Disclaimer
This information HAS errors and is made available WITHOUT ANY WARRANTY OF ANY KIND and without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. It is not permissible to be read by anyone who has ever met a lawyer or attorney. Use is confined to Engineers with more than 370 course hours of engineering.
If you see an error contact:
+1(785) 841 3089
inform@xtronics.com
Default group memberships
Belonging to the correct groups lets users do things. This list should help you decide which groups to join.
- avahi - lets programs publish and discover services and hosts on a local network (mDNS/DNS-SD) with no specific configuration.
- crontab - the crontab program is setgid crontab so that ordinary users can install their own crontabs under /var/spool/cron/crontabs, which is group-owned by crontab. It is not an administrative group; users should not be added to it.
- fuse - file systems in user space
- libuuid - used to generate unique identifiers for objects that
may be accessible beyond the local system. The Linux implementation was
created to uniquely identify ext2 file-systems created by a machine.
- lpadmin - administration of printers
- messagebus - D-BUS message bus daemon. D-BUS is first a
library that provides one-to-one communication between any two
applications; dbus-daemon-1 is an application that uses this library to
implement a message bus daemon.
- ntp - Network time
- powerdev - control of battery - hibernation etc.
- ssh - not an administrative group. On Debian-derived systems ssh-agent has historically been installed setgid ssh so that other processes running as the same user cannot ptrace it and read the keys it holds. Users should not be added to it.
- utempter - a helper that lets unprivileged programs (terminal
emulators, for instance) record their sessions in utmp/wtmp without
being given that privilege themselves. The helper holds the privilege
and acts as a buffer between the programs and the protected files.
- root: Root is (typically) the superuser.
- sasl Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.
- daemon: Some unprivileged daemons that need to be able to
write to some files on disk run as daemon.daemon (portmap, atd, probably
others). Daemons that don't need to own any files can run as
nobody.nogroup instead, and more complex or security conscious daemons
run as dedicated users. The daemon user is also handy for locally
installed daemons, probably.
- shadow: read access to the hashed passwords in /etc/shadow; see the shadow entry further down.
- bin: maintained for historic reasons.
- gnats - bugtracking
- sys: same as with bin. However, /dev/vcs* and /var/spool/cups are owned by group sys.
- sync: The shell of user sync is /bin/sync. Thus, if its
password is set to something easy to guess (such as ""), anyone can sync
the system at the console even if they have no account on the system.
Debian ships the account locked (password field "*"); check that it stays that way.
- games: Many games are sgid to games so they can write their high score files. This is explained in policy.
- irc: Internet Relay Chat daemons; see the fuller irc entry further down.
- man: The man program (sometimes) runs as user man, so it can write cat pages to /var/cache/man
- lp: Used by printer daemons.
- mail: Mailboxes in /var/mail are owned by group mail, as is
explained in policy. The user and group is used for other purposes as
well by various MTA's.
- news: Various news servers and other associated programs (such
as suck) use user and group news in various ways. Files in the news
spool are often owned by user and group news. Programs such as inews
that can be used to post news are typically sgid news.
- uucp: The uucp user and group is used by the UUCP subsystem. It
owns spool and configuration files. Users in the uucp group may run
uucico.
- proxy: Like daemon, this user and group is used by some daemons
(specifically, proxy daemons) that don't have dedicated user id's and
that need to own files. For example, group proxy is used by pdnsd, and
squid runs as user proxy.
- majordom: Majordomo has a statically allocated uid on Debian
systems for historical reasons. It is not installed on new systems.
- postgres: Postgresql databases are owned by this user and
group. All files in /var/lib/postgresql are owned by this user to
enforce proper security.
- www-data: Some web servers run as www-data. Web content should
*not* be owned by this user, or a compromised web server would be able
to rewrite a web site. Data written out by web servers, including log
files, will be owned by www-data.
- backup: So backup/restore responsibilities can be locally delegated to someone without full root permissions.
- operator: Operator is historically (and practically) the only
'user' account that can login remotely, and doesn't depend on NIS/NFS.
- list: Mailing list archives and data are owned by this user and group. Some mailing list programs may run as this user as well.
- irc: Used by irc daemons. A statically allocated user is needed
only because of a bug in ircd -- it setuid()s itself to a given UID on
startup.
- nobody, nogroup: Daemons that need not own any files run as
user nobody and group nogroup. Thus, no files on a system should be
owned by this user or group.
- adm: Group adm is used for system monitoring tasks. Members of
this group can read many log files in /var/log, and can use xconsole.
Historically, /var/log was /usr/adm (and later /var/adm), thus the name
of the group.
- tty: Tty devices are owned by this group. This is used by write and wall to enable them to write to other people's tty's.
- disk: Raw access to block devices (/dev/sd*, /dev/nvme*, etc.). Mostly equivalent to root access, since a member can read or rewrite any file system on the machine, /etc/shadow included.
- kmem: /dev/kmem and similar files are readable by this group.
This is mostly a BSD relic, but any programs that need direct read
access to the system's memory can thus be made sgid kmem.
- dialout: Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc.
- dip: The group's name stands for "Dialup IP". Being in group dip
allows you to use a tool such as ppp, dip, wvdial, etc. to dial up a
connection. The users in this group cannot configure the modem, they can
just run the programs that make use of it.
- fax: Allows members to use fax software to send / receive faxes.
- voice: Voicemail, useful for systems that use modems as answering machines.
- cdrom: This group can be used locally to give a set of users access to a cdrom drive.
- floppy: This group can be used locally to give a set of users access to a floppy drive.
- tape: This group can be used locally to give a set of users access to a tape drive.
- sudo: On current Debian and Ubuntu the default /etc/sudoers grants this group full root ("%sudo ALL=(ALL:ALL) ALL"). Whether a password is asked is a sudoers setting (NOPASSWD), not a property of the group; treat membership as equivalent to root. See /usr/share/doc/sudo/OPTIONS.
- audio: This group can be used locally to give a set of users access to an audio device.
- src: This group owns source code, including files in /usr/src.
It can be used locally to give a user the ability to manage system
source code.
- shadow: /etc/shadow is readable by this group. Some programs that need to be able to access the file are set gid shadow.
- utmp: This group can write to /var/run/utmp and similar files. Programs that need to be able to write to it are sgid utmp.
- video: This group can be used locally to give a set of users access to a video device.
- staff: Allows users to add local modifications to the system
(/usr/local, /home) without needing root privileges. Compare with group
"adm", which is more related to monitoring/security. Note that
/usr/local/bin and /usr/local/sbin are in root's default PATH, so a
staff member can plant a binary that root will run; treat the group as
root-equivalent.
- users: While Debian systems use the user group system by
default (each user has their own group), some prefer to use a more
traditional group system. In that system, each user is a member of the
'users' group.
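Several entries above (disk, sudo, staff, shadow, kmem, adm, dialout) are effectively root or close to it, and the sync entry shows why an empty password field matters. The script below is an added example, not part of the original page, that audits a passwd/group/shadow triple for both: it lists who is in each of those groups, counting membership through the primary GID in passwd as well as the member list in the group file (a membership that `grep` on /etc/group alone misses), and reports accounts with an empty password field. The three files are constructed samples embedded in the script so it runs offline; the set of groups called sensitive is this editor's selection from the list above.

```shell
#!/bin/sh
# Added example: audit group memberships and empty passwords.
# The passwd/group/shadow files used here are constructed samples, not
# taken from any real host.

# Groups from the list above treated here as root-equivalent or sensitive
# (editor's selection).
SENSITIVE_GROUPS="sudo disk shadow staff kmem adm dialout"

# Write the constructed sample files into a temp directory ($SAMPLE_DIR).
mk_sample() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:6:Carol:/home/carol:/bin/bash
EOF
    cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
adm:x:4:alice
disk:x:6:
kmem:x:15:
dialout:x:20:
sudo:x:27:alice,bob
shadow:x:42:
staff:x:50:bob
users:x:100:alice,bob,carol
EOF
    cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
sync::19000:0:99999:7:::
alice:$6$saltsalt$hashhash:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
carol:*:19000:0:99999:7:::
EOF
}

# Print every user in group $1, space-separated and sorted, whether the
# membership comes from the member list in the group file ($2) or from
# the primary GID in the passwd file ($3). carol above is in disk only
# through her primary GID and never appears in the group file.
members_of() {
    gname=$1; gfile=$2; pfile=$3
    gid=$(awk -F: -v g="$gname" '$1 == g { print $3 }' "$gfile")
    [ -n "$gid" ] || return 0
    {
        awk -F: -v g="$gname" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$gfile"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$pfile"
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print accounts whose password field in the shadow file ($1) is empty.
# An empty field means no password is needed; for sync that would let anyone
# at the console log in and run /bin/sync. "!" and "*" are locked, not empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Report sensitive-group members and empty-password accounts for one
# group/passwd/shadow triple.
audit() {
    gfile=$1; pfile=$2; sfile=$3
    for g in $SENSITIVE_GROUPS; do
        m=$(members_of "$g" "$gfile" "$pfile")
        [ -n "$m" ] && printf '%-8s %s\n' "$g" "$m"
    done
    e=$(empty_password_accounts "$sfile")
    [ -n "$e" ] && printf 'empty password: %s\n' "$e"
    return 0
}

mk_sample
trap 'rm -rf "$SAMPLE_DIR"' EXIT
audit "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

Run as is to see the report for the samples (sudo: alice bob, disk: carol, adm: alice, staff: bob, empty password: sync). To audit a real host, call `audit /etc/group /etc/passwd /etc/shadow` as root, since /etc/shadow is readable only by root and group shadow.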