From stan.hearn at nscorp.com Wed Oct 1 16:30:48 2008
From: stan.hearn at nscorp.com (Hearn, Stan J.)
Date: Wed, 01 Oct 2008 12:30:48 -0400
Subject: Primary and Supplementary Group Memberships
In-Reply-To: <59B63035E89DEB4C99AB5ECC9C115BB701E1A17F@USATL01ME253.amer.lendlease.com>
Message-ID:

I'm under the impression that if an account has a primary group it
doesn't need to be (or shouldn't be) listed in /etc/group as a member.

I have some admins that want to put everyone in the /etc/group file.
That way you'll have all group memberships in one place. I have a
script that will generate a new report based on the /etc/group file with
supplementary members and primary members from the /etc/passwd file.
I'm wanting to use that when we need "everything in place" for some
reason.

I've always been under the impression that populating /etc/group with
primary members is not desired.

Why does RHEL out of the box, do this with system accounts? Is it just
to keep things from breaking if someone decides to change the primary
group for a system account?

When you add a new user using the GUI and it creates a new GID, does it
put the user in /etc/group even though it is its primary group?

For example from RHEL 5.2:

/etc/shadow
root:x:0:halt,operator,root,shutdown,sync
bin:x:1:bin,daemon,root
daemon:x:2:bin,daemon,root
adm:x:4:adm,daemon,root
lp:x:7:daemon,lp

/etc/passwd
root:x:0:0:
bin:x:1:1:
daemon:x:2:2:
adm:x:3:4:
lp:x:4:7:

Thanks,
Stan

From Tim.Mooney at ndsu.edu Wed Oct 1 18:03:32 2008
From: Tim.Mooney at ndsu.edu (Tim Mooney)
Date: Wed, 1 Oct 2008 13:03:32 -0500 (CDT)
Subject: Primary and Supplementary Group Memberships
In-Reply-To:
References:
Message-ID:

In regard to: Primary and Supplementary Group Memberships, Hearn, Stan J....:

> I'm under the impression that if an account has a primary group it
> doesn't need to be (or shouldn't be) listed in /etc/group as a member.

I just had this conversation with a new sysadmin here. You are definitely
correct that you do not need to list someone in /etc/group in the case of
their primary group. You *could*, but you don't need to.

There are also good reasons not to. Line length in /etc/group being one.
If you have a box with e.g. 10,000 users and most of them have the same
default group, if you explicitly list each account on the line in
/etc/group, you're eventually going to exceed a length limit for the line.
Then, to get around that, you would need to list the same group multiple
times, e.g.

faculty:x:3200:usera,userb,userc,userd,...
faculty:x:3200:user1001,user1002,user1003

etc.

I would expect there will be a slight performance penalty for listing
all your users in /etc/group too. nscd caching will negate some of that,
but why pay the penalty in the first place, especially for a file that
gets read a LOT?

Linux doesn't have this problem, but at least on some UNIX platforms,
if someone is listed on their primary group line in /etc/group, then
the "groups" command would return a particular group twice -- once
from /etc/passwd and once from /etc/group.

> I have some admins that want to put everyone in the /etc/group file.
> That way you'll have all group memberships in one place.

You're trading one problem for another. Now you have a group
synchronization issue. You'll have to take precautions to make certain
that you keep the primary group from /etc/passwd in synch with the
/etc/group file.

> I have a
> script that will generate a new report based on the /etc/group file with
> supplementary members and primary members from the /etc/passwd file.
> I'm wanting to use that when we need "everything in place" for some
> reason.

What's wrong with the "groups" command or getgroups(3)/getgrouplist(3)?

> I've always been under the impression that populating /etc/group with
> primary members is not desired.

I would certainly agree with that.

> Why does RHEL out of the box, do this with system accounts?

That's a good question. I don't know.

Tim
--
Tim Mooney                              Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure   701-231-1076 (Voice)
Room 242-J6, IACC Building              701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

From stan.hearn at nscorp.com Wed Oct 1 18:20:58 2008
From: stan.hearn at nscorp.com (Hearn, Stan J.)
Date: Wed, 01 Oct 2008 14:20:58 -0400
Subject: Primary and Supplementary Group Memberships
In-Reply-To:
Message-ID:

Tim,

Thank you for your reply.

>> I have a
>> script that will generate a new report based on the /etc/group file with
>> supplementary members and primary members from the /etc/passwd file.
>> I'm wanting to use that when we need "everything in place" for some
>> reason.

>What's wrong with the "groups" command or getgroups(3)/getgrouplist(3)?

groups gives me the group memberships of a user. I want user
memberships per group.

I could not find a command that would give me all members (primary and
supplementary) of a specific group.
Is there one? I couldn't find one, so I wrote my own.

For example.
# members bin
root bin daemon
#

You have given me great ideas that will hopefully allow me to squash
this effort. Also I didn't know that I could have multiple lines in
/etc/group. That's good to know.

I'm finding it hard to defend since Redhat and possibly other distros
populate /etc/group with primary members with system accounts.

Thanks,
Stan

--
redhat-sysadmin-list mailing list
redhat-sysadmin-list at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list

From lists at brimer.org Wed Oct 1 19:12:17 2008
From: lists at brimer.org (Barry Brimer)
Date: Wed, 01 Oct 2008 14:12:17 -0500
Subject: Primary and Supplementary Group Memberships
In-Reply-To:
References:
Message-ID: <1222888337.48e3cb91d177d@mail.toucanhost.com>

Have you tried "getent group groupname"?

From stan.hearn at nscorp.com Wed Oct 1 19:59:20 2008
From: stan.hearn at nscorp.com (Hearn, Stan J.)
Date: Wed, 01 Oct 2008 15:59:20 -0400
Subject: Primary and Supplementary Group Memberships
In-Reply-To: <1222888337.48e3cb91d177d@mail.toucanhost.com>
Message-ID:

Quoting "Barry Brimer"
>Have you tried "getent group groupname"?

No I haven't until now. That's exactly what I need.

I just need an equivalent for Solaris and AIX in our environment or I'll
just use my custom script.

Thanks,
Stan

From Tim.Mooney at ndsu.edu Wed Oct 1 21:50:21 2008
From: Tim.Mooney at ndsu.edu (Tim Mooney)
Date: Wed, 1 Oct 2008 16:50:21 -0500 (CDT)
Subject: Primary and Supplementary Group Memberships
In-Reply-To: <1222888337.48e3cb91d177d@mail.toucanhost.com>
References: <1222888337.48e3cb91d177d@mail.toucanhost.com>
Message-ID:

In regard to: RE: Primary and Supplementary Group Memberships, Barry Brimer...:

> Have you tried "getent group groupname"?

That's a great tip, but it won't do what Stan wants, because it only
essentially outputs the line from /etc/group. It doesn't list anyone
that has their primary group set via /etc/passwd. For example:

04:28 PM obelisk ~$getent group faculty
faculty:x:3200:
04:28 PM obelisk ~$groups
faculty log local sysadmin

I'm not aware of a single command that does what Stan wants. The "members"
command he wrote sounds like the way to go.

Tim
--
Tim Mooney                              Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure   701-231-1076 (Voice)
Room 242-J6, IACC Building              701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

From mark at dfk-systems.com Wed Oct 1 22:22:31 2008
From: mark at dfk-systems.com (Mark Waterhouse)
Date: Wed, 01 Oct 2008 23:22:31 +0100
Subject: Primary and Supplementary Group Memberships
In-Reply-To:
References:
Message-ID: <1222899751.6034.3.camel@laptop>

On Wed, 2008-10-01 at 15:59 -0400, Hearn, Stan J. wrote:
> Quoting "Barry Brimer"
> >Have you tried "getent group groupname"?
>
> No I haven't until now. That's exactly what I need.
>
> I just need an equivalent for Solaris and AIX in our environment or I'll
> just use my custom script.
>

getent is available for Solaris (at least according to
http://www.softpanorama.org/Net/Netutils/solaris_getent.shtml)

Haven't found anything for AIX though I'm afraid.

Mark
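
Added example, not part of the original thread and not Stan's "members" script: a per-group report of the kind the thread asks for, merging members listed in the group file (including a group split across several lines) with accounts whose primary GID points at the group, plus a check for accounts listed redundantly in their own primary group. The function names, the optional file-path arguments and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Stan's "members" script. Reads flat files only, so
# accounts served through NIS/LDAP via nsswitch are not seen.

# group_members GROUP [PASSWD_FILE] [GROUP_FILE]
# All members of GROUP, one per line: names on any group-file line for GROUP
# (a group may be split over several lines) plus every account whose primary
# GID (passwd field 4) is one of GROUP's GIDs.
group_members() {
    awk -F: -v g="$1" '
        pass == 1 && $1 == g {
            gids[$3] = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
        }
        pass == 2 && ($4 in gids) { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' pass=1 "${3:-/etc/group}" pass=2 "${2:-/etc/passwd}" | LC_ALL=C sort
}

# redundant_primary_listings [PASSWD_FILE] [GROUP_FILE]
# "user:group" for each account also named on the line of its own primary
# group: the entries that go stale if the primary GID is changed later.
redundant_primary_listings() {
    awk -F: '
        pass == 1 { primary[$1] = $4; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if ((m[i] in primary) && primary[m[i]] == $3) print m[i] ":" $1
        }
    ' pass=1 "${1:-/etc/passwd}" pass=2 "${2:-/etc/group}" | LC_ALL=C sort -u
}

# Constructed sample files: system accounts listed in their own groups, and a
# "faculty" group split over two lines with one primary-only member (userz).
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
usera:x:5001:3200::/home/usera:/bin/bash
userz:x:5002:3200::/home/userz:/bin/bash
user1001:x:6001:100::/home/user1001:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
adm:x:4:root,adm,daemon
lp:x:7:daemon,lp
users:x:100:
faculty:x:3200:usera,userb
faculty:x:3200:user1001
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_sample_files "$d"
    echo "members of bin:";     group_members bin "$d/passwd" "$d/group"
    echo "members of faculty:"; group_members faculty "$d/passwd" "$d/group"
    echo "listed in their own primary group:"
    redundant_primary_listings "$d/passwd" "$d/group"
    rm -rf "$d"
}
demo
```

In the sample data userz appears in the faculty report only because of the passwd primary GID, which is the case a plain group-file lookup misses.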