In the GUTL Wiki I have found a very useful article where the meaning of each group and user in the system is explained to Debian (y GNU / Linux usually).
To give new users a little understanding of this, groups allow (among other things) that users registered in the system, can perform certain tasks according to the group's role. I will explain this in another article 😀
We can see them grouped in the following table:
| Group | Function / Observations |
|---|---|
| root | Superuser: full access to the system. Usually only the user root it should belong to this group. |
| adm | System task monitoring. Lets use xconsole and read files from /var/log without having to use the commands su o sudo. Usually for administrators. The name of the group comes from /var/log initially it was /usr/adm and subsequently /var/adm |
| audio | Allows access to audio devices. |
| backup | Allow saving and restoring without granting a user root permissions. |
| bin | Present for reasons of compatibility with outdated applications. New applications should not use this group. |
| CD-ROM | Allows access to an optical drive. |
| daemon | Services that need to write to disk. For security reasons, it is preferable that each service has its own group. |
| dial out | Direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc. |
| dip | Allows you to use tools like pppd, pon y poff to make connections to other systems, using the predefined configuration files in the directory /etc/ppp/peers. The group name means "Dialup IP". |
| Disks | Log in direct to discs. Practically equivalent to the access you have root on the discs. A user should not normally belong to this group, or they could do something wrong like cat /dev/zero > /dev/sda. |
| fax | Allows you to send or receive faxes. |
| floppy | Allows access to a floppy drive. |
| games | Used by some games to save scores. |
| gdm | Used by GDM (Gnome Display Manager). |
| gnats | Used by gnats. |
| haldaemon | Used by the hardware abstraction layer. |
| halt | Login to shut down the system. |
| irc | Used by services IRC. (A static user is required due to a bug in ircd) |
| log | Used by klogd, the kernel log. |
| km em | For programs that need direct read access to the system memory. This group can read /dev/kmem and other similar files. It is practically a relic of BSD. |
| list | For managing mailing lists. Some programs of this type also use a user with the same name. |
| lp | Direct access to the parallel port. This group is traditionally used by printing services. |
| lpadmin | Allows you to add, modify, and remove printers from foomatic, cups, and possibly other printer databases. |
Writing in /var/mail. Used by the MTA and MUA. |
|
| majordomo | Historically used by Majordomo. It does not install on new systems. |
| Mon | Sometimes used by the program man to write in /var/cache/man. |
| message bus | Used by the dbus service (dbus-daemon-l) |
| News | Writing in the news folders. Used by services and other news programs (nntp protocol). |
| nogroup | Used by services that do not require ownership of any files. Typically combined with the user nobody. |
| operator | Existing for historical reasons only to notify logged-in operators. To increase privileges it is preferable to use the sudo utility. |
| plugdev | Allows access to removable devices even if they are not configured in /etc/fstab. Useful for local users who need to insert USB sticks, etc. Used by the pmount program (which always mounts removable devices with options nodev y nosuid). |
| postfix | Used by the MTA Postfix. |
| postgres | Management of PosgreSQL databases. Usually only used by the user postgres |
| proxy | For services (usually proxy services) that do not have dedicated user ids and need to own files. Usually used by squid y pdnsd. |
| heal | Added by sane-utils. It seems to be little used. |
| sass | Allows writing in /etc/sasldb I /etc/sasldb2, which are used for sasl authentication. Usually used for server authentication IMAP, POP, and SMTP. |
| scanner | Allows you to use scanners. |
| shadow | Allows reading of /etc/shadow. Used by some programs that need to access this file. |
| shutdown | Login to shut down the system. |
| src | Owner of the source code, including the files of /usr/src. It can be used to provide a user with the ability to manage source code. |
| ssh | To prevent attacks from ptrace. Used by ssh-agent. |
| staff | Lets work on /usr/local, /var/local y /home. Usually for trusted administrators. |
| sudo | Members of this group do not need to enter their passwords when using sudo. See /usr/share/doc/sudo/OPTIONS. |
| sync | Login to sync the system. Usually used by user sync (with shell /bin/sync) |
| sys | Present for compatibility reasons. |
| syslog | Used by syslog, the general purpose blog. |
| tape | Allows access to a tape drive. |
| tty | Used by write y wall to write to the tty of other users. The devices tty y /dev/vcs belong to this group. |
| uucp | Used by the UUCP subsystem. |
| users | To group new users. See the note at the end of this article. |
| utmp | Lets write to /var/run/utmp, /var/log/lastlog, and similar files. Used by some terminal emulators. |
| video lesson | Allows access to video devices. |
| Voice | Voicemail. Useful for systems that use modems as answering machines. |
| wheel | Lets use the command su. Disabled by default (see /etc/pam.d/su for more details, as well as Section 9.2.2 in the Debian reference). |
| www data | For writing data by web servers. The user www-data it shouldn't be him owner of web content, or a compromised server would allow a website to be rewritten. |
??? sorry but I'm still uneducated
Can you give me a link where I can learn about such technological issues, please?
I better update the post and explain a little about what is going on 😀
Thanks for the information it is very useful, I already printed it and put it by hand for consultation.
I am gathering cement to make you a monument… thank you.
Ha, I don't know if it's for a monument, but that's one of the many things I asked myself for a long time and that for x reasons I never took the time to find out, very useful information.
Thanks Elav 😉
Great, it is like to print.
A few months ago I was like crazy needing something like that.
Excellent article. Rarely do you read one with such useful information. Thanks a lot.
hello it can be a little machica the above
Hi. I am creating a new user and I need to know if the options I check are correct: adm, cdrom, dip, games, lpadmin, nopasswdlogin, plugdev, sambashare.
What I want is that the user can do everything the administrator does but without "sudo". Moreover, there is no password, that is, it enters automatically without putting a password.
Considering that this is the first time I do it, is it okay like this or do I change something?
Thanks in advance!