System Groups from Users and Groups
I am not sure where this thread goes so I put it here.
I have done a lot of research and keep coming up empty and this includes browsing books at B&N. In both Ubuntu and Fedora there are many System Groups. I am looking for information to get a deep understanding of what happens when I create a user and add them to various specific groups. In Windows this can get quite complicated but there is much documentation on the subject. I cannot seem to find out what rights go along with each group. Also I would like to know how I can exploit groups so they are valuable. Other than adding a user to a group and giving that group read, write, execute permissions that filter down to group members I cannot see what else they are for.

In Windows you can have groups within groups and they can be public or private. Not the case in Linux. In Windows you can also assign privileges to entire groups like the ability to back up the computer or assign and manage printers, etc. For example if there is a group called backup operators then its members can back up files to devices.
Most of the rights of a user are derived from the files he/she can access (in addition to some other configuration files like /etc/sudoers). By files I also mean special devices like those in /dev, which are assigned the same type of permissions as normal files.
===
Unless you have ACL enabled, which is a more complex mechanism, each file has three basic rights (read, write, execute) for each of: owner, group, and others. The owner and the group of the file can be specified separately with the chown command. You can find out what the rights assigned to a file are with "ls -l".
===
This allows a very simple mechanism for assigning rights. For example, on my machine, which is an almost standard Ubuntu, performing ls -l on the /dev/dsp device, which is in charge of sound, produces:

    crw-rw----+ 1 root audio 14, 3 2009-05-05 10:02 dsp

Users who are allowed to use the audio device will be in the audio group (actually this is becoming more complicated because there is another application, pulseaudio, in-between).
===
Another method of granting rights is having "suid" programs. These are programs that, when run, assume the identity of the owner (sometimes root). You can find those using:

    find / -perm -4000

These can be programs like ping, mount or sudo. Of course you need to be able to run these programs (that is, have execute rights as an 'other' user or by membership to a group).
Quote:
Not sure how to interpret all of this: check out the red font color.

    crw-rw----+ 1 root audio 14, 3 2009-05-05 10:02 dsp
Quote:
man setfacl
man getfacl

setuid makes a program run as the owner, regardless of who runs it, i.e. 's' in the user's perms section, e.g.

    rwsrw-rw-

setgid does the same, only with group perms:

    rw-rwsrw-

You can also use

    chmod g+s <dir>

to ensure that any file created by any user in that dir will have the same group id as the dir mentioned.

Loosely related:

    drwxrwxrwt 27 root root 4096 May 6 10:56 tmp

The 't' means that only the owner of a file (in /tmp) can delete it, even though everybody has full access.
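Added example (not part of any post in this thread): a small POSIX shell function that spells out the mode field of the `ls -l` lines quoted above, including the setuid/setgid/sticky letters and the trailing `+` that GNU ls prints when a file carries ACL entries. The function names `describe_triplet` and `decode_mode` are made up for this illustration.

```shell
#!/bin/sh
# Explain the first column of `ls -l`, e.g. crw-rw----+ or drwxrwxrwt.

# Describe one rwx triplet. $1 = who, $2 = the three characters,
# $3 = name of the special bit that can take the place of 'x'.
describe_triplet() {
    _out=""
    case "$2" in r??) _out="$_out read" ;; esac
    case "$2" in ?w?) _out="$_out write" ;; esac
    case "$2" in
        ??x)     _out="$_out execute" ;;
        ??s|??t) _out="$_out execute +$3" ;;       # special bit and execute both set
        ??S|??T) _out="$_out +$3 (no execute)" ;;  # special bit set, execute missing
    esac
    _out=${_out# }
    printf '%s: %s\n' "$1" "${_out:-none}"
}

decode_mode() {
    _mode=$1
    case "$_mode" in
        ??????????|??????????[+.]) ;;  # 10 characters plus an optional GNU ls flag
        *) echo "not an ls -l mode field: $_mode" >&2; return 1 ;;
    esac
    case "$_mode" in
        -*) _type="regular file" ;;
        d*) _type="directory" ;;
        c*) _type="character device" ;;
        b*) _type="block device" ;;
        l*) _type="symbolic link" ;;
        p*) _type="named pipe" ;;
        s*) _type="socket" ;;
        *)  echo "unknown file type in: $_mode" >&2; return 1 ;;
    esac
    echo "type: $_type"
    describe_triplet owner "$(printf '%s' "$_mode" | cut -c2-4)" setuid
    describe_triplet group "$(printf '%s' "$_mode" | cut -c5-7)" setgid
    describe_triplet other "$(printf '%s' "$_mode" | cut -c8-10)" sticky
    case "$_mode" in
        *+) echo "acl: extra ACL entries present (inspect with getfacl)" ;;
    esac
    return 0
}

# Mode fields taken from the thread (the third has a leading '-' added for the file type).
decode_mode 'crw-rw----+'   # /dev/dsp, owner root, group audio
decode_mode 'drwxrwxrwt'    # /tmp
decode_mode '-rwsrw-rw-'    # setuid example
```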