A User's Guide to Unix Group Management ABSTRACT In the interest of making life easier for everyone, the CSE Lab has developed a software suite, collec- tively known as GrpAdmin, that allows user-level man- agement of Unix groups and group memberships. We begin by explaining traditional group management procedures, then describe a new methodology and its benefits. A concluding section provides examples of using the new software. 1. Traditional Methods of Group Management Unix groups can be a powerful tool for file protection and shar- ing. However the usual techniques for managing groups are cumber- some. Traditionally, groups are manipulated by editing specific files. Access to these files is limited to administrative "super users" since the access is all or nothing: the capability to change one group implies the ability to change all groupd in arbitrary ways. Therefore group creation, membership changes and group removal require indirection through support staff who are sufficiently trusted to actually perform those operations. Indi- rection means sending mail, waiting for a reply, discovering that you forgot something or want to make yet another change and then going through the whole process again. There are also delays in updates taking noticeable effect due to the manner in which they are propagated. An additional shortcoming of traditional group usage is that the underlying operating system imposes a limit on the number of groups simultaneously associated with a user. Once this limit is reached, a user cannot join a new group until some old member- ship(s) are removed. In an effort to make groups more generally useful, the GrpAdmin software allows "regular" users to manage groups in a cont_rolled manner. For most practical purposes changes made using | A take immediate effect, reducing delays in making use of new group mem- berships. In addition, a user has effective access to an essen- tially unlimited number of group memberships. 2. A More Flexible Model of Group Management The new software implements a model of group management based on the concept of ownership. An unprivileged user owning a group can add or remove members from that group. Users also own their individual group memberships. If a person no longer needs to be a group member, he/she can delete that membership. Alterna- tively, such a membership can be changed to a status where group access is still possible but is not associated with the user as a default "login group"; this status allows exercising rights to a number of groups that exceeds operating system imposed limit. The authorization hierarchy is given in Table 1. +--------------++------------------------------------+ | Operation || Privilege Level | +--------------++-------+-------------+--------------+ | Add/Delete ||Admin. | Group Owner | Group Member | +--------------++-------+-------------+--------------+ | Group || Yes | No | No | | Owner || Yes | Yes | No | | Membership || Yes | Yes | Delete self | |"Login Group" || Yes | No | Yes (self) | +--------------++-------+-------------+--------------+ Information regarding group ownerships and memberships is stored in an SQL database. The database contents are periodically con- verted to the flat files usually associated with Unix group information. However, these files are used as the equivalent of a local cache. In the absence of cached information related to group membership, the database is consulted directly. Thus updates to group ownership and membership are effectively instan- taneous. In addition to provision for user-managed ownership and member- ship, group information now includes expiration dates for use with temporary groups and the concept of a master group. When a new group is created, the requestor can give an expiration date on which the group and all its membership and ownership informa- tion will automatically be deleted. The group requestor can also specify that a new group be associated with a master group. The new group will then automatically inherit the expiration date and ownership list of the master group. 3. What Is It Good For? A few examples illustrate the utility of the new procedures: a. You are teaching a class where students work as teams on individual projects. Each team is in a separate Unix group to restrict file access across teams. However you, as the instructor, need to see the work of all teams. This means that you must be a member of each team's group and thus can be afflicted by the "group overflow" problem. Using the new group database utility chgrpsh you can selec- tively and temporarily exercise access any or all team groups. b. Same situation as (a). Only this time it is the first week of the quarter and you are trying to organize the class teams. Students change teams, new students sign up, others drop out. All of which would normally necessitate e-mail exchanges with administrators. Using the new software you add or remove team group members directly. Alternatively (and perhaps more importantly) you can delegate your TA(s) to perform these tiresome functions. Obviously, this functionality extends to groups used for research projects. c. You need to become a member of a new group. But the new mem- bership will put you over the maximum group limit. Using the new software you can either permanently remove membership in groups you do not use. Or you can change them to non-login groups and later use the chgrpsh utility to access them when necessary. 4. Using the Group Administration Software There are three different interfaces to group management func- tions: 1. A Unix command line tool called grpadmin. Grpadmin can be used either interactively, in batch mode or via command line arguments. The syntax of commands is: grpadmin operation-name object [ ...parameters... ] Typical examples of operations are: grpadmin addmember group-name -who user-list grpadmin listowned user-list grpadmin showowners group-name-list grpadmin addlogin group-name -who user-list grpadmin listugrps user-list grpadmin renamegrp group-name -to group-name A complete description grpadmin commands, their effects and arguments (including wild-carding) can be found at: http://www.cs.washington.edu/lab/GrpAdmin/grpadmin.html 2. Grpadmin is also accessible on the Web at http://weblogin.cs.washington.edu/cgi-bin/grpadmin.cgi This introductory page contains links to CGI scripts that implement the four main group administration functions: group creation and deletion, manipulating group ownerships, chang- ing group memberships and arranging default login groups. There is a page for each of these functions with the usual web form and action buttons. Be advised that, due to the connectionless nature of Web interactions, performance is somewhat less than that of the other interfaces. 3. The third interface, xgrpadmin uses the X Window System. The screen organization of xgrpadmin closely mirrors that of the GrpAdmin web page. However, it is possible have several functional panels in use simultaneously. The interface includes on-line help. See http://www.cs.washington.edu/lab/GrpAdmin/xgrpadmin.html for more information on xgrpadmin. The GrpAdmin software attempts to be as "transactional" as possi- ble. That is, either everything that you intended to do is accomplished or none of it is. Thus, if you provide a list of names as a parameter and one of those names causes an error (e.g., attempting to add a user to a group of which they are already a member), no changes will have occurred. 4.1. Chgrpsh The GrpAdmin utility chgrpsh is used to exercise exercise privi- leges for groups that are not part of a user's default login group set. You give chgrpsh a list of groups that you wish to as- sociate with (or disassociate from) a process. Chgrpsh verifies your membership in the given groups and then creates a process (by default your usual shell program) using those groups. As an example: chgrpsh -www -zpl -admin +cse451a +cse451b +cse451c will create a new shell in which the groups www, zpl and admin groups have been replaced with three cse451 section groups. If is not necessary to replace process groups unless the number new groups would cause the process the exceed the OS maximum. You can also give a single command after the group list to be run instead of the default interactive shell. Chgrpsh initially interogates local /etc/group-format files to determine group memberships. If a given group cannot be found in these "caches", chgrpsh will query the group membership database. This behavior allows users to short-cut the propagation delay of /etc/group files created from database content. However, query- ing the database requires that you valid Kerberos credentials. 5. Changes to Support Operations Use of the group administration software will reduce the load on the CSE Support group. It will also substantially decrease the turnaround time for group membership changes. These improvements are achieved by distributing the burden of group management across a large number of users who have substantial self-interest in maintaining specific groups. To ensure that these goals are met, the following rules regarding interaction with the Support group will be enforced: 1. If you request that a group or group be created, you will be made the owner of those groups. From that point on, all changes to ownership and membership of the group(s) will be your responsibility. 2. If you currently "own" a project-related group under the old regime (the definition of ownership here is that you have made repeated requests for membership changes in a particular group), you will made the official owner of that group. From that point on, all changes to ownership and membership of the group(s) will be your responsibility. 3. If you are the instructor of a class with existing associated groups, you will be made the owner of such groups. From that point on, all changes to ownership and membership of the group(s) will be your responsibility. These rules may at first glance appear annoyingly different from the previous e-mail request method. However, the added burden on individual users is relatively small and more than compensated for by increased flexibility and reduction in delays and misun- derstandings. 6. Frequently Asked Questions Why can't I directly create and/or delete groups? 1. The number of groups available is finite. The fear is that if many people are allowed to create groups whenever the mood strikes we will exceed the maximum number of numeric group identifiers available; for security reasons these identifiers are not recyled when a group is deleted. 2. It is handy for support personnel to know why a group is created and what its use is. 3. Groups are used for file access protection. Which means that deleting a group requires tidying up the files associ- ated with that group. If you wish to create or delete a group, send a request to sup- port@cs. I added Farnsworth as member of group FOOBAR, but when he/she logs in, he/she is not in that group. What gives? The three most likely reasons for this behavior are: 1. There is a delay (usually about 2-4 hours) between changing membership or login group status and those changes propa- gating to all the Unix machines in the department. This is because it is not worth the trouble to rewrite every Unix application to consult that backend database rather the normal "flat files" or NIS servers. 2. Farnsworth hasn't actually logged out and logged back in again since the change propagated. Process group associa- tions are established only at login time (but cf. chgrpsh above). Note that this restriction also applies if you are trying to remove yourself or someone else from a group. 3. Farnsworth may have too many existing group memeberships for the new group to be added as a default login group. You, as the group owner, have no control over this situa- tion. It is up to Farnsworth to arrange his/her login groups by using one of the GrpAdmin interfaces. I am a member of group FOO and 'chgrpsh +FOO' worked fine. But when I type 'chgrp FOO file' it complains of an invalid group name. +o Changes to group ownerships and memberships are a function of the database only and are effectively instantaneous when using GrpAdmin programs. However, as mentioned above it can take a while for the group files that Unix programs use to propagate. This means that it takes some time for sym- bolic group names to become available. If you run the groups(1) command from your chgrpsh shell you will almost certainly a list of names and a number. That number repre- sents the group FOO. Therefore, use 'chgrp FOO-number file' to change the file group. The group name will catch up with you eventually. I tried to run one of the group management interfaces and it mut- ters something about "no credentials cache found". +o The non-Web interfaces require you to have Kerberos authen- tication credentials. Generally you get these by default when you login directly to a Unix system. But if you rlogin from one machine to another, those credentials will not follow you around by default. In order for that to happen, you must acquire a "forwardable" ticket and use rlogin -f to login to a remote machine. See the standard Kerberos documentation for details.