Primary and Supplementary Group Memberships

Tim Mooney Tim.Mooney at ndsu.edu
Wed Oct 1 18:03:32 UTC 2008


In regard to: Primary and Supplementary Group Memberships, Hearn, Stan J....:

> I'm under the impression that if an account has a primary group it
> doesn't need to be (or shouldn't be) listed in /etc/group as a member.

I just had this conversation with a new sysadmin here.  You are definitely
correct that you do not need to list someone in /etc/group in the case of
their primary group.  You *could*, but you don't need to.

There are also good reasons not to.  Line length in /etc/group being one.
If you have a box with e.g. 10,000 users and most of them have the same
default group, if you explicitly list each account on the line in
/etc/group, you're eventually going to exceed a length limit for the line.
Then, to get around that, you would need to list the same group multiple
times, e.g.

faculty:x:3200:usera,userb,userc,userd,...
faculty:x:3200:user1001,user1002,user1003

etc.

I would expect there will be a slight performance penalty for listing
all your users in /etc/group too.  nscd caching will negate some of that,
but why pay the penalty in the first place, especially for a file that
gets read a LOT?

Linux doesn't have this problem, but at least on some UNIX platforms,
if someone is listed on their primary group line in /etc/group, then
the "groups" command would return a particular group twice -- once
from /etc/passwd and once from /etc/group.

> I have some admins that want to put everyone in the /etc/group file.
> That way you'll have all group memberships in one place.

You're trading one problem for another.  Now you have a group
synchronization issue.  You'll have to take precautions to make certain
that you keep the primary group from /etc/passwd in synch with the
/etc/group file.

>  I have a
> script that will generate a new report based on the /etc/group file with
> supplementary members and primary members from the /etc/passwd file.
> I'm wanting to use that when we need "everything in place" for some
> reason.

What's wrong with the "groups" command or getgroups(3)/getgrouplist(3)?

> I've always been under the impression that populating /etc/group with
> primary members is not desired.

I would certainly agree with that.

> Why does RHEL out of the box, do this with system accounts?

That's a good question.  I don't know.

Tim
-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, IACC Building                             701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
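An added example (not code from Tim's or Stan's messages) of the kind of report script the thread discusses: it merges primary GIDs from passwd with the supplementary lists in group, the way getgrouplist(3) combines both files, and flags the sync problems Tim describes (a user redundantly listed in their own primary group, a primary GID with no group line). It runs on constructed account data embedded inline; on a real box you would pass the contents of /etc/passwd and /etc/group instead.

```python
from collections import defaultdict
# Constructed sample accounts (hypothetical): usera is listed in faculty, her primary
# group (redundant); user9's primary GID 4000 has no group line; userc is unknown.
PASSWD = """root:x:0:0:root:/root:/bin/bash
usera:x:1001:3200:User A:/home/usera:/bin/bash
userb:x:1002:3200:User B:/home/userb:/bin/bash
user9:x:1009:4000:User 9:/home/user9:/bin/bash
"""
GROUP = """root:x:0:
wheel:x:10:usera
faculty:x:3200:usera
faculty:x:3200:userc
staff:x:3300:userb,user9
"""

def parse_passwd(text):
    """Map user name -> primary GID (field 4 of a passwd line)."""
    primary = {}
    for line in filter(None, text.splitlines()):
        name, _, _, gid = line.split(":")[:4]
        primary[name] = int(gid)
    return primary

def parse_group(text):
    """Map GID -> (name, explicit members); repeated lines for one group are merged."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _, gid, members = line.split(":", 3)
        _, explicit = groups.setdefault(int(gid), (name, set()))
        explicit.update(m for m in members.split(",") if m)
    return groups

def membership_report(passwd_text, group_text):
    """Return (memberships, findings): user -> sorted effective group names, and
    (kind, user, group) tuples for each passwd/group sync problem found."""
    primary, groups = parse_passwd(passwd_text), parse_group(group_text)
    members, findings = defaultdict(set), []
    for user, gid in primary.items():
        if gid not in groups:
            findings.append(("missing-primary-group", user, str(gid)))
            continue
        gname, explicit = groups[gid]
        members[user].add(gname)          # primary membership comes from passwd alone
        if user in explicit:
            findings.append(("redundant-primary-listing", user, gname))
    for gname, explicit in groups.values():
        for user in explicit:             # supplementary memberships from group
            if user not in primary:
                findings.append(("unknown-member", user, gname))
            members[user].add(gname)
    return {u: sorted(g) for u, g in members.items()}, sorted(findings)
```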
