Cover V09, I05


Sidebar 1: Supplementary Groups

In addition to the group specified in the /etc/passwd file for a login name, HP-UX (and other UNIX flavors) allows a user to belong to additional groups. The maximum is NGROUPS_MAX (defined in <sys/param.h>) = 20. You can display it by typing:

# getconf NGROUPS_MAX

If you intend to increase that value, it is not so easy:

1. Change the value used by the kernel: in /usr/conf/h/param.h.

2. Rebuild the kernel.

Most of the time, this will not work because all the commands are compiled with the old value. You can, of course, use your own programs (or try to recompile the commands if you work with Linux, for example, where you have the full source code).

To benefit from this group feature, it is necessary to hard link /etc/group and /etc/logingroup:

# ln /etc/group /etc/logingroup

(By the way, “logingroup” is also used by NIS.)

For example, let's suppose that we have the three following entries in /etc/group:

bin::2:root,bin,jane
adm::4:root,adm,jane
users::20:bill,jane

From /etc/passwd, the user “jane” has the group 300 (dev). If /etc/logingroup is linked to /etc/group, we have:

# id jane
uid=112(jane) gid=300(dev) groups=2(bin),4(adm),20(users)

This means that “jane” has write permission for the following file:

-rw-rw-r--   1 root      bin          91520 Jul 28 15:20 data1

because she belongs to the group “bin” as well. Likewise, it is easy to define a group “admin” with some executable permissions:

Entry in /etc/group:

admin::350:carolyn,henry,jane,bill

The users above (plus root) will be the only ones able to run such a program:

---s--x---   1 root      admin        20345 Jan 2 15:20 tool1

with root privileges and without knowing the root password. See also Listing 3.
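
The following is an added example, not code from the original article: it parses the /etc/group entries quoted above, derives a user's supplementary groups, and applies the classic UNIX owner/group/other check to data1 and tool1. The function names are hypothetical, root's uid 0 is assumed, and all four group entries are loaded together, so “jane” also receives 350 (admin).

```python
import stat

# Constructed sample: the /etc/group entries quoted in the sidebar.
GROUP_FILE = """\
bin::2:root,bin,jane
adm::4:root,adm,jane
users::20:bill,jane
admin::350:carolyn,henry,jane,bill
"""

def supplementary_groups(group_text, user):
    """Return {gid: name} for every group entry that lists `user` as a member."""
    found = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        name, _passwd, gid, members = fields
        if user in [m.strip() for m in members.split(",") if m.strip()]:
            found[int(gid)] = name
    return found

def may_access(mode, file_uid, file_gid, uid, gid, groups, want):
    """The first matching class (owner, then group, then other) decides alone."""
    if uid == 0:
        # root bypasses read/write checks; execute needs at least one x bit
        return want != "x" or bool(mode & 0o111)
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == file_uid:
        shift = 6
    elif file_gid == gid or file_gid in groups:
        shift = 3  # primary or supplementary group matches the file's group
    else:
        shift = 0
    return bool((mode >> shift) & bit)

def runs_as_owner(mode):
    """True when the setuid bit is set: the program runs with the owner's uid."""
    return bool(mode & stat.S_ISUID)

if __name__ == "__main__":
    jane = supplementary_groups(GROUP_FILE, "jane")
    # data1: -rw-rw-r-- root:bin ; jane is uid 112, gid 300 (from the sidebar)
    print("jane may write data1:", may_access(0o664, 0, 2, 112, 300, jane, "w"))
    # tool1: ---s--x--- root:admin is mode 04110
    print("jane may run tool1:", may_access(0o4110, 0, 350, 112, 300, jane, "x"))
```

Because only the first matching class is consulted, a member of the file's group never falls through to the "other" bits.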