Figuring Out Group Permissions in Linux
You may be faced with a situation in which you must figure out who has permissions to a file or directory and what those permissions are. This sounds simple enough, but it is not as simple as it may sound. Here is an example. You view the contents of the /var/www directory (/var/www/html in CentOS), where your web site content is found, and you see a directory that looks like this:
drwxr-xr-x 2 www-data fsmith 4096 2008-05-12 05:19 3qw
drwxr-xr-x 2 apache fsmith 4096 2008-05-12 05:19 3qw
The owner is www-data (apache in CentOS). That is not uncommon in the /var/www directory, as www-data is the user that Ubuntu uses for web content. However, the group can present a problem, because the question arises: who is in the group? There is an easy way to determine that. Use cat to view the contents of the group file, which lists the users in each group. A good way to do this is to pipe the output of the cat command into a text search with grep, like so:
cat /etc/group | grep fsmith
The | symbol (pipe) will take the output of one command and use it as input to the second command. With the output you will see that the group fsmith does not list any users after the final “:”. There is only one user in this group, fsmith. If the output looked like this:
cat /etc/group | grep fsmith
fsmith:x:1001:tom,jane,jerry,joan,rudy
Now you know that the group contains five users who have permissions to this file (fsmith, jane, jerry, joan and rudy). The /etc/group file is a file that you can view with:
When you view the output you will see a number of groups that are relevant to permissions.
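An added example, not part of the original article: the grep shown earlier matches any line that contains the text fsmith, and the fourth field of /etc/group lists only supplementary members, while accounts whose primary group is fsmith are recorded by GID in /etc/passwd. The function below lists both kinds of member for an exact group name; group_members is a hypothetical name and the sample files are constructed.

```shell
# group_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints every account in GROUP, one per line:
#   - supplementary members: field 4 of the group file
#   - primary members: accounts whose GID (field 4 of passwd) is the group's GID
group_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    # Match the group name field exactly; grep would also hit substrings
    entry=$(awk -F: -v g="$grp" '$1 == g { print; exit }' "$group_file")
    [ -n "$entry" ] || return 1

    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    {
        printf '%s\n' "$entry" | cut -d: -f4 | tr ',' '\n'
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sed '/^$/d' | sort -u
}

# Constructed sample data (not from a real system)
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
adm:x:4:syslog,fsmith
www-data:x:33:
fsmith:x:1001:
fsmith-dev:x:1002:jane
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
fsmith:x:1001:1001::/home/fsmith:/bin/bash
jane:x:1002:1001::/home/jane:/bin/bash
EOF

echo "grep fsmith (three lines, two of them other groups):"
grep fsmith "$sample_dir/group"
echo "group_members fsmith (jane has fsmith as primary group):"
group_members fsmith "$sample_dir/group" "$sample_dir/passwd"
```

On a real system, call it with just the group name to read /etc/group and /etc/passwd. Accounts that come from LDAP or another NSS source are not in those files.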
The root group is for the root user only. DO NOT add users to this group; it could very well create system failure and will certainly increase security issues.
The following groups, found in Ubuntu but not CentOS, are given by default to the first user created on the system for administrative purposes. In other words, this is the user that is able to use the sudo command, and these groups represent those permissions. The first example of groups represents the permissions to use cdrom, floppy, audio, video and dialout. These are not permissions that you will typically use from a remote connection.
These groups are the administrative groups that allow users to run root commands using sudo. These are the groups that you could edit to add users who would then be able to use sudo.
The adm group has historically been used to allow its members to read log files. Here is an example from /var/log where syslog is readable by the adm group.
-rw-r----- 1 syslog adm 2752 2008-08-14 07:21 syslog
If you run visudo and view the default file, you will see these lines at the bottom, which list the rights of the admin group as capable of running any root commands.
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL