Sunday, December 9, 2007

Give a user a new group

So, you have someone who just got a new position within your organization and now s/he needs additional permissions on the server. It makes more sense to give people permissions based on their position rather than on their user. That way, you can give and take exactly the right group of permissions for the position based on a well thought out policy rather than a spur of the moment, "I think they need x to get things done today," sort of thing.

A perfect example of this is sudoers privileges. You can give specific root-type abilities to users or groups of users in the /etc/sudoers file. Another example of this is when you make a certain folder owned by a specific group and have people write to it as *themselves.thatGroup.

You want to use usermod to add a new group to a user, but the problem is that when you use -G to add additional groups, it takes the list that you give it and erases whatever was on the list before. The solution is to add -a for append like this:

usermod -G groupname -a username

Now your user won't lose any of the old groups s/he had, but s/he will get the new one that they need.

*NB: There are a couple of notations for username and groupname for ownership on *Nix. One is username.groupname. The other is username:groupname They are often interchangeable on a single OS or distro, but sometimes you can only use one or the other for commands like chown.

1 comment:

Shlomi Fish said...

What a coincidence! I just learned about this trick yesterday when I was working on my newly installed Archlinux system. I looked for it because I was warned that I added a group in /etc/group and not in another file.