Why must a user in POSIX-compliance have a Primary Group? Why can't they just belong to groups?
The signifance of the Primary Group of a user
groupusers
Related Solutions
The reason (the only reason, as far as I know) to put users in a group of their own is to make umask 002
or umask 007
a sensible default.
The umask is a mask for the default permissions of newly created files. The meaning of the digits are the same as in chmod
; the first digit is for the user, the second for the group, and the third for others. If a bit is 1 in the umask, it is removed (masked) from the permissions of the newly created file. For example, if an application creates a non-executable file with no particular privacy requirement¹, it will pass 666 as the file permissions, and the application of the umask 002 will result in a file with permissions 664 (0666 & ~002
in C-like notation), i.e. a file which is readable by everyone and writable only by the user and group (rw-rw-r--
).
With the umask 022, files are world-readable by default but only writable by their author. With the umask 002, files are additionally writable by the group that owns them. If users's primary group is one where they are the only user, and the umask is 002, then:
- By default, files are only writable by their author, because although the permissions are
rw-rw-r--
, there is no other user in the group that has write permissions. - To allow a file to be modified by members of a group, the author only needs to make it owned by that group with
chgrp
. This can even happen automatically if the file is created in a directory with the setgid bit or an equivalent ACL.
The advantage over the 022 umask is that in that setting, in order to make a file editable by users, the author must do two things: set the group, and extend the permissions (chmod g+w
). People tend to forget this second step (or sole step, in a setgid directory).
¹ Examples of files with particular privacy requirements: encryption keys; emails; any file in a public directory such as /tmp
.
The error you're getting is a limitation of the way groupdel was written and the fact that the system is designed around numbers (IDs) and not names. As you can see in source code of groupdel, it only checks if there's a user having the GID you want to delete, as its primary group. It doesn't matter if there's another group having the same ID, but named differently.
/* [ Note: I changed the style of the source code for brevity purposes. ]
* group_busy - check if this is any user's primary group
*
* group_busy verifies that this group is not the primary group
* for any user. You must remove all users before you remove
* the group.
*/
static void group_busy (gid_t gid)
{
struct passwd *pwd;
/* Nice slow linear search. */
setpwent ();
while ( ((pwd = getpwent ()) != NULL) && (pwd->pw_gid != gid) )
;
endpwent ();
/* If pwd isn't NULL, it stopped because the gid's matched. */
if (pwd == (struct passwd *) 0)
return;
/* Can't remove the group. */
fprintf (stderr,
_("%s: cannot remove the primary group of user '%s'\n"),
Prog, pwd->pw_name);
exit (E_GROUP_BUSY);
}
So you either you mess with the configuration files using other tools like Perl in mtm's answer or you temporarily change the GID of that user so that group_busy
doesn't fail anymore.
Best Answer
The primary group is assigned to files created by that user...