Primary and Supplementary Group Memberships

Hearn, Stan J. stan.hearn at nscorp.com
Wed Oct 1 18:20:58 UTC 2008


Tim,

Thank you for your reply.

>> I have a
>> script that will generate a new report based on the /etc/group file with
>> supplementary members and primary members from the /etc/passwd file.
>> I'm wanting to use that when we need "everything in place" for some
>> reason.

>What's wrong with the "groups" command or getgroups(3)/getgrouplist(3)?

groups gives me the group memberships of a user.  I want user
memberships per group.

I could not find a command that would give me all members (primary and
supplementary) of a specific group.
Is there one?  I couldn't find one, so I wrote my own.  

For example.
# members bin
root bin daemon
#

You have given me great ideas that will hopefully allow me to squash
this effort.  Also I didn't know that I could have multiple lines in
/etc/group.  That's good to know.

I'm finding it hard to defend since Redhat and possibly other distros
populate /etc/group with primary members with system accounts.

Thanks,
Stan



-----Original Message-----
From: redhat-sysadmin-list-bounces at redhat.com
[mailto:redhat-sysadmin-list-bounces at redhat.com] On Behalf Of Tim Mooney
Sent: Wednesday, October 01, 2008 2:04 PM
To: redhat-sysadmin-list at redhat.com
Subject: Re: Primary and Supplementary Group Memberships

In regard to: Primary and Supplementary Group Memberships, Hearn, Stan J....:

> I'm under the impression that if an account has a primary group it
> doesn't need to be (or shouldn't be) listed in /etc/group as a member.

I just had this conversation with a new sysadmin here.  You are definitely
correct that you do not need to list someone in /etc/group in the case of
their primary group.  You *could*, but you don't need to.

There are also good reasons not to.  Line length in /etc/group being one.
If you have a box with e.g. 10,000 users and most of them have the same
default group, if you explicitly list each account on the line in
/etc/group, you're eventually going to exceed a length limit for the line.
Then, to get around that, you would need to list the same group multiple
times, e.g.

faculty:x:3200:usera,userb,userc,userd,...
faculty:x:3200:user1001,user1002,user1003

etc.

I would expect there will be a slight performance penalty for listing
all your users in /etc/group too.  nscd caching will negate some of that,
but why pay the penalty in the first place, especially for a file that
gets read a LOT?

Linux doesn't have this problem, but at least on some UNIX platforms,
if someone is listed on their primary group line in /etc/group, then
the "groups" command would return a particular group twice -- once
from /etc/passwd and once from /etc/group.

> I have some admins that want to put everyone in the /etc/group file.
> That way you'll have all group memberships in one place.

You're trading one problem for another.  Now you have a group
synchronization issue.  You'll have to take precautions to make certain
that you keep the primary group from /etc/passwd in synch with the
/etc/group file.

>  I have a
> script that will generate a new report based on the /etc/group file with
> supplementary members and primary members from the /etc/passwd file.
> I'm wanting to use that when we need "everything in place" for some
> reason.

What's wrong with the "groups" command or getgroups(3)/getgrouplist(3)?

> I've always been under the impression that populating /etc/group with
> primary members is not desired.

I would certainly agree with that.

> Why does RHEL out of the box, do this with system accounts?

That's a good question.  I don't know.

Tim
-- 
Tim Mooney
Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, IACC Building                             701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

--
redhat-sysadmin-list mailing list
redhat-sysadmin-list at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list
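
Added example, not part of the original thread and not the script mentioned in it: a per-group membership report that merges repeated /etc/group lines for one group, adds primary members from /etc/passwd, and flags the drift discussed above (users listed on their own primary group's line, and listed names with no passwd entry). The function name `members`, the result keys and the sample data are assumptions made for illustration; it reads flat-file text only, so accounts served by other NSS sources are not seen.

```python
# Constructed sample data in passwd(5)/group(5) format (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
usera:x:5001:3200::/home/usera:/bin/bash
user1001:x:5002:100::/home/user1001:/bin/bash
"""
GROUP = """\
bin:x:1:root,bin,daemon
users:x:100:
faculty:x:3200:usera,userb
faculty:x:3200:user1001
"""

def _fields(text, minimum):
    """Yield the colon-split fields of each non-comment line with enough columns."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if not line.startswith("#") and len(parts) >= minimum:
            yield parts

def members(group, passwd_text=PASSWD, group_text=GROUP):
    """Report primary and supplementary members of one group (hypothetical helper)."""
    gid, listed = None, []
    for name, _pw, g, users in (p[:4] for p in _fields(group_text, 4)):
        if name != group:
            continue
        gid = g  # repeated lines for the same group are merged into one list
        listed += [u for u in users.split(",") if u and u not in listed]
    if gid is None:
        raise KeyError(group)
    primary_of = {p[0]: p[3] for p in _fields(passwd_text, 7)}
    primary = [u for u, g in primary_of.items() if g == gid]
    return {
        "primary": primary,
        "supplementary": listed,
        "all": listed + [u for u in primary if u not in listed],
        # listed in the group file although this is already the primary group
        "redundant": [u for u in listed if primary_of.get(u) == gid],
        # listed in the group file but absent from passwd: stale or remote account
        "unknown": [u for u in listed if u not in primary_of],
    }

if __name__ == "__main__":
    print(" ".join(members("bin")["all"]))
```

To audit a host, pass the contents of its own /etc/passwd and /etc/group as the two text arguments.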



