In the GUTL Wiki I found a very useful article explaining the meaning of each group and user on a Debian system (and on GNU/Linux in general).
To give new users a little context: groups allow (among other things) users registered in the system to perform certain tasks according to the group's role. I will explain this in another article 😀
We can see them grouped in the following table:
| Group | Function / Observations |
|---|---|
| root | Superuser: full access to the system. Usually only the root user should belong to this group. |
| adm | System monitoring tasks. Allows using xconsole and reading files in /var/log without having to use su or sudo. Usually for administrators. The group name comes from /var/log, which was originally /usr/adm and later /var/adm. |
| audio | Allows access to audio devices. |
| backup | Allows backing up and restoring files without granting a user root privileges. |
| bin | Present for compatibility with old applications. New applications should not use this group. |
| cdrom | Allows access to an optical drive. |
| daemon | Services that need to write to disk. For security reasons it is preferable that each service has its own group. |
| dialout | Direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc. |
| dip | Allows using tools such as pppd, pon and poff to connect to other systems, using the predefined configuration files in /etc/ppp/peers. The group name stands for "Dialup IP". |
| disk | Raw access to disks. Practically equivalent to the access root has to the disks. A user should not normally belong to this group, or they could do something wrong such as cat /dev/zero > /dev/sda. |
| fax | Allows sending or receiving faxes. |
| floppy | Allows access to a floppy drive. |
| games | Used by some games to save scores. |
| gdm | Used by GDM (GNOME Display Manager). |
| gnats | Used by gnats. |
| haldaemon | Used by the hardware abstraction layer (HAL). |
| halt | Login to shut down the system. |
| irc | Used by IRC services. (A static user is required due to a bug in ircd.) |
| klog | Used by klogd, the kernel log daemon. |
| kmem | For programs that need direct read access to system memory. This group can read /dev/kmem and other similar files. It is practically a BSD relic. |
| list | For managing mailing lists. Some programs of this type also use a user with the same name. |
| lp | Direct access to the parallel port. Traditionally used by printing services. |
| lpadmin | Allows adding, modifying and removing printers in foomatic, cups and possibly other printer databases. |
| mail | Writing to /var/mail. Used by the MTA and MUA. |
| majordomo | Historically used by Majordomo. Not installed on new systems. |
| man | Sometimes used by the man program to write to /var/cache/man. |
| messagebus | Used by the dbus service (dbus-daemon-1). |
| news | Writing to the news directories. Used by news servers and other news programs (NNTP protocol). |
| nogroup | Used by services that do not require ownership of any files. Typically combined with the user nobody. |
| operator | Exists for historical reasons only, to notify logged-in operators. To gain privileges it is preferable to use the sudo utility. |
| plugdev | Allows access to removable devices even if they are not configured in /etc/fstab. Useful for local users who need to insert USB sticks, etc. Used by the pmount program (which always mounts removable devices with the options nodev and nosuid). |
| postfix | Used by the Postfix MTA. |
| postgres | Management of PostgreSQL databases. Usually used only by the postgres user. |
| proxy | For services (usually proxy services) that do not have a dedicated user id and need to own files. Usually used by squid and pdnsd. |
| saned | Added by sane-utils. It seems to be little used. |
| sasl | Allows writing to /etc/sasldb or /etc/sasldb2, which are used for SASL authentication. Usually used for IMAP, POP and SMTP server authentication. |
| scanner | Allows using scanners. |
| shadow | Allows reading /etc/shadow. Used by some programs that need to access this file. |
| shutdown | Login to shut down the system. |
| src | Owner of the source code, including the files under /usr/src. It can be used to give a user the ability to manage source code. |
| ssh | Protects against ptrace attacks. Used by ssh-agent. |
| staff | Allows working in /usr/local, /var/local and /home. Usually for trusted administrators. |
| sudo | Members of this group do not need to enter their password when using sudo. See /usr/share/doc/sudo/OPTIONS. |
| sync | Login to sync the system. Usually used by the sync user (with shell /bin/sync). |
| sys | Present for compatibility reasons. |
| syslog | Used by syslog, the general-purpose system log. |
| tape | Allows access to a tape drive. |
| tty | Used by write and wall to write to other users' ttys. The tty devices and /dev/vcs belong to this group. |
| uucp | Used by the UUCP subsystem. |
| users | Groups new users. See the note at the end of this article. |
| utmp | Allows writing to /var/run/utmp, /var/log/lastlog and similar files. Used by some terminal emulators. |
| video | Allows access to video devices. |
| voice | Voicemail. Useful for systems that use modems as answering machines. |
| wheel | Allows using the su command. Disabled by default (see /etc/pam.d/su for details, as well as Section 9.2.2 of the Debian Reference). |
| www-data | For data written by web servers. The www-data user should not own the web content, or a compromised server could rewrite the website. |
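As an added example (not part of the original article or the GUTL wiki), a small POSIX shell script that reads an /etc/group-style file and reports which of the groups the table describes as root-equivalent or credential-bearing (root, disk, shadow, sudo, wheel, kmem, adm, staff, dialout, src) a given user belongs to; the group file contents, the user names and the choice of "sensitive" groups are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article: audit a user's membership in the groups the
# table above describes as root-equivalent or credential-bearing.
# The list is this example's own choice, taken from the table's descriptions.
SENSITIVE="root disk shadow sudo wheel kmem adm staff dialout src"

# Constructed sample in /etc/group format (name:password:gid:member,member);
# not taken from any real host.
sample_group_file() {
    cat <<'EOF'
root:x:0:
adm:x:4:alice
disk:x:6:bob
cdrom:x:24:alice,bob
sudo:x:27:alice
shadow:x:42:bob
plugdev:x:46:alice,bob
users:x:100:
EOF
}

# Print, one per line, the sensitive groups that list user $1 as a supplementary
# member in group file $2. Primary groups (4th field of /etc/passwd) are not checked.
sensitive_groups_of() {
    user=$1; groupfile=$2
    awk -F: -v user="$user" -v sens="$SENSITIVE" '
        BEGIN { n = split(sens, s, " "); for (i = 1; i <= n; i++) flag[s[i]] = 1 }
        ($1 in flag) {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) if (members[i] == user) print $1
        }' "$groupfile"
}

# Report for one user; returns 1 when a sensitive membership exists so the
# function can gate an account-provisioning script.
audit_user() {
    user=$1; groupfile=$2
    found=$(sensitive_groups_of "$user" "$groupfile")
    if [ -z "$found" ]; then
        echo "$user: no sensitive supplementary groups"
        return 0
    fi
    echo "$user: member of sensitive groups: $(echo "$found" | tr '\n' ' ')"
    return 1
}

tmp=$(mktemp); sample_group_file > "$tmp"
audit_user alice "$tmp" || true   # alice: adm sudo
audit_user bob "$tmp" || true     # bob: disk shadow
rm -f "$tmp"
```

To check a real account, pass /etc/group (or the output of getent group saved to a file) instead of the constructed sample; a user's primary group from /etc/passwd is not covered by this check.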
??? sorry but I'm still uneducated
Can you give me a link where I can learn about such technological issues, please?
I'd better update the post and explain a little about what is going on 😀
Thanks for the information, it is very useful; I already printed it and keep it at hand for consultation.
I am gathering cement to make you a monument… thank you.
Ha, I don't know about a monument, but that's one of the many things I asked myself for a long time and that, for whatever reason, I never took the time to find out. Very useful information.
Thanks Elav 😉
Great, it is worth printing.
A few months ago I was like crazy needing something like that.
Excellent article. Rarely do you read one with such useful information. Thanks a lot.
hello it can be a little machica the above
Hi. I am creating a new user and I need to know if the options I check are correct: adm, cdrom, dip, games, lpadmin, nopasswdlogin, plugdev, sambashare.
What I want is for the user to be able to do everything the administrator does, but without "sudo". Moreover, there is no password, that is, it logs in automatically without entering a password.
Considering that this is the first time I do it, is it okay like this or should I change something?
Thanks in advance!