The purpose of User Private Groups

Oct. 3, 2019

Before you can understand User Private Groups, you need to understand their purpose. Lets examine a common problem with the following requirements

  • Any files created must be editable by all in a group.
  • We don't want the above to be the default (only a file owners should be able to edit unless in a particular directory).

Effectively this means "we want to have group editing possible only in some places".

If only the owner can edit the file, then the owner's primary group can not have write permissions since we don't want other members of their group to be able to write to the file. I.e. mode 644 (rw-r--r--) is required. We can control a newly created file's mode of a file by setting the umask. umask mask the starting permissions of directories or files ultimately letting you decide the mode of a file. Here is an example for creating mode 644.

Remember the values in binary are 128 64 32 16 8 4 2 1 for each digit of a byte. So here, 6 is actually 110 or 4 + 2 + 0. Another example, 101 would be 4 + 0 + 1 = 5.

User Group Other Description
110 110 110 starting file mode 666 in binary
111 101 101 755 in binary (777 - 022 mask)
--- --- ---
110 100 100 actual file permissions

Putting 110 100 100 together we have mode 644 on the file created. For more information, this stack link does a great job explaining umask.

As a recap, consider this example

nick@ubuntu-xenial:~$ umask
nick@ubuntu-xenial:~$ touch file_0002_umask
nick@ubuntu-xenial:~$ umask 0022
nick@ubuntu-xenial:~$ touch file_0022_umask
nick@ubuntu-xenial:~$ ls -l
total 0
-rw-rw-r-- 1 nick nick 0 Oct  3 13:58 file_0002_umask  # 664 - 002 umask
-rw-r--r-- 1 nick nick 0 Oct  3 13:59 file_0022_umask  # 644 - 022 umask

In other words, since all files when created have 666 permissions prior to being masked, they must have a umask set to 022 in order to be created with 644.

However, in some directories (e.g. /var/www/html for apache2) we want to be able to have group write access. As a result, we need the mode to be 664 for that so that when files are created, they are editable by the group owner of the file. Since all files when created have 666 permissions, the umask must be set to 002 in order for new files to be created with mode 664.

So - we set the umask 0002, but then have another problem. Every file the user creates on the system will now have 664 permissions. This means that whoever is part of a user's primary group will also be able to modify the file. The solution to this problem, as it turns out, is to make a unique group for every user! And so we enter the world of UPGs. That way even if a file has 664 permissions, since only they are part of the group which is the group owner of the file, the issue is moot.

But again, how does this help us make write shareable directories? Since the group of the file is the UPG of the user that created it, then no one else can edit it still. By default when a file is created, the group owner of the file is the primary group; however, it is possible to have the group owner set to be inherited from the directory the file is contained in. Files can inherit the group owner from the directory they are created in if the SGID bit is set. So if a user creates a file in a directory where the group owner is set to developers and the SGID bit is set, then the group owner of the new file will also be developers. What's more, since the umask is set to 0002, groups will be able to write to the files as well without any additional configuration.

So, a User Private Group (UPG) is a group created for each system user specifically for that user. It has the same name as the user, and the only member of this group is the user itself. Consider the following example where in an Ubuntu server I create a file

nick@ubuntu-xenial:~$ pwd
nick@ubuntu-xenial:~$ touch file
nick@ubuntu-xenial:~$ ls -l file 
-rw-rw-r-- 1 nick nick 0 Oct  3 09:17 file

Notice that the user and group are both nick. This file has a group name that is the same as the user which is generated automatically. This is a User Private Group.

šŸ‘‡ Reiterating what was said above...

In other words, by default a file will have the owner nick and group nick, but if we want the group to be something else, say developers, then we can assign a particular directory to that group and set the SGID bit. When any files are created in that directory, they will belong to the developers group, not the user's UPG that created the file. Since the umask is still 002, this means that any other users in the developers group will also be able to modify the file as it has permissions -rw-rw-r--.


Here is a practical example where I have two engineers (david and nick) both part of the developers group. I want nick and david to be able to create and edit all files (created by them, or another user) under the /var/pine directory.

setup users and groups

vagrant@ubuntu-xenial:/home$ sudo adduser nick
vagrant@ubuntu-xenial:/home$ sudo adduser david
vagrant@ubuntu-xenial:/home$ sudo addgroup developers
Adding group `developers' (GID 1004) ...
vagrant@ubuntu-xenial:/home$ sudo adduser nick developers
Adding user `nick' to group `developers' ...
Adding user nick to group developers
vagrant@ubuntu-xenial:/home$ sudo adduser david developers
Adding user `david' to group `developers' ...
Adding user david to group developers

setup file structure

# create directory
root@ubuntu-xenial:/var# mkdir pine
root@ubuntu-xenial:/# ls -dl /var/pine/
drwxr-xr-x 2 root root 4096 Oct  2 17:28 /var/pine/

# change group
root@ubuntu-xenial:/var# chown root:developers pine/
root@ubuntu-xenial:/var# ls -ld pine/
drwxr-xr-x 2 root developers 4096 Oct  2 17:31 pine/

# change mode and SGID (Set Group ID on execution)
root@ubuntu-xenial:/var# chmod 2775 pine/
root@ubuntu-xenial:/var# ls -ld pine/
drwxrwsr-x 2 root developers 4096 Oct  2 17:31 pine/

Notice the ā€œsā€ instead of a ā€œxā€ for the group here šŸ‘‰ drwxrwsr-x in the line above for the group. This is a way of verifying that SGID has been set. Now, when files are created under the pine/ directory, they will have the same group as the pine/ directory.

nick@ubuntu-xenial:/var/pine$ touch nick.txt
nick@ubuntu-xenial:/var/pine$ ls -l
total 0
-rw-rw-r-- 1 nick developers 0 Oct  2 17:36 nick.txt

Since the permissions are 664, members of the groups can modify any files by default, and the sysadmin can sleep soundly at night.

Comment Enter a new comment: