The purpose of User Private Groups
Oct. 3, 2019
Before you can understand User Private Groups, you need to understand their purpose. Let's examine a common problem with the following requirements:
- Any files created must be editable by all in a group.
- We don't want the above to be the default (only a file's owner should be able to edit it, unless the file is in a particular directory).
Effectively this means "we want to have group editing possible only in some places".
If only the owner can edit the file, then the owner's primary group cannot have write permission, since we don't want other members of their group to be able to write to the file; i.e. mode 644 (rw-r--r--) is required. We can control a newly created file's mode by setting the umask. The umask masks the starting permissions of new directories or files, ultimately letting you decide the mode of a file. Here is an example for creating mode 644 with umask 022.
Remember the bit values are 128 64 32 16 8 4 2 1 for each digit of a byte; a permission digit only uses the low three bits, 4 2 1. So here, 6 (110) is actually 4 + 2 + 0. Another example, 101 would be 4 + 0 + 1 = 5.

| owner | group | other | |
|---|---|---|---|
| 110 | 110 | 110 | starting file mode (666) |
| 000 | 010 | 010 | umask (022): a 1 bit in the mask clears that permission |
| 110 | 100 | 100 | actual file permissions |

Reading 110 100 100 back as octal digits, together we have mode 644 on the file created. For more information, this stack link does a great job of explaining it.
As a recap, consider this example:

```
nick@ubuntu-xenial:~$ umask 0002
nick@ubuntu-xenial:~$ touch file_0002_umask
nick@ubuntu-xenial:~$ umask 0022
nick@ubuntu-xenial:~$ touch file_0022_umask
nick@ubuntu-xenial:~$ ls -l
total 0
-rw-rw-r-- 1 nick nick 0 Oct 3 13:58 file_0002_umask # 664 - 002 umask
-rw-r--r-- 1 nick nick 0 Oct 3 13:59 file_0022_umask # 644 - 022 umask
```
In other words, since all files when created have 666 permissions prior to being masked, they must have a umask set to 022 in order to be created with 644.
However, in some directories (e.g. /var/www/html for apache2) we want to have group write access. As a result, we need the mode to be 664 so that when files are created, they are editable by the group owner of the file. Since all files when created have 666 permissions, the umask must be set to 002 in order for new files to be created with mode 664.
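The two umask cases above (022 for private 644 files, 002 for group-editable 664 files) can be verified on any Linux box. The following shell script is an added example and not part of the original post: it predicts the resulting mode with the same bit arithmetic as the table (base mode AND NOT umask) and then creates a real file and directory under that umask in a temporary directory to confirm that the kernel agrees. It assumes GNU coreutils (`stat -c`) and a filesystem without default ACLs, which would change the result.

```shell
#!/bin/sh
# Added example (not from the original post). Predict and verify the mode a new
# file or directory receives under a given umask.
# Assumes GNU coreutils (stat -c) and no default ACLs on the temporary directory.

# Arithmetic form of the table in the post: base mode AND NOT umask.
# Files start from 666 and directories from 777 (octal); the umask may be given
# with or without a leading zero (022 or 0022).
mode_after_umask() {
    base=$1
    mask=$2
    printf '%03o\n' $(( 0$base & ~0$mask ))
}

# Ground truth: create a file and a directory under the given umask and read
# their modes back from the filesystem. Prints two lines: file mode, directory mode.
observed_modes() {
    mask=$1
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        umask "$mask"
        : > probe_file          # like touch: requests 666, the umask removes bits
        mkdir probe_dir         # mkdir requests 777
        stat -c '%a' probe_file probe_dir
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Compare prediction with observation for one umask; returns non-zero on mismatch.
check_umask() {
    mask=$1
    expected_file=$(mode_after_umask 666 "$mask") || return 1
    expected_dir=$(mode_after_umask 777 "$mask") || return 1
    set -- $(observed_modes "$mask")      # $1 = file mode, $2 = directory mode
    [ -n "$2" ] || return 1
    if [ "$1" = "$expected_file" ] && [ "$2" = "$expected_dir" ]; then
        printf 'umask %s: new file %s, new directory %s (as predicted)\n' "$mask" "$1" "$2"
        return 0
    fi
    printf 'umask %s: predicted %s/%s, observed %s/%s\n' \
        "$mask" "$expected_file" "$expected_dir" "$1" "$2" >&2
    return 1
}

# The two cases from the post: 0022 gives 644/755, 0002 gives 664/775.
check_umask 0022
check_umask 0002
```

Running it prints one line per umask; a mismatch (for instance a default ACL on the temporary directory overriding the umask) is reported on stderr with a non-zero exit status, which makes the script usable as a quick sanity check of a login environment.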
So we set umask 0002, but then have another problem. Every file the user creates on the system will now have 664 permissions. This means that whoever is part of a user's primary group will also be able to modify the file. The solution to this problem, as it turns out, is to make a unique group for every user! And so we enter the world of UPGs. That way, even if a file has 664 permissions, the issue is moot, since the user is the only member of the group that owns the file.
But again, how does this help us make write-shareable directories? Since the group of the file is the UPG of the user that created it, still no one else can edit it. By default when a file is created, its group owner is the creating user's primary group; however, it is possible to have the group owner inherited from the directory the file is created in. Files inherit the group owner of their directory if the SGID bit is set on that directory. So if a user creates a file in a directory whose group owner is developers and which has the SGID bit set, then the group owner of the new file will also be developers. What's more, since the umask is set to 0002, group members will be able to write to the files as well without any additional configuration.
So, a User Private Group (UPG) is a group created for each system user specifically for that user. It has the same name as the user, and the only member of this group is the user itself. Consider the following example where on an Ubuntu server I create a file:

```
nick@ubuntu-xenial:~$ pwd
/home/nick
nick@ubuntu-xenial:~$ touch file
nick@ubuntu-xenial:~$ ls -l file
-rw-rw-r-- 1 nick nick 0 Oct 3 09:17 file
```
Notice that the user and group are both nick. The file's group has the same name as the user, and that group was generated automatically. This is a User Private Group.
👇 Reiterating what was said above...
In other words, by default a file will have the owner nick and group nick, but if we want the group to be something else, say developers, then we can assign a particular directory to that group and set the SGID bit. Any files created in that directory will belong to the developers group, not to the UPG of the user that created the file. Since the umask is still 002, this means that any other users in the developers group will also be able to modify the file, as it has permissions 664.
Here is a practical example where I have two engineers (nick and david), both part of the developers group. I want david to be able to create and edit all files (created by them, or by another user) under the /var/pine directory.
setup users and groups

```
vagrant@ubuntu-xenial:/home$ sudo adduser nick
vagrant@ubuntu-xenial:/home$ sudo adduser david
vagrant@ubuntu-xenial:/home$ sudo addgroup developers
Adding group `developers' (GID 1004) ...
Done.
vagrant@ubuntu-xenial:/home$ sudo adduser nick developers
Adding user `nick' to group `developers' ...
Adding user nick to group developers
Done.
vagrant@ubuntu-xenial:/home$ sudo adduser david developers
Adding user `david' to group `developers' ...
Adding user david to group developers
Done.
```
setup file structure

```
# create directory
root@ubuntu-xenial:/var# mkdir pine
root@ubuntu-xenial:/# ls -dl /var/pine/
drwxr-xr-x 2 root root 4096 Oct 2 17:28 /var/pine/
# change group
root@ubuntu-xenial:/var# chown root:developers pine/
root@ubuntu-xenial:/var# ls -ld pine/
drwxr-xr-x 2 root developers 4096 Oct 2 17:31 pine/
# change mode and SGID (Set Group ID on execution)
root@ubuntu-xenial:/var# chmod 2775 pine/
root@ubuntu-xenial:/var# ls -ld pine/
drwxrwsr-x 2 root developers 4096 Oct 2 17:31 pine/
```
Notice the “s” instead of an “x” for the group here 👉 drwxrwsr-x in the line above. This is a way of verifying that SGID has been set. Now, when files are created under the pine/ directory, they will have the same group as the directory:

```
nick@ubuntu-xenial:/var/pine$ touch nick.txt
nick@ubuntu-xenial:/var/pine$ ls -l
total 0
-rw-rw-r-- 1 nick developers 0 Oct 2 17:36 nick.txt
```
Since the permissions are 664, members of the group can modify any of the files by default, and the sysadmin can sleep soundly at night.
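The following shell script is an added example, not part of the original post. It wraps the setup above into a reusable function (mode 2775 on a directory owned by the shared group) and adds the audit a sysadmin would want before relying on it: a check that an existing directory has the SGID bit and group write permission, followed by a throwaway file created under umask 002 to confirm that new files really land in the directory's group with mode 664. The demonstration uses the caller's own primary group (`id -gn`) as a stand-in for developers, because `chown root:developers` needs root and membership in that group; GNU coreutils (`stat -c`) and the absence of default ACLs are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): create and audit a group-shared
# directory of the kind the post builds with chown root:developers + chmod 2775.
# Assumes GNU coreutils (stat -c) and no default ACLs on the directory.

# Create DIR ($1), give it to GROUP ($2) and set mode 2775 (rwxrwsr-x).
make_shared_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1      # needs membership in GROUP, or root
    chmod 2775 "$1" || return 1      # 2 = SGID, 775 = rwx for owner and group
}

# Audit DIR. Returns 0 if every check passes, 1 otherwise; failures go to stderr.
check_shared_dir() {
    dir=$1
    status=0
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }

    # 1. SGID bit: without it, new files get the creator's primary group (their UPG).
    if [ ! -g "$dir" ]; then
        echo "$dir: SGID bit not set" >&2
        status=1
    fi

    # 2. The group needs write (to create files) and execute/search. In ls output
    #    an 's' replaces the group 'x' when SGID is set, so accept either letter.
    perms=$(stat -c '%A' "$dir") || return 1
    case $perms in
        d????w[sx]*) ;;
        *) echo "$dir: group lacks write+execute ($perms)" >&2; status=1 ;;
    esac

    # 3. Behavioural probe: a file created under umask 002 must inherit the
    #    directory's group and come out as 664, exactly as nick.txt did above.
    probe="$dir/.probe.$$"
    ( umask 002; : > "$probe" ) || return 1
    dir_group=$(stat -c '%G' "$dir")
    file_group=$(stat -c '%G' "$probe")
    file_mode=$(stat -c '%a' "$probe")
    rm -f "$probe"
    if [ "$file_group" != "$dir_group" ]; then
        echo "$dir: new file got group $file_group, expected $dir_group" >&2
        status=1
    fi
    if [ "$file_mode" != "664" ]; then
        echo "$dir: new file got mode $file_mode, expected 664" >&2
        status=1
    fi
    return $status
}

# Demonstration in a temporary tree. The caller's primary group stands in for
# 'developers' (assumption: chgrp to a group you are not a member of would fail).
demo() {
    base=$(mktemp -d) || return 1
    make_shared_dir "$base/pine" "$(id -gn)"
    mkdir "$base/plain" && chmod 0755 "$base/plain"
    for d in "$base/pine" "$base/plain"; do
        if check_shared_dir "$d"; then
            echo "$d: OK ($(stat -c '%A' "$d"))"
        else
            echo "$d: NOT a usable shared directory"
        fi
    done
    rm -rf "$base"
}
demo
```

The probe only covers files created in place: a file moved into the directory with mv keeps the group and mode it already had, and setting SGID does not touch existing files, so retrofitting an existing tree still needs a one-off `chgrp -R` and `chmod -R g+w`. The 664 result also depends on each member's login shell actually running with umask 002, which the check exercises by setting it explicitly in a subshell.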