpsh shell you will almost
certainly a list of names and a number. That number repre-
sents the group FOO. Therefore, use 'chgrp FOO-number
file' to change the file group. The group name will catch
up with you eventually.
I tried to run one of the group management interfaces and it mut-
ters something about "no credentials cache found".
+�o The non-Web interfaces require you to have Kerberos authen-
tication credentials. Generally you get these by default
when you login directly to a Unix system. But if you
rlogin from one machine to another, those credentials will
not follow you around by default. In order for that to
happen, you must acquire a "forwardable" ticket and use
rlogin -f to login to a remote machine. See the standard
Kerberos documentation for details.