  1. #1 (Join Date: Nov 2005, Location: IL, Posts: 557)

    UNIX group questions

    I think this is the right group for this question.

    Can one UNIX group be part of another UNIX group?

    How can two UNIX groups have the same id? Why is it allowed and what is the purpose?

    This is on AIX 5.3. I am a UDB DBA, so if I said something wacky, be nice.
    --
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows

    DB2 v9.7.0.6 os 6.1.0.0

  2. #2 (Join Date: Sep 2009, Location: Ontario, Posts: 1,057)
    Ownership of files is based on owner, group, and other.
    Owners are listed in /etc/passwd, and groups are listed in /etc/group.
    Users can be members of more than one group.
    I did a little experimenting, and a file belongs to the first group found that has the group number that is recorded in the inode entry.
    From the man page for group, NIS (Network Information Service) entries can be added by group, so that group1 on machine A can be added as a group on machine B just by adding +group1 to the entry on machine B.

  3. #3 (Join Date: Oct 2002, Location: Baghdad, Iraq, Posts: 697)
    Quote Originally Posted by Cougar8000:
    I think it is a right group for this question.

    Can one UNIX group be part of another UNIX group?
    No. There is no "parent" field in the /etc/group file. See man 5 group, it'll show the fields in your system.

    How can two UNIX groups have the same id? Why is it allowed and what is the purpose?
    The Unices I've used (Solaris, BSD, Linux) don't allow it, but it can probably happen; Unix will let you shoot yourself in the foot and happily reload for you.

    The /etc/group and /etc/passwd files are just a flat file listing all the group and user names and their ids. The thought was you don't want to store the whole name with each file, so you store the id number instead.

    It's a huge design flaw because if I have an account "scooby" on machine A and an account "scooby" on machine B, but they have different IDs, I have to remap all the IDs for these two machines to play nice. This usually happens when, for instance, you're using a network mount, or trying to restore from a tarball or all sorts of ridiculously common situations.

    And, yes, this is a common problem in using any kind of surrogate ID in a distributed database design. Normally, the surrogate ID should be hidden from user APIs. A proper system might have an internal mapping of IDs to names, but only names are exposed to any client systems.

    This is on AIX 5.3. I am a UDB DBA, so if I said something wacky, be nice.
    Don't know about old Aches, but most Unices now have some additional layer of security (like ACLs) bolted on to the traditional users and groups and it all interacts in strange and frightening ways. Any kind of network filesystem will make a pathetic attempt to translate a completely foreign scheme to the local scheme, and that also causes all kinds of problems.

    Most sysadmins I know manage because they don't actually try to understand any of it and just try random crap until it works; that's probably the best way to configure these things.

  4. #4 (Join Date: Nov 2005, Location: IL, Posts: 557)
    Quote Originally Posted by kitaman:
    Ownership of files is based on owner, group, and other.
    Owners are listed in /etc/passwd, and groups are listed in /etc/group.
    Users can be members of more than one group.
    I did a little experimenting, and a file belongs to the first group found that has the group number that is recorded in the inode entry.

    From the man page for group, NIS (Network Information Service) entries can be added by group, so that group1 on machine A can be added as a group on machine B just by adding +group1 to the entry on machine B.
    Thank you. I am aware of how things work that are marked in blue.

    Can group1 on machine A be added to a group2 on the SAME machine? This is precisely what I am looking for.

    Thank you
    --
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows

    DB2 v9.7.0.6 os 6.1.0.0

  5. #5 (Join Date: Nov 2005, Location: IL, Posts: 557)
    Quote Originally Posted by sco08y:
    No. There is no "parent" field in the /etc/group file. See man 5 group, it'll show the fields in your system.
    Are you saying that one group can not be part of another on the same machine?

    Quote Originally Posted by sco08y:
    The Unices I've used (Solaris, BSD, Linux) don't allow it, but it can probably happen; Unix will let you shoot yourself in the foot and happily reload for you.

    The /etc/group and /etc/passwd files are just a flat file listing all the group and user names and their ids. The thought was you don't want to store the whole name with each file, so you store the id number instead.

    It's a huge design flaw because if I have an account "scooby" on machine A and an account "scooby" on machine B, but they have different IDs, I have to remap all the IDs for these two machines to play nice. This usually happens when, for instance, you're using a network mount, or trying to restore from a tarball or all sorts of ridiculously common situations.

    And, yes, this is a common problem in using any kind of surrogate ID in a distributed database design. Normally, the surrogate ID should be hidden from user APIs. A proper system might have an internal mapping of IDs to names, but only names are exposed to any client systems.
    Don't know about old Aches, but most Unices now have some additional layer of security (like ACLs) bolted on to the traditional users and groups and it all interacts in strange and frightening ways. Any kind of network filesystem will make a pathetic attempt to translate a completely foreign scheme to the local scheme, and that also causes all kinds of problems.

    Most sysadmins I know manage because they don't actually try to understand any of it and just try random crap until it works; that's probably the best way to configure these things.
    I totally agree that a PARTICULAR user MUST have the same uid assigned to his/her id on a different machine. The same should be done for UNIX groups.

    I have had a bad experience with uids not being the same on a different machine. We had a new UNIX admin who decided not to keep them in line.

    What I have never seen and could not imagine is two UNIX groups having the same uid on the same machine. I see that you are saying it can be done; I am not seeing the reason behind it, nor frankly care to, as I think it is a bad idea.

    What I am looking for is

    Can group1 on machine A be added to a group2 on the SAME machine?

    Thank you
    --
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows

    DB2 v9.7.0.6 os 6.1.0.0

  6. #6 (Join Date: Nov 2005, Location: IL, Posts: 557)
    I guess I should explain the reasoning behind it.

    Let's assume that we have 10 UNIX groups with 1000 users in each one. On the database we have a new schema (a combination of tables) that needs access granted to it. Access should only be granted to UNIX groups and not to individual ids.

    Considering that the users who need access are spread across multiple groups, instead of granting access to each group I was wondering if a new group can be created that will hold the other two UNIX groups. This new group would then get the correct access on the DB.

    Thank you
    --
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows

    DB2 v9.7.0.6 os 6.1.0.0

  7. #7 (Join Date: Oct 2002, Location: Baghdad, Iraq, Posts: 697)
    Quote Originally Posted by Cougar8000:
    Are you saying that one group can not be part of another on the same machine?
    A user may be in any number of groups, so group A could have Amy, Bob, Chrissy and David, and B could have Bob and Chrissy. But there's no way to say that group A is defined as group B plus these people. In other words, a group is simply a list of users and doesn't know anything about any other groups.

    What I have never seen and could not imagine is two UNIX groups having the same uid on the same machine. I see that you are saying it can be done; I am not seeing the reason behind it, nor frankly care to, as I think it is a bad idea.
    A few points: groups have a gid, which is different from a uid. If a user's uid and a group's gid happen to be the same, I don't think that matters. Second, you can write the same gid twice in a /etc/group file, but I don't know if your system will boot normally. (If this happened, you'd probably have to boot into single-user mode and correct the file.) All I'm really saying is that the /etc/group file is a flat file and POSIX compliance is a pretty fuzzy thing.

    What I am looking for is

    Can group1 on machine A be added to a group2 on the SAME machine?

    Thank you
    You can't add groups. You can add all the users in group1 to all the users in group2. If you later update group1, you'll have to update group2.

    If you want subgroups, see if your OS supports Access Control Lists.
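    As an added example that is not from the thread (it writes a constructed /etc/group sample to a temp file instead of touching the real one; the group names, gids and users are made up), this shell script shows what sco08y's answer means in practice: a group line is a flat member list, a lookup by gid returns the first line that matches so a duplicated gid silently hides the later group, and the only way to "nest" groups is to copy the union of their members into a new group line that must be regenerated whenever either source group changes.

```shell
#!/bin/sh
# Constructed /etc/group sample (not a real system file). AIX keeps "!" in
# the password field. gid 202 is deliberately duplicated on ops and oldops.
GROUP_FILE="${GROUP_FILE:-$(mktemp)}"
cat > "$GROUP_FILE" <<'EOF'
system:!:0:root
staff:!:1:amy,bob
dev:!:201:amy,bob,chrissy
ops:!:202:bob,chrissy,david
oldops:!:202:eve
EOF

# Members of one group exactly as recorded in the flat file (field 4).
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4; exit }' "$GROUP_FILE"
}

# Name a gid resolves to: the first matching line wins, which is what
# ls -l and friends show, so "oldops" is unreachable by gid here.
gid_to_name() {
    awk -F: -v id="$1" '$3 == id { print $1; exit }' "$GROUP_FILE"
}

# Audit check: gids that occur on more than one line.
duplicate_gids() {
    cut -d: -f3 "$GROUP_FILE" | sort | uniq -d | tr '\n' ' ' | sed 's/ $//'
}

# Build a new group line whose member list is the union of two groups.
# There is no "parent" field, so membership is copied, not referenced:
# if dev or ops changes later, this line has to be regenerated.
merged_group() {
    name=$1; gid=$2; g1=$3; g2=$4
    members=$( { group_members "$g1"; group_members "$g2"; } \
               | tr ',' '\n' | grep -v '^$' | sort -u | paste -sd, - )
    printf '%s:!:%s:%s\n' "$name" "$gid" "$members"
}

merged_group dbapp 5000 dev ops
duplicate_gids
gid_to_name 202
```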

  8. #8 (Join Date: Nov 2005, Location: IL, Posts: 557)
    Thank you
    --
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows

    DB2 v9.7.0.6 os 6.1.0.0
