UNIX Groups

Contents

About UNIX Groups

Unix groups can be used to share files with a small number of University of Delaware users. Each user on the central machines is associated with a list containing at least one group, and each file or directory on the central Unix machines is associated with one group. This is usually referred to as group membership and group ownerships, respectively. That is, users are in groups and files are owned by a group.

Users do not need to do anything to be in a group - this is all managed for them. All users with an email account are in group 4000. Most students, registered for class, are in a group created specifically for their class section. Researchers using Strauss for computing work are in a group created for their computing projects. Here at the University of Delaware we also use Unix groups for accounting purposes, and that is why the group names are usually four digit account project codes. Each accounting project has a project director who is responsible for adding or removing members from the group. The project director is an instructor for a class project, a principle investigator for a sponsored project, or the university staff member originally requesting the project. Maintaining the members of projects is done through the email account - access@udel.edu.

Managing group ownership of files and directories requires some action by the user. All files or directories are owned by the user creating them. In addition to being owned by a user, each file or directory is owned by a group. It is important to have group ownership correct, if you ever want to share files with your group. Group ownership does not imply group access, you must set the file access permissions so your group can use the files. Permissions can be set to restrict the type of access that group members have to your directories and files. You can use different Unix groups to share files with separate sets of users.

Unix Group Membership

Users are organized into groups, every users is in at least one group, and may be in other groups. Group membership gives you special access to files and directories which are permitted to that group.

Every user is in a primary group and may be in several secondary groups. The user is said to be in a group if the group name is in their list of groups. You do not have to be logged on to be in a group. When you are logged on you are assigned a group which is called your current group. This is also termed "being in a group", but it is better to say "your shell is assigned to the group". When you first log on, you are assigned your primary group, which is also called your default group. You can change your current group, i.e., start a shell with a secondary group as the current group, with the newgrp command. You can change your primary group, i.e., set a default group for your next login, from the  UD&Me network web page. You can see your group list or the group list of any user with the groups command. For example 

strauss<1>% groups dnairn anita
dnairn : 1864 0123 0191 0217 0361 0363 0379 0380 0400 0583 4000
anita : 1864 0123 0388 0400 0583 4000
lists all the groups for dnairn and anita, the first group is the primary group, the remaining groups are in alphabetic order. If you just type groups you will get your groups.

Note: Currently the Unix systems are configured to only allow 16 total groups in this group list. If you see exactly 16 projects in your list then you may be in project, but not in the Unix group for that project.

Group ownership of Files and Directories

Every file and directory has a username and a groupname associated with it. We say the username is the owner and the groupname owns the file or directory. A directory is a collection of files and possibly other sub-directories. There are commands for managing group ownership for both directories and files. In the example commands given in this document we use filename to indicate the name of a file, but in most cases you can use the same command with the name of a directory.

The long format of the listing command gives the permission modes, the owner and the group for both files and directories. Use the ls -dl filename command to get a one-line listing of a single file or directory. The command ll (or ls -l ) will list all the files and directories in your current directory. The ones beginning with a "d" are directories.

When a file or directory is first created it takes as its group the current group of your shell. This is the default group for all login shells, but you can start another shell with any group with the command newgrp project. If you are going to create files for a secondary group then it easier to create all these files from a shell started with the newgrp command.

If you want to change the group associated with a file or directory which already exists use the command chgrp project filename. You must be the owner of the file filename and you must be a member of the group project to make the change. If the long listing shows a file which is not owned by the proper group you must contact the owner of the file and get them to change the group.

In many cases the group ownership does not matter, but if you want to share a file with a group, then it is important that you get the ownership correct. Otherwise you may be inviting all users to put their large files in your directory.

Group permissions of Files and Directories

Just setting up a file to be owned by a group does not give your group any access to the file. Granting and limiting access is done by setting permission modes. You can see the permission modes as a set of 10 letters or dashes in the long listing of a file or directory using the ls -dl command. The -dl option on the ls command will list the information for the directory or file in long format. Without the "d" all the files in the directory would be listed instead of just the directory you asked for. For example to get a long listing for a directory with the name kneeland 
<2>% ls -dl kneeland
drwxr-x---   3 dnairn   0217         512 Aug 14 15:14 kneeland
The first string of characters are the mode, the following number is a count, the user name is the owner and the 4 digit account code is the group.
mode: drwxr-x---
Begins with a "d" so it is a directory, The owner, dnairn, has permission modes rwx which is full access. Any other user in group 0217 has permission modes r-x which is browsing access (can read and search without permission to add, rename or delete files in the directory.) Every other user, that is not dnairn and not in group 0217 has permission modes --- which is no access.
count: 3
There are three files in this directory. The count is always one if you are listing a file.
username: dnairn
The user with login name dnairn is the owner of the file. The owner will have permission modes according the the first three codes after the "d". The owner always can change permission modes with the chmod command.
groupname: 0217
The directory is said to be owned by this group. Any user in group 0217 , except dnairn, will have permissions granted according to the middle three codes in the permission modes.

Some UNIX Commands for Working with Groups

Command Description Example
chdgrp List groups with title and remaining balance
 chdgrp
groups See groups to which you belong with primary group first groups
id See current group as part of your id id
newgrp Start a shell in a different group newgrp 1234
chmod Change permissions for directories and files chmod g+rwx myfile
chgrp Change group ownership of directories and files chgrp 1234 myfile
ls List file permissions ls -l
  • You are automatically assigned to a primary group when your userid is created. All faculty, staff and students are put in to project 4000. This primary group is the group assigned to any login shell. It is also called your default group. Use the network web page  to choose your default group for all subsequent logins. This will be your current group at your next login.

    Just by itself, the chdgrp will list your current groups with a short description. 

    Project    Title                 Remaining      Valid on hosts
    0068    WWW-IDEA CENTER             100.00      mahler strauss
    1864    US-STAFF                   1740.58      mahler strauss
    0123    RESTRICTED DATA              50.00      mahler strauss
    0583    WWW-IT                       89.57      mahler strauss
    0191    USMAILTEST-ALIAS            100.00      mahler strauss
    0217    WWWMAINT                    100.00      mahler strauss
    0380    US-QUOTA-REQUESTS           100.00      mahler strauss
    0400    US-ALTERNATE INBOX          200.00      mahler strauss
    4000    U. OF D. E-MAIL              50.00      mahler strauss

    Your default group is currently 1864.

    To change your default group please go to http://www.udel.edu/network
    This is helpful if you forgot which project number to use for your groups
  • Use the groups command to see which groups you belong to: 
    <4>% groups 
    1864 0123 0217 0380 0400 0583 4000
    The first group which is listed is your primary group. That may be the only group to which you belong.

    • Both chdgrp and groups commands will list your groups and tell you which one is the default group. However the chdgrp command can not be used to get information about another account, whereas the groups command can be used to list of groups for any user.

  • Use the id to see your current group which is part of your identification. Your current group is the group name after the gid=number. This is usually a four digit project code. 
    <54>% id
    uid=7101(dnairn) gid=1267(1864)
    The current group is the project code 1864.
  • When you login, you are automatically given your primary group as your current group. If you belong to other groups, you can use the newgrp command to start a new shell with a different current group. For example, suppose you are a member of the 0217 group, then you can use the following command to start a new shell in that group: 
    <5>% newgrp 0217
    <1>% groups
    1864 0123 0191 0217 0361 0363 0379 0380 0400 0583 4000
    <2>% id
    uid=7101(dnairn) gid=1829(0217)
    <3>% exit
    exit
    <6>% id
    uid=7101(dnairn) gid=1267(1864)
    Use the exit command to exit the shell and your current group will be restored to what it was before the exit command.

    • The first group in the groups list is your primary group, whereas the group in the id information is your current group. You can also find all your groups with the id -a command.

  • You can use the chmod command to set permission modes for selected directories and files. In general, you need to set at least read and execute permissions for the directories and read permissions for the files.

    The command syntax to enable all members of a group to read some file is:

    chmod g+r filename

    where filename is the name of the file you want to share. The file is now readable to the group associated with the file filename.

    Once you check to make sure a directory and all its files and sub-directories are owned by the correct group you can set the permission modes for everything with the one command

    chmod -R g+rX dirname

    where dirname is the name of the directory that contains the files you want to share. This command is called.

    The chmod command can also be used to allow members of a group to put files in a directory. The owner of the directory can open a directory for shared writing with the command:

    chmod g=swrx,+t dirname

    where dirname is the name of the directory you want to members of your group to create files in. The "s" is the group set-ID setting, which means all new files in this group will be owner by the user putting them there, but the group ownership will be set to match the group of the director, not the current group of the owner. This is the recommended way to keep all the group ownerships correct. The "+t" makes this a sticky directory. This means only the owner of a file (or the owner of the directory) can delete or rename a file. This is recommended if several users will be putting files in the same directory.
  • Use the chgrp command to change group ownership of a directory or file. You need to use this command to share files with users who are in the same UNIX group as you, when that group is not your primary group.


    • The syntax for the chgrp command is:

    chgrp groupname filename

    where groupname is the name of the group with which you would like to share a file named filename.

    Whereas the chmod command determines the type of access that group members may have to a file or directory, the chgrp command determines which group may access that file or directory.

  • Use the ls command to get a long formatted listing of a file or directory.

    ls -l

    will list all the files and directories in the current directory. You can use this command to verify that:
    1. the files which you want to share have at least read permissions;
    2. all of the directories in the search path for those files have at least execute permissions;
    3. those files are owned by the group with which you want to share.

Troubleshooting

You can use a UNIX group to share an unlimited number of files on an ongoing basis with others who have their own central UNIX account and are members of the same UNIX group.

One of the most common mistakes in sharing files on a UNIX system is to forget to set file permissions or to set them incorrectly. If permissions are not set correctly, then a user will see the following message or a similar one when they try to access your directory or files:

permission denied

  1. Make sure you have a proper group for sharing. You must have a group which both of you are in, but not 4000 since every user with an e-mail account is in group 4000. You can check this with the command groups $USER username where the second username is the user name of the user who got the "permission denied" message. You must pick a group on both lists. For example I want to share with the user anita 
    <1>% groups $USER anita
    dnairn : 1864 0123 0191 0217 0361 0363 0379 0380 0400 0583 4000
    anita : 1864 0123 0388 0400 0583 4000
    Project code 0123 is a good group name.
  2. Check to make sure the correct group owns the file with the ls -dl filename command. You should see this project number in this long formatted list as the group name. 
    <2>% ls -dl myfile
    -rw-r-----   1 dnairn   1864           0 Dec 21 15:09 myfile
  3. Check to make sure the "r" code appears in the middle three permission modes, in this same ls command. If this is not correct type: 
    chmod g+r myfile
  4. Finally check to make sure every directory above your current directory has the "x" permission in all three locations. This is called execute permissions for all, or symbolically "a+x". You can use the . as the current directory and .. for parent directory to list several levels 
    <2>% ls -dl . .. ../.. ../../..
    drwxrwsr-x   2 dnairn   1864         512 Oct 16 10:42 .
    drwxrwsr-t   3 dnairn   1864         512 Oct 16 10:26 ..
    drwxr-xr-x  84 dnairn   1864        6656 Dec 21 11:07 ../..
    drwxr-xr-x 198 root     root        9216 Aug 22 04:10 ../../..
Another common problem is to set file permissions for existing files, but to neglect to set permissions for newly created files. By default, others cannot access your files. You must give explicit permissions to each file when it is created.
IT Help Center
Questions or Comments
University of Delaware Home Page
Last updated: August 11, 2003
Copyright © 2001-2003 University of Delaware