Purpose of primary and secondary user groups

Ipsen S Ripsbusker
Aside from compatibility, what is the purpose of primary groups,
compared to secondary groups?

Said otherwise, why do we have both primary and secondary groups
rather than only secondary groups?

Yet another phrasing: Why do I need to set a primary group?

Re: Purpose of primary and secondary user groups

Otto Moerbeek
On Sat, Dec 29, 2018 at 07:27:48PM +0000, Ipsen S Ripsbusker wrote:

> Aside from compatibility, what is the purpose of primary groups,
> compared to secondary groups?
>
> Said otherwise, why do we have both primary and secondary groups
> rather than only secondary groups?
>
> Yet another phrasing: Why do I need to set a primary group?
>

Mainly for accounting purposes.

man 2 intro

tells you about it.

        -Otto

Re: Purpose of primary and secondary user groups

Philip Guenther
In reply to this post by Ipsen S Ripsbusker
On Sat, Dec 29, 2018 at 11:29 AM Ipsen S Ripsbusker <[hidden email]> wrote:

> Aside from compatibility, what is the purpose of primary groups,
> compared to secondary groups?
>
> Said otherwise, why do we have both primary and secondary groups
> rather than only secondary groups?
>
> Yet another phrasing: Why do I need to set a primary group?
>

Secondary groups can only be set, all at once, when running as root (e.g.,
login, sshd), while the primary group can be altered by setgid binaries and
then switched among using set*gid(2).

For filesystem objects like files and directories, the BSD behavior is for
the object to get its group from the directory in which it was created,
ignoring the groups of the process that created it.  On more SysV-like
systems the default is to take the primary group of the process that
created it.  However, for objects that exist in the kernel but not the
filesystem such as pipes, sockets, and SysV shared memory segments,
semaphores, and message queues, the common behavior is to take the primary
group of the process that created it.  This doesn't have much effect other
than fstat() for pipes and sockets, but for SysV stuff it affects what
operations processes can perform.


Philip Guenther
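
Added example, not part of the message above or of any project's code: a small C probe for the rules just described. It creates a scratch file in a directory and reports whether the file's group matches the directory (BSD behavior) or the process's effective group (SysV-like default), and it reads the owning group of a new SysV shared memory segment. The names classify, probe_file and shm_gid, and the /tmp default, are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <unistd.h>

enum src { SRC_ERROR, SRC_DIR, SRC_PROCESS, SRC_AMBIGUOUS, SRC_OTHER };

/* Which rule explains a new object's group? egid is the process's effective gid. */
enum src classify(gid_t obj, gid_t dir, gid_t egid) {
    if (obj == dir && obj == egid) return SRC_AMBIGUOUS; /* both rules agree */
    if (obj == dir) return SRC_DIR;       /* BSD rule: group of the directory */
    if (obj == egid) return SRC_PROCESS;  /* SysV rule: group of the creator */
    return SRC_OTHER;
}

/* Create a scratch file in `parent` and classify the group it received. */
enum src probe_file(const char *parent) {
    char path[1024];
    struct stat d, f;
    int n = snprintf(path, sizeof path, "%s/grpprobeXXXXXX", parent);
    if (n < 0 || n >= (int)sizeof path) return SRC_ERROR;
    int fd = mkstemp(path);
    if (fd < 0) return SRC_ERROR;
    enum src r = SRC_ERROR;
    if (stat(parent, &d) == 0 && fstat(fd, &f) == 0)
        r = classify(f.st_gid, d.st_gid, getegid());
    close(fd);
    unlink(path);
    return r;
}

/* Owning group of a new SysV shared memory segment; (gid_t)-1 on error. */
gid_t shm_gid(void) {
    struct shmid_ds ds;
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    if (id < 0) return (gid_t)-1;
    gid_t g = shmctl(id, IPC_STAT, &ds) == 0 ? ds.shm_perm.gid : (gid_t)-1;
    shmctl(id, IPC_RMID, NULL); /* remove the segment again */
    return g;
}

int main(int argc, char **argv) {
    static const char *name[] = {"error", "directory", "process", "ambiguous", "other"};
    printf("egid=%ld, file group came from: %s, shm gid=%ld\n", (long)getegid(),
           name[probe_file(argc > 1 ? argv[1] : "/tmp")], (long)shm_gid());
    return 0;
}
```

Pass a directory whose group differs from your effective group (for instance one owned by a secondary group, with or without the set-GID bit) to get an unambiguous answer.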

Re: Purpose of primary and secondary user groups

Bryan Harris-2
On 12/30/2018 12:33 AM, Philip Guenther wrote:

> On Sat, Dec 29, 2018 at 11:29 AM Ipsen S Ripsbusker <[hidden email]> wrote:
>
>> Aside from compatibility, what is the purpose of primary groups,
>> compared to secondary groups?
>>
>> Said otherwise, why do we have both primary and secondary groups
>> rather than only secondary groups?
>>
>> Yet another phrasing: Why do I need to set a primary group?
>>
> Secondary groups can only be set, all at once, when running as root (e.g.,
> login, sshd), while the primary group can be altered by setgid binaries and
> then switched among using set*gid(2).
>
> For filesystem objects like files and directories, the BSD behavior is for
> the object to get its group from the directory in which it was created,
> ignoring the groups of the process that created it.  On more SysV-like
> systems the default is to take the primary group of the process that
> created it.  However, for objects that exist in the kernel but not the
> filesystem such as pipes, sockets, and SysV shared memory segments,
> semaphores, and message queues, the common behavior is to take the primary
> group of the process that created it.  This doesn't have much effect other
> than fstat() for pipes and sockets, but for SysV stuff it affects what
> operations processes can perform.
>
>
> Philip Guenther


Is there also a difference when creating a file in a folder with set GID
bit on that folder and owned by secondary group? I think in normal
behavior, if folder allows a user to create a file (sec. group w/ 770
perm.) then the new file group will not take the group of the folder but
will take the group of the user's primary group. But if you have set GID
bit then the new file will take the group of the folder it's in (which
will be one of the user's secondary groups).


I thought in OpenBSD there is also a flag to mount the filesystem to
always do this regardless of set GID but I can't remember. I don't see
it in the man page so maybe with all of this I'm really thinking of
Linux but I can't remember.


V/r,

Bryan

Re: Purpose of primary and secondary user groups

Philip Guenther
On Sun, Jan 13, 2019 at 6:13 AM Bryan Harris <[hidden email]> wrote:

> Is there also a difference when creating a file in a folder with set GID
> bit on that folder and owned by secondary group? I think in normal
> behavior, if folder allows a user to create a file (sec. group w/ 770
> perm.) then the new file group will not take the group of the folder but
> will take the group of the user's primary group. But if you have set GID
> bit then the new file will take the group of the folder it's in (which
> will be one of the user's secondary groups).
>
> I thought in OpenBSD there is also a flag to mount the filesystem to
> always do this regardless of set GID but I can't remember. I don't see
> it in the man page so maybe with all of this I'm really thinking of
> Linux but I can't remember.
>

Nope.  OpenBSD always uses the BSD behavior.  The use of the SGID bit on
directories to request BSD behavior was an addition in SystemV-based
systems when enough of their devs and users yelled at them to Not Be Stupid
And Provide the Better Behavior.  I'm not sure who or when first added the
mount option.  Linux certainly has both of those, but is not the only one.


Philip Guenther