User Groups/UNIX Groups

About UNIX Groups

Unix groups can be used to share files with CS department users. Each user on the CS public machines is associated with a list containing at least one group, and each file or directory on the CS public machines is associated with exactly one group. This is usually referred to as group membership and group ownership, respectively. That is, users are in groups and files are owned by a group.

Users are automatically added to one group during account creation. Maintaining group membership is handled by CS Staff, except for course account groups ("cosNNN"). If you need to be added to or removed from a non-course group, please have a current member of that group send an email to csstaff@cs.princeton.edu with the group name and action needed.

Managing group ownership of files and directories requires some action by the user. All files or directories are owned by the user who created them. In addition to being owned by a user, each file or directory is owned by a group. It is important to have group ownership correct if you ever want to share files with your group. Group ownership does not imply group access; you must set the file access permissions so your group can use the files. Permissions can be set to restrict the type of access that group members have to your directories and files. You can use different Unix groups to share files with different sets of users.

Unix Group Membership

Users are organized into groups, where every user is in at least one group, and may be in other groups. Group membership can give you special access to files and directories belonging to that group.

Every user is in a primary (login) group and may be in several secondary groups. The user is said to be in a group if the group name is in their list of groups. You do not have to be logged on to be in a group. When you are logged on you are assigned a group which is called your current group. You can see your group list or the group list of any user with the groups command. For example:

opus% groups cmmiller
cmmiller : csstaff project1 project2

lists all the groups for cmmiller; the first group is the primary group. If you just type groups, you will get your own groups.

Note: Unix systems (using NFS) only allow membership in 16 total groups. If you see 16 or more groups in your list, you may experience problems accessing files for some groups.

Group ownership of Files and Directories

Every file and directory has a username and a groupname associated with it. There are commands for managing group ownership for both directories and files. In the example commands given in this document, we use filename to indicate the name of a file, but in most cases you can use the same command with the name of a directory.

The long format of the listing command gives the permission bits, the owner, and the group for both files and directories. Use the ls -dl filename command to get a one-line listing of a single file or directory. The command ls (or ls -l) will list all the files and directories in your current directory. The ones beginning with a "d" are directories.

When a file or directory is first created, it takes as its group the current group of your shell. This is the default group for all login shells, but you can start another shell with any group using the command 'newgrp project'. If you are going to create files for a secondary group, then it is easier to create all these files from a shell started with the newgrp command.

If you want to change the group associated with a file or directory which already exists use the command 'chgrp project filename'. You must be the owner of the file, and you must be a member of the new group in order to make the change.

In many cases the group ownership does not matter, but if you want to share a file with a group, then it is important that you get the ownership correct. Otherwise you may be inviting all users to put their large files in your directory.

Group permissions of Files and Directories

Just setting up a file to be owned by a group does not give your group any access to the file. Granting and limiting access is done by setting appropriate permission bits. You can see the permission bits as a set of 10 letters or dashes in the long listing of a file or directory using the 'ls -dl' command. The -dl option on the ls command will list the information for the directory or file in long format. Without the "d", all the files in the directory would be listed instead of just the directory you asked for. For example, to get a long listing for a directory with the name test:

tux% ls -dl test
drwxr-x---   3 cmmiller   csstaff         512 Sep 21 12:23 test

The first string of characters is the mode, the next is a link count (see 'info ls' for details), the third field is the owner and the fourth field is the group which owns the file.

mode: drwxr-x---

Begins with a "d", which indicates this is a directory. The owner, cmmiller, has permission bits rwx, which is full access. Any other user in group csstaff has permission bits r-x, which is browsing access (can read and search, without permission to add, rename or delete files in the directory). Every other user, that is, anyone who is not cmmiller and not in group csstaff, has permission bits ---, which is no access.

count: 3

There are three files in this directory. The count is usually one if you are listing a file.

username: cmmiller

The user with login name cmmiller is the owner of the file. The owner will have permission modes according to the first three codes after the "d". The owner can always change permission modes with the chmod command.

groupname: csstaff

The directory is said to be owned by this group. Any user in group csstaff, except cmmiller, will have permissions granted according to the middle three codes in the permission modes.

UNIX Commands for Working with Groups

Command  Description                                               Example
groups   See groups to which you belong, with primary group first  groups
id       See current group as part of your id                      id
newgrp   Start a shell in a different group                        newgrp project1
chmod    Change permissions for directories and files              chmod g+rwx myfile
chgrp    Change group ownership of directories and files           chgrp project1 myfile
ls       List file permissions                                     ls -l

The first group in the groups list is your primary group.

  • You are automatically assigned to a primary group when your userid is created. This primary group is the group assigned to any login shell. It is also called your default group. This will be your current group at your next login.
     
  • Use the groups command to see which groups you belong to:
    tux% groups 
    csstaff project1 project2
    

    The first group which is listed is your primary group. That may be the only group to which you belong.

  • Use the id command to see your current group, which is part of your identification. Your current group is the group name after the gid=number.
    tux% id
    uid=17326(cmmiller) gid=910(csstaff) groups=910(csstaff),20001(project1),20002(project2)
    

    The current group is csstaff.

  • When you login, you are automatically given your primary group as your current group. If you belong to other groups, you can use the newgrp command to start a new shell with a different current group. For example, suppose you are a member of the project1 group, then you can use the following command to start a new shell in that group:
    <5>% newgrp project1
    <1>% groups
    guest test
    <2>% id
    uid=17326(cmmiller) gid=20001(project1) groups=910(csstaff),20001(project1),20002(project2)
    <3>% exit
    exit
    <6>% id
    uid=17326(cmmiller) gid=910(csstaff) groups=910(csstaff),20001(project1),20002(project2)
    

    Use the exit command to exit the shell and your current group will be restored to what it was before the newgrp command.

  • You can use the chmod command to set permission bits for selected directories and files. In general, you need to set at least read and execute permissions for the directories and read permissions for the files.

    The command syntax to enable all members of a group to read some file is:

    chmod g+r filename
    

    where filename is the name of the file you want to share. The file is now readable to the group associated with the file filename.

    Once you have checked that a directory and all its files and sub-directories are owned by the correct group, you can set the permission modes for everything with the one command:

    chmod -R g+rX dirname
    

    where dirname is the name of the directory that contains the files you want to share.

    The chmod command can also be used to allow members of a group to put files in a directory. The owner of the directory can open a directory for shared writing with the command:

    chmod g=swrx,+t dirname
    

    where dirname is the name of the directory you want members of your group to create files in. The "s" is the group set-ID setting, which means all new files in this directory will be owned by the user putting them there, but the group ownership will be set to match the group of the directory rather than the current group of the owner. This is the recommended way to keep group ownerships correct. The "+t" makes this a sticky directory. This means only the owner of a file (or the owner of the directory) can delete or rename a file. This is recommended if several users will be putting files in the same directory.

  • Use the chgrp command to change group ownership of a directory or file. You need to use this command to share files with users who are in the same UNIX group as you, when that group is not your primary group. The syntax for the chgrp command is:
    chgrp groupname filename
    

    where groupname is the name of the group with which you would like to share a file named filename.

    Whereas the chmod command determines the type of access that group members may have to a file or directory, the chgrp command determines which group may access that file or directory.

  • Use the ls command to get a long formatted listing of a file or directory.
    ls -l
    

    will list all the files and directories in the current directory. You can use this command to verify that:

    1. the files which you want to share have at least read permissions;
    2. all of the directories in the search path for those files have at least execute permissions;
    3. those files are owned by the group with which you want to share.

Troubleshooting

You can use a UNIX group to share an unlimited number of files on an ongoing basis with others who have a CS UNIX account and are members of the same UNIX group.

One of the most common mistakes in sharing files on a UNIX system is to forget to set file permissions or to set them incorrectly. If permissions are not set correctly, then a user will see the following message or a similar one when they try to access your directory or files:

Permission Denied

  1. Make sure you have a proper group for sharing. You must have a group to which both of you belong. You can check this with the command 'groups $USER username', where the second username is the user name of the user who got the "permission denied" message. You must pick a group on both lists. For example, I want to share with the user jrc:
    tux% groups $USER jrc
    cmmiller : csstaff project1 project2
    jrc : csstaff project2 project3
     

    csstaff or project2 are good group names since both users are in those groups.

  2. Check to make sure the correct group owns the file with the ls -dl filename command. You should see this group in the long formatted list as the group name.
    <2>% ls -dl myfile
    -rw-r-----   1 cmmiller   project2           0 Sep 21 19:22 myfile
    
  3. Check to make sure the "r" code appears in the middle three permission modes, in this same ls command. If this is not correct, type:
    chmod g+r myfile
  4. Finally, check to make sure every directory above your current directory has the "x" (or "s") permission in at least the fourth and seventh bits. This is called execute permission for owner and group, or symbolically "ug+x". You can use . as the current directory and .. for the parent directory to list several levels:
    tux% ls -dl . .. ../.. ../../..
    drwxrws---   2 cmmiller   project2        444 Sep 12 12:00 .
    drwxrws---   3 cmmiller   csstaff         444 Sep 14 11:11 ..
    drwxr-xr-x  84 cmmiller   csstaff        9000 Sep 21 14:33 ../..
    drwxr-xr-x 198 root       root           4000 Sep 25 12:22 ../../..
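
The four troubleshooting checks above, as an added shell example that is not part of the original page: check_group_access (a hypothetical helper name) reads the ls -dl mode string of the file and of each directory above it and prints the page's fix for whatever is missing. It assumes the user reaches the file only as a member of the sharing group, so directories owned by a different group are judged on their "other" bits; the optional third argument, where the walk stops, is also an addition.

```shell
#!/bin/sh
# Added example: audit the mode bits a member of GROUP needs to read FILE.
# Assumption: the user is not the owner and matches a path component only
# through GROUP; components owned by another group use the "other" bits.

# Print "<mode> <group>" from the long listing (`ls -dl`).
mode_and_group() {
    ls -dl "$1" | awk '{print $1, $4}'
}

# check_group_access FILE GROUP [TOP]
# Walks from FILE's directory up to TOP (default /). Returns 0 if clean.
check_group_access() {
    cga_file=$1 cga_group=$2 cga_top=${3:-/} cga_bad=0
    case $cga_file in /*) ;; *) cga_file=./$cga_file ;; esac
    [ -e "$cga_file" ] || { echo "$cga_file: not found"; return 2; }
    cga_info=$(mode_and_group "$cga_file")
    cga_mode=${cga_info% *}

    # Step 2: the file must be owned by the sharing group.
    if [ "${cga_info#* }" != "$cga_group" ]; then
        echo "$cga_file: group is ${cga_info#* }; fix: chgrp $cga_group $cga_file"
        cga_bad=1
    fi
    # Step 3: "r" must lead the middle three permission codes.
    if [ "$(printf '%s' "$cga_mode" | cut -c5)" != r ]; then
        echo "$cga_file: mode $cga_mode; fix: chmod g+r $cga_file"
        cga_bad=1
    fi
    # Step 4: every directory on the path needs search: "x", "s" or "t".
    cga_dir=$(cd "$(dirname "$cga_file")" && pwd -P) || return 2
    cga_top=$(cd "$cga_top" && pwd -P) || return 2
    while :; do
        cga_info=$(mode_and_group "$cga_dir")
        if [ "${cga_info#* }" = "$cga_group" ]; then
            cga_bits=$(printf '%s' "${cga_info% *}" | cut -c5-7)   # group triplet
        else
            cga_bits=$(printf '%s' "${cga_info% *}" | cut -c8-10)  # other triplet
        fi
        case $cga_bits in
            ??[xst]) ;;
            *) echo "$cga_dir: mode ${cga_info% *} blocks traversal"; cga_bad=1 ;;
        esac
        if [ "$cga_dir" = "$cga_top" ] || [ "$cga_dir" = / ]; then break; fi
        cga_dir=$(dirname "$cga_dir")
    done
    return "$cga_bad"
}
```

Run it as, for example, check_group_access myfile project2; an exit status of 0 means none of the checks found a problem.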
    

Another common problem is to set file permissions for existing files, but to neglect to set permissions for newly created files. By default, others cannot access your files. You must give explicit permissions to each file when it is created.
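
The shared-writing setup from the chmod section and the point above about newly created files, as one added shell example (not from the original page; the function names are hypothetical): share_dir applies the page's chmod command, audit_shared_dir checks a directory against it, and new_file_report shows that a file created in the set-ID directory takes the directory's group while its permission bits still depend on the creating shell's umask. The umask is not discussed on the page and is brought in here only to make that second point visible.

```shell
#!/bin/sh
# Added example; directory and file names passed in are the caller's choice.

# share_dir DIR GROUP: the page's shared-writing setup applied to DIR.
share_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod g=swrx,+t "$1"
}

# audit_shared_dir DIR GROUP: print each deviation from that setup.
# Returns 0 when the group owns DIR, its bits are "rws" and DIR is sticky.
audit_shared_dir() {
    asd_info=$(ls -dl "$1" | awk '{print $1, $4}')
    asd_mode=${asd_info% *} asd_bad=0
    if [ "${asd_info#* }" != "$2" ]; then
        echo "$1: group is ${asd_info#* }; fix: chgrp $2 $1"
        asd_bad=1
    fi
    case $(printf '%s' "$asd_mode" | cut -c5-7) in
        rws) ;;
        *) echo "$1: group bits are not rws; fix: chmod g=swrx $1"; asd_bad=1 ;;
    esac
    case $(printf '%s' "$asd_mode" | cut -c10) in
        [tT]) ;;   # "t" = sticky with other-execute, "T" = sticky without
        *) echo "$1: not sticky; fix: chmod +t $1"; asd_bad=1 ;;
    esac
    return "$asd_bad"
}

# new_file_report DIR NAME UMASK: create DIR/NAME under UMASK (in a subshell,
# so the caller's umask is untouched) and print "<mode> <group>" for it.
new_file_report() {
    ( umask "$3" && : > "$1/$2" ) || return 1
    ls -dl "$1/$2" | awk '{print $1, $4}'
}
```

With a umask of 077 the new file is reported with the directory's group but no group read bit, so it still needs chmod g+r before group members can read it. The page's chmod command leaves the "other" bits of the directory as they were, and the audit does not judge them.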