Per-user groups
I too don't see a lot of utility in per-user groups. The main use case is if a user wanted to allow "friends" access to their files, they can have the friend user added to their group. Few systems I've encountered actually use it this way.
When USERGROUPS_ENAB in /etc/login.defs is set to "no", useradd adds all the created users to the group defined in /etc/default/useradd by the GROUP field. On most distributions, this is set to the GID 100, which usually corresponds to the users group.
This does allow you to have a more generic management of users. Then, if you need finer control, you can manually add these groups and add users to them that makes sense.
Default created groups
Most of them came about from historic reasons, but many still have valid uses today:
- disk is the group that owns most disk drive devices
- lp owns parallel port (and sometimes is configured for admin rights on cups)
- uucp often owns serial ports (including USB serial ports)
- cdrom is required for mounting privileges on a cd drive
- Some systems use wheel for sudo rights; some not
- etc.
Other groups are used by background scripts. For example, man generates temp files and such when it's run; its process uses the man group for some of those files and generally cleans up after itself.
According to the Linux Standard Base Core Specification though, only 3 users, root, bin and daemon, are absolutely mandatory. The rationale behind the other groups is:
The purpose of specifying optional users and groups is to reduce the potential for name conflicts between applications and distributions.
So it looks as if it is better to keep these groups in place. It's theoretically possible to remove them without breakage, although for some, "mysterious" things may start to not work right (e.g., some man pages not rendering if you kill that group, etc.). It doesn't do any harm to leave them there, and it's generally assumed that all Linux systems will have them.
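As an added illustration of the USERGROUPS_ENAB / GROUP behaviour described above (example script, not part of the answer): it parses constructed excerpts of /etc/login.defs, /etc/default/useradd and /etc/group and reports the primary group a new account would receive. The sample files and the fallback of 100 when GROUP is unset are this script's own assumptions.

```shell
#!/bin/sh
# Added example: reproduce useradd's primary-group choice from the two
# files the answer names. Sample configs are constructed here, not read
# from the real system, so the script runs offline.
TMPD=$(mktemp -d)
cat > "$TMPD/login.defs" <<'EOF'
# excerpt of /etc/login.defs
USERGROUPS_ENAB no      # one shared group for all new users
EOF
cat > "$TMPD/useradd" <<'EOF'
# excerpt of /etc/default/useradd
GROUP=100
HOME=/home
EOF
cat > "$TMPD/group" <<'EOF'
root:x:0:
users:x:100:
EOF

# conf_value FILE KEY: value of KEY, accepting "KEY value" (login.defs)
# and KEY=value (default/useradd); comments and blank lines are skipped.
conf_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                       # strip comments
        match($0, "^[[:space:]]*" key "[[:space:]=]+") {
            v = substr($0, RLENGTH + 1)
            gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", v)
            print v; exit
        }' "$1"
}

# gid_to_name GROUP_FILE GID: group name for a numeric GID (empty if unknown)
gid_to_name() {
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# primary_group LOGIN_DEFS DEFAULT_USERADD GROUP_FILE LOGIN
# Prints the group a new account LOGIN would be placed in.
primary_group() {
    case "$(conf_value "$1" USERGROUPS_ENAB)" in
        [Yy][Ee][Ss]) echo "$4" ;;                 # per-user group named after the login
        *) gid=$(conf_value "$2" GROUP)
           gid=${gid:-100}                          # assumed fallback when GROUP is unset
           name=$(gid_to_name "$3" "$gid")
           echo "${name:-$gid}" ;;
    esac
}

primary_group "$TMPD/login.defs" "$TMPD/useradd" "$TMPD/group" alice   # prints: users
```

On a live system, `useradd -D` prints the same defaults, and a `-g` or `-N` option on the useradd command line overrides them.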
Best Answer
Very interesting attempt. Actually, a process's supplementary groups (defined in /etc/group) are set by the setgroups system call. It requires the CAP_SETGID privilege or being root. So you can do it like this: