Why is the USERGROUPS_ENAB variable in /etc/login.defs set to “no” by default unlike most other Linux distributions which default to “yes”? The result that’s troubling me in my script is that
This allows having group-accesible files by default, which in turn is useful when you want to have common project - set project directory SGID bit and common project files will belong to common group and be accessible by this group.
While you and the OP might see a use for it (and you are not alone, else the feature would not be there), I do not see any reason why it should be “on” as default.
So the answer to thew OP’s question
Why is the USERGROUPS_ENAB variable in /etc/login.defs set to “no” by default unlike most other Linux distributions which default to “yes”?
is probably:
a) because when all distributions would be the same, having distributions would be pointless;
b) it is in my point of view a niche feature, that should thus be there to be switched on by the needed and not by default;
c) I have no idea why it is different in “other Linux distributions”, ask there.
And of course, when one writes scripts, there is always something that one forgot to check first before assuming that it is as one wishes it is. Specialy when you write something that should run on all versions of all distributions (or even on all Unixes). Every file should be checked for existence before usage, every configuration setting should be checked before using it, etc. Life of a programmer is hard
Use the -U option in your script and the user-group is created automatically regardless of the settings in /etc/login.defs:
/usr/sbin/useradd -U uname
From the “useradd” man page:
**-U, --user-group
** Create a group with the same name as the user, and add the user to
this group.
The default behavior (if the **-g**, **-N**, and **-U** options are not
specified) is defined by the **USERGROUPS_ENAB** variable in
/etc/login.defs.
I intend on using the -U option and not depend on USERGROUPS_ENAB being set to “yes”. That being said, there’s something to be said for precedence. If virtually all other Linux distributions have something turned on by default, it’s counterproductive to turn it off by default unless there’s a good reason. I can’t think off and haven’t seen a good reason yet.
Someone could also have made the decision to disable by default based on common security principles…
The first consideration would be how often the setting would be used and then even if it’s required for common functionality.
“Best Practice” is always to disable anything that’s not needed by default, but can also be balanced with convenience and needs of your target audience.
So, in this case even if the mentioned Group is commonly seen elsewhere, if it’s really not essential for common use then enabling by default should be questioned.
The “noname” group wouldn’t be the only commonly seen Group disabled in openSUSE, you’ll also find the “wheel” group missing or disabled as well (from my experience).