Worrying Group Policy for those migrating from other distro..

I’m migrating to openSuSE from Kubuntu where each user gets a group who’s id matches their user id. After installing openSuSE 12.2 a few days ago, I notice that this is not the case. Users get put in a user group (id 100) and the user id (1000 for the one created during install). The group id 1000 is not assigned, and will be automatically assigned to the next group created. In my case, it was vboxusers. I didn’t notice this until installing VirtualBox, and now all my files that migrated over with me from my old home are assigned to the group vboxusers.

I caught this soon enough to fix (and hopefully not create any problems down the road) by assigning vboxuser a new grope id and creating group id of 1000 for my user.

I don’t know if this is intentional or an oversight/bug, but it seems it could become a major security hole. I thought the standard Linux policy was to create a matching user/group id pair for each user.

1: It is not a bug.
2: There is no reason for worry.

There are two different philosophies that have been used for group IDs:

(a) Put all users in the same group;
(b) Give each user a unique group;

Ubuntu uses (a), and opensuse uses (b).

The advantages of (a) - simpler group administration.
The risks of (a) none that I know of.

If you make some of your files or directories group writable, then you would be allowing all local users to write to them. However, that is normally a bad idea and is not done in the default permissions. I doubt that Ubuntu does that with its default permissions either, because a lot of software refuses to work if group access is too permissive.

The original purpose of groups: They were intended for group projects. This requires that the system administrator create a special group for each such project, and add particulars uses to that group as an extra group. That use is still possible, though not much done with single user desktop machines.

With philosophy (a), group projects are useless unless a special group is created. For otherwise everybody belongs to the user group.
With philosophy (b), group projects are useless unless either a special group is created or at least the system admin adds addition users to the private group of one user. Without sysadmin intervention, all groups contain only 1 member, so are useless for group projects.

As you can see, it is 6 of one and half a dozen of the other, when it comes to selecting which of those two philosophies.

If you changed for your own system - you did no harm, but there is also no benefit. But I guess you at least had a little practice using the administration tools.

I hope that helps.

I guess it’s the opposite.
I personally use (a) on each distro (including Ubuntu) and don’t use the default group, but create a group (the same on all distros) before creating users. I also create the vboxusers group (among others) before installing VBox and gives it the same gid under each distro.

You are right. I had that last line backwards - (a) and (b) reversed.

On 09/12/2012 02:16 AM, suseconvert wrote:
> migrating to openSuSE from Kubuntu

in addition to this difference, there are others…you may find it
beneficial to have a look at these (even though they are specific Ubuntu
→ openSUSE differences, i suspect they also apply to Kbuntu → openSUSE):


OH! and someone with the necessary Debian knowledge (like suseconvert)
should/could update one of those to include this group policy difference!

dd http://goo.gl/PUjnL