user & group administration-dialout, video, users

Hi,

I’m curious what others would recommend as to other safe additional groups to belong to here.

The group, default users, belongs to dialout, video, and if one clicks on “edit” “details” one can see “video” and “dialout” ticked. (hmmm, though “users” is not ticked here.)

I plan to listen to audio cd’s and watch video DVD’s. In other lnx distributions I have used, often wheel, cdrom, audio, and users is ticked for additional groups, and sometimes disks as well, though I read at one bug report that one said it wasn’t a good idea to add disk.

My setup is openSUSE 11.1 for 64-bit processor. I have installed (well, actually re-installed) with user with own password not given administrative privileges and a separate root password.

I looked over some posts on the subject, but they are vague additional groups

Orba (oh, forgot to add, it is KDE4 desktop environment)

It is certainly not a good idea to add disk. We just had a user overwriting his file system with a file. This was done either by him being root, or by his normal user that was added to the disk group.

I never changed something in this respect and can listen/look (but I have no need to dial-out). This is 10.3, but this principle should work on 11.x also imho.

Hi Henk,

I wondered why it wasn’t a good idea to have disk added to additional groups for users. That certainly answers my question!

I forgot to mention that I use an external 56k modem, so I do need dialout ticked.

Thanks again for your feedback! I appreciate it.
Orba

Sorry, but I don’t understand the problem with adding users to the disk group; the DVD/CD drives belong to the disk group and therefore users can only use the DVD/CD if they are also part of the disk group.

I added all my users to the disk group immediately after installing and everything has been fine.

Right john_hudson. If you’re not a member of ‘disk’ you cannot burn CD’s or DVD’s. k3BSetup even sets the perms of /dev/sr0 to 664 …

But indeed, the risk is that a normal user could do less funny things.

I am still on 10.3. My normal uid is NOT a mentioned in the disk group. I can burn with k3b.

I also understood that there is a bug somewhere in 11.1 (11.0?). Searching in the forum must help here. The opinion of some people (including me) is that breaking down security to by-pass the bug is not very clever. Specialy as you do not write with big letters on the wall: **Change this back as soon as the bug is patched! **Most people will be just happy that it “works again” without even understanding the consequences. At least one of them now does understand. :frowning:

And as orba shows, there are already posts around that simply say: add your username to the diskgroup.

Yes, there are a few threads, and even a blog or two about adding “disk” to additional groups. One example where it is mentioned about a variation of the bug fix (in the patch as of January) is here: cannot_mount_cdrom
My bug problem with 11.1 kde4 for 64 bit is that no audio cd is recognized by Dolphin. although I can play it with Kaffeine and KsCD. I’ve read replies to suggest adding disk and cdrom to additonal groups, but it didn’t fix the problem. I think it is a udev glitch and am waiting for this fix to appear as a patch. At least I can play the cd’s. (Edited to add, that it isn’t a permission problem as the same thing happens if I log in as root and insert an audio cd.)

What I really need to do is find a good basic write up on this part of the LINUX system, users groups management is a mystery to me, but I will do some searching on the subject. I’m still tempted to tick “users” under, additional groups, or at least I would think that would be ticked as the “default group for new users” is “users”, but it isn’t ticked under the additional groups section as well. Just a bit confused about that one.

Thanks for the feedback!
Orba

If an account’s primary group is already “users”, adding “users” to the supplementary groups won’t make any difference. So new (human) users do not need to get a supplementary group of “users” they are already in “users” as their primary group. The effective set of groups for an account is the union of the primary and the supplementary groups.

Not much to add to ken_yap.

The primary user is found in the users entry in /etc/passwd. That is the one tied to your processes when you log in. So when you create files they will get that group.

The user can also change the group its processes run with, with the *newgrp *command. But IMHO there is not much usage for it.

When curious look for terms like “real and effective group ID”.

Thanks Ken and Henk. That had me curious and wondering if it was a mess up in the User management GUI.

And thanks for the keywords to do a search for. This is of much help and appreciated!
This post can be marked solved if needs be.

Orba