Having a look at the default users & groups management on some usual Linux distributions (respectively ArchLinux and Debian), I'm wondering two things about it and about the consequences of modifying the default setup and configuration.
The default value for USERGROUPS_ENAB in /etc/login.defs seems to be "yes", which is reflected by the "By default, a group will also be created for the new user" that can be found in the useradd man, so each time a new user is created, a group is created with the same name and only this new user in it. Is there any use to that or is this just a placeholder?
I'm feeling like we are losing a part of the rights management as user/group/others by doing this. Would it be bad to have a group "users" or "regulars" or whatever you want to call it that is the default group for every user instead of having their own?
Second part of my question, which is still based on what I've seen on Arch and Debian: there are a lot of users created by default (FTP, HTTP, etc.). Is there any use to them or do they only exist for historical reasons?
I'm thinking about removing them but don't want to break anything that could use it, but I have never seen anything doing so, and have no idea what could. Same goes for the default groups (tty, mem, etc.) that I've never seen any user belong to.
Best Answer
Per-user groups
I too don't see a lot of utility in per-user groups. The main use case is if a user wanted to allow "friends" access to their files, they can have the friend user added to their group. Few systems I've encountered actually use it this way.
When USERGROUPS_ENAB in /etc/login.defs is set to "no", useradd adds all the created users to the group defined in /etc/default/useradd by the GROUP field. On most distributions, this is set to the GID 100, which usually corresponds to the users group. This does allow you to have a more generic management of users. Then, if you need finer control, you can manually add these groups and add users to them as makes sense.
Default created groups
Most of them came about from historic reasons, but many still have valid uses today:
Other groups are used by background scripts. For example, man generates temp files and such when it's run; its process uses the man group for some of those files and generally cleans up after itself.
According to the Linux Standard Base Core Specification though, only 3 users that are root, bin and daemon are absolutely mandatory. The rationale behind the other groups is:
So it looks as if it is better to keep these groups in place. It's theoretically possible to remove them without breakage, although for some, "mysterious" things may start to not work right (e.g., some man pages not rendering if you kill that group, etc.). It doesn't do any harm to leave them there, and it's generally assumed that all Linux systems will have them.
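A way to see which layout a system actually uses, and which default groups the account databases never reference, before changing USERGROUPS_ENAB or removing anything. This is an added example, not part of the question or the answer above; the function names are hypothetical and the accounts alice, bob and carol are constructed sample data.

```shell
#!/bin/sh
# Constructed sample data in passwd(5) and group(5) format.
sample_passwd() { cat <<'EOF'
root:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
carol:x:1002:100::/home/carol:/bin/bash
http:x:33:33::/srv/http:/usr/bin/nologin
EOF
}
sample_group() { cat <<'EOF'
root:x:0:
tty:x:5:
mem:x:8:
http:x:33:
users:x:100:
alice:x:1000:
EOF
}

# classify_primary_groups PASSWD GROUP -> "user:group:private|shared" per account.
# private = group named after the user, nobody else's primary group, no other members.
classify_primary_groups() {
    awk -F: '
        NR == FNR { gname[$3] = $1; members[$3] = $4; next }          # group file
        { user[FNR] = $1; gid[FNR] = $4; primaries[$4]++; n = FNR }   # passwd file
        END {
            for (i = 1; i <= n; i++) {
                g = gid[i]; name = (g in gname) ? gname[g] : "gid" g
                solo = (members[g] == "" || members[g] == user[i])
                upg = (name == user[i] && primaries[g] == 1 && solo)
                printf "%s:%s:%s\n", user[i], name, upg ? "private" : "shared"
            }
        }' "$2" "$1"
}

# unreferenced_groups PASSWD GROUP -> groups that are nobody's primary group and
# list no members. They may still own files or devices, so check ownership too.
unreferenced_groups() {
    awk -F: 'NR == FNR { used[$4] = 1; next } !($3 in used) && $4 == "" { print $1 }' "$1" "$2"
}

# Demo on the constructed data; on a real host pass /etc/passwd and /etc/group.
tmp=$(mktemp -d)
sample_passwd > "$tmp/passwd"; sample_group > "$tmp/group"
classify_primary_groups "$tmp/passwd" "$tmp/group"
unreferenced_groups "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

On hosts that also take accounts from LDAP or another NSS source, save the output of `getent passwd` and `getent group` to files and pass those instead. A group reported as unreferenced here, such as tty or mem in the sample, can still be the owning group of device nodes or files, which is why the answer advises leaving them in place.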