Reasons behind the default groups and users on Linux


Having a look at the default users & groups management on some usual Linux distributions (respectively ArchLinux and Debian), I'm wondering two things about it and about the consequences of modifying the default setup and configuration.

The default value for USERGROUPS_ENAB in /etc/login.defs seems to be "yes", which is reflected by the "By default, a group will also be created for the new user" that can be found in the useradd man page, so each time a new user is created, a group is created with the same name and only this new user in it. Is there any use to that or is this just a placeholder?

I'm feeling like we are losing a part of the rights management as user/group/others by doing this. Would it be bad to have a group "users" or "regulars" or whatever you want to call it that is the default group for every user instead of having their own?

Second part of my question, which is still based on what I've seen on Arch and Debian: there are a lot of users created by default (FTP, HTTP, etc.). Is there any use to them or do they only exist for historical reasons?

I'm thinking about removing them but don't want to break anything that could use it, but I have never seen anything doing so, and have no idea what could. Same goes for the default groups (tty, mem, etc.) that I've never seen any user belong to.

Best Answer

Per-user groups

I too don't see a lot of utility in per-user groups. The main use case is if a user wanted to allow "friends" access to their files, they can have the friend user added to their group. Few systems I've encountered actually use it this way.

When USERGROUPS_ENAB in /etc/login.defs is set to "no", useradd adds all the created users to the group defined in /etc/default/useradd by the GROUP field. On most distributions, this is set to the GID 100, which usually corresponds to the users group. This does allow you to have a more generic management of users. Then, if you need finer control, you can manually add further groups and add users to them as makes sense.

Default created groups

Most of them came about for historic reasons, but many still have valid uses today:

  • disk is the group that owns most disk drive devices
  • lp owns the parallel port (and sometimes is configured for admin rights on CUPS)
  • uucp often owns serial ports (including USB serial ports)
  • cdrom is required for mounting privileges on a cd drive
  • Some systems use wheel for sudo rights; some not
  • etc.

Other groups are used by background scripts. For example, man generates temp files and such when it's run; its process uses the man group for some of those files and generally cleans up after itself.


According to the Linux Standard Base Core Specification though, only 3 users (root, bin and daemon) are absolutely mandatory. The rationale behind the other groups is:

The purpose of specifying optional users and groups is to reduce the potential for name conflicts between applications and distributions.

So it looks as if it is better to keep these groups in place. It's theoretically possible to remove them without breakage, although for some, "mysterious" things may start to not work right (e.g., some man pages not rendering if you kill that group, etc.). It doesn't do any harm to leave them there, and it's generally assumed that all Linux systems will have them.
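
An added example (not part of the original answer) that classifies groups as per-user, shared primary, supplementary-only or unreferenced, which is the check to run before changing USERGROUPS_ENAB or removing a default group. The sample passwd/group contents and the names `records` and `audit` are constructed for illustration.

```python
# Added example; the data below is constructed, in passwd(5)/group(5) format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
disk:x:6:
uucp:x:10:
man:x:12:
users:x:100:
alice:x:1000:bob
"""

def records(text):
    """Yield colon-split fields for each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.strip().split(":")

def audit(passwd_text, group_text):
    """Classify every group by how the account database refers to it."""
    primary = {}  # gid -> names of users whose primary group it is
    for f in records(passwd_text):
        primary.setdefault(int(f[3]), []).append(f[0])
    report = {"private": [], "shared": [], "supplementary": [], "unreferenced": []}
    for name, _pw, gid, members in records(group_text):
        users = primary.get(int(gid), [])
        extra = [m for m in members.split(",") if m]
        if users == [name]:
            # Per-user group (USERGROUPS_ENAB yes); extra = "friends" added to it.
            report["private"].append((name, extra))
        elif users:
            # Common primary group, as with USERGROUPS_ENAB no and GROUP=100.
            report["shared"].append((name, users))
        elif extra:
            report["supplementary"].append((name, extra))
        else:
            # No account refers to it, but it may still own devices or files
            # (disk, uucp), so this is not proof that removal is safe.
            report["unreferenced"].append(name)
    return report

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(kind, items)
```

On a real host, pass the contents of /etc/passwd and /etc/group to `audit`, and check file ownership (for example with find's `-group` test) for anything it reports as unreferenced.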