What is the Debian counterpart of the admin group, and what group on Debian makes files accessible to only the owner and the administrators?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
4
down vote

favorite












Debian vs Mac OS X regarding the admin group



On Mac OS X, in order to make a file accessible to only the owner and the administrators, I set the group of the file to admin, and set the permission mode of the file to something like 770 (rwxrwx---), 750 (rwxr-x---) or 640 (rw-r-----).



chgrp admin FILE

chmod 750 FILE
# or
chmod 770 FILE
# or
chmod 640 FILE
# or
chmod g+r,o-rwx FILE


Thus, ls -la FILE outputs something like the following, where bob is the owner.



rwxr-x--- bob admin


However, Debian lacks the admin group. What is the Debian counterpart of the admin group? What group on Debian makes files accessible to only the owner and the administrators (after chmod has removed rwx from others)?



By the command id -Gn, administrators on Mac OS X seem to belong to the admin group, while administrators on Debian seem to belong to the sudo group. Is the sudo group on Debian equivalent to the admin group on Mac OS X?



I hesitate to set the group of the file to sudo. The command find / -group sudo reveals that absolutely no files on Debian have the group sudo by default. In contrast, the command find / -group admin reveals that many files on Mac OS X have the group admin by default. So, it seems that the sudo group on Debian is not really equivalent to the admin group on Mac OS X.







share|improve this question




















  • if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
    – Olivier Dulac
    Dec 6 '17 at 10:04











  • What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
    – rackandboneman
    Dec 6 '17 at 14:17














up vote
4
down vote

favorite












Debian vs Mac OS X regarding the admin group



On Mac OS X, in order to make a file accessible to only the owner and the administrators, I set the group of the file to admin, and set the permission mode of the file to something like 770 (rwxrwx---), 750 (rwxr-x---) or 640 (rw-r-----).



chgrp admin FILE

chmod 750 FILE
# or
chmod 770 FILE
# or
chmod 640 FILE
# or
chmod g+r,o-rwx FILE


Thus, ls -la FILE outputs something like the following, where bob is the owner.



rwxr-x--- bob admin


However, Debian lacks the admin group. What is the Debian counterpart of the admin group? What group on Debian makes files accessible to only the owner and the administrators (after chmod has removed rwx from others)?



By the command id -Gn, administrators on Mac OS X seem to belong to the admin group, while administrators on Debian seem to belong to the sudo group. Is the sudo group on Debian equivalent to the admin group on Mac OS X?



I hesitate to set the group of the file to sudo. The command find / -group sudo reveals that absolutely no files on Debian have the group sudo by default. In contrast, the command find / -group admin reveals that many files on Mac OS X have the group admin by default. So, it seems that the sudo group on Debian is not really equivalent to the admin group on Mac OS X.







share|improve this question




















  • if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
    – Olivier Dulac
    Dec 6 '17 at 10:04











  • What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
    – rackandboneman
    Dec 6 '17 at 14:17












up vote
4
down vote

favorite









up vote
4
down vote

favorite











Debian vs Mac OS X regarding the admin group



On Mac OS X, in order to make a file accessible to only the owner and the administrators, I set the group of the file to admin, and set the permission mode of the file to something like 770 (rwxrwx---), 750 (rwxr-x---) or 640 (rw-r-----).



chgrp admin FILE

chmod 750 FILE
# or
chmod 770 FILE
# or
chmod 640 FILE
# or
chmod g+r,o-rwx FILE


Thus, ls -la FILE outputs something like the following, where bob is the owner.



rwxr-x--- bob admin


However, Debian lacks the admin group. What is the Debian counterpart of the admin group? What group on Debian makes files accessible to only the owner and the administrators (after chmod has removed rwx from others)?



By the command id -Gn, administrators on Mac OS X seem to belong to the admin group, while administrators on Debian seem to belong to the sudo group. Is the sudo group on Debian equivalent to the admin group on Mac OS X?



I hesitate to set the group of the file to sudo. The command find / -group sudo reveals that absolutely no files on Debian have the group sudo by default. In contrast, the command find / -group admin reveals that many files on Mac OS X have the group admin by default. So, it seems that the sudo group on Debian is not really equivalent to the admin group on Mac OS X.







share|improve this question












Debian vs Mac OS X regarding the admin group



On Mac OS X, in order to make a file accessible to only the owner and the administrators, I set the group of the file to admin, and set the permission mode of the file to something like 770 (rwxrwx---), 750 (rwxr-x---) or 640 (rw-r-----).



chgrp admin FILE

chmod 750 FILE
# or
chmod 770 FILE
# or
chmod 640 FILE
# or
chmod g+r,o-rwx FILE


Thus, ls -la FILE outputs something like the following, where bob is the owner.



rwxr-x--- bob admin


However, Debian lacks the admin group. What is the Debian counterpart of the admin group? What group on Debian makes files accessible to only the owner and the administrators (after chmod has removed rwx from others)?



By the command id -Gn, administrators on Mac OS X seem to belong to the admin group, while administrators on Debian seem to belong to the sudo group. Is the sudo group on Debian equivalent to the admin group on Mac OS X?



I hesitate to set the group of the file to sudo. The command find / -group sudo reveals that absolutely no files on Debian have the group sudo by default. In contrast, the command find / -group admin reveals that many files on Mac OS X have the group admin by default. So, it seems that the sudo group on Debian is not really equivalent to the admin group on Mac OS X.









share|improve this question











share|improve this question




share|improve this question










asked Dec 6 '17 at 5:24









i7pj3qnuz

663




663











  • if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
    – Olivier Dulac
    Dec 6 '17 at 10:04











  • What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
    – rackandboneman
    Dec 6 '17 at 14:17
















  • if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
    – Olivier Dulac
    Dec 6 '17 at 10:04











  • What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
    – rackandboneman
    Dec 6 '17 at 14:17















if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
– Olivier Dulac
Dec 6 '17 at 10:04





if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
– Olivier Dulac
Dec 6 '17 at 10:04













What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
– rackandboneman
Dec 6 '17 at 14:17




What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
– rackandboneman
Dec 6 '17 at 14:17










2 Answers
2






active

oldest

votes

















up vote
9
down vote













For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm group.



On Linux systems, groups tend(ed) to be finer-grained: thus a sudo group granting access to root via sudo (but not exclusively, since users can be granted access individually), an adm group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.



You could always create your own admin group and use it for the purpose you’re describing; you don’t have to limit yourself to the system groups.






share|improve this answer






















  • Indeed, thanks! I’ve fixed that.
    – Stephen Kitt
    Dec 6 '17 at 7:49










  • Normally adm on Linux is only for log file access; the IT admin group would be sudo or wheel. Debian also has staff for file ownership.
    – grawity
    Dec 6 '17 at 8:45






  • 2




    @grawity the problem with sudo, wheel and staff is that they grant significant permissions (respectively, the ability to become root, the ability to run su if pam_wheel is set up, and the ability to write to /usr/local — admittedly that’s just part of being an administrator, but it might be more than the OP is after). adm can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
    – Stephen Kitt
    Dec 6 '17 at 9:03


















up vote
0
down vote













If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.



Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.



For exemple: a user (foo) is part of a team (teambar).



For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables




  • Ie, for all "team dirs" and "team files":



    • give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])

    • Give the appropriate access to the team (r only? rx if executable or dir?)

    • restrict access to Others (ie not foo nor members of

    • And don't worry: the admins will be able to access it if needed.


  • and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs

(don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)






share|improve this answer






















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f409102%2fwhat-is-the-debian-counterpart-of-the-admin-group-and-what-group-on-debian-make%23new-answer', 'question_page');

    );

    Post as a guest






























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    9
    down vote













    For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm group.



    On Linux systems, groups tend(ed) to be finer-grained: thus a sudo group granting access to root via sudo (but not exclusively, since users can be granted access individually), an adm group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.



    You could always create your own admin group and use it for the purpose you’re describing; you don’t have to limit yourself to the system groups.






    share|improve this answer






















    • Indeed, thanks! I’ve fixed that.
      – Stephen Kitt
      Dec 6 '17 at 7:49










    • Normally adm on Linux is only for log file access; the IT admin group would be sudo or wheel. Debian also has staff for file ownership.
      – grawity
      Dec 6 '17 at 8:45






    • 2




      @grawity the problem with sudo, wheel and staff is that they grant significant permissions (respectively, the ability to become root, the ability to run su if pam_wheel is set up, and the ability to write to /usr/local — admittedly that’s just part of being an administrator, but it might be more than the OP is after). adm can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
      – Stephen Kitt
      Dec 6 '17 at 9:03















    up vote
    9
    down vote













    For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm group.



    On Linux systems, groups tend(ed) to be finer-grained: thus a sudo group granting access to root via sudo (but not exclusively, since users can be granted access individually), an adm group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.



    You could always create your own admin group and use it for the purpose you’re describing; you don’t have to limit yourself to the system groups.






    share|improve this answer






















    • Indeed, thanks! I’ve fixed that.
      – Stephen Kitt
      Dec 6 '17 at 7:49










    • Normally adm on Linux is only for log file access; the IT admin group would be sudo or wheel. Debian also has staff for file ownership.
      – grawity
      Dec 6 '17 at 8:45






    • 2




      @grawity the problem with sudo, wheel and staff is that they grant significant permissions (respectively, the ability to become root, the ability to run su if pam_wheel is set up, and the ability to write to /usr/local — admittedly that’s just part of being an administrator, but it might be more than the OP is after). adm can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
      – Stephen Kitt
      Dec 6 '17 at 9:03













    up vote
    9
    down vote










    up vote
    9
    down vote









    For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm group.



    On Linux systems, groups tend(ed) to be finer-grained: thus a sudo group granting access to root via sudo (but not exclusively, since users can be granted access individually), an adm group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.



    You could always create your own admin group and use it for the purpose you’re describing; you don’t have to limit yourself to the system groups.






    share|improve this answer














    For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm group.



    On Linux systems, groups tend(ed) to be finer-grained: thus a sudo group granting access to root via sudo (but not exclusively, since users can be granted access individually), an adm group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.



    You could always create your own admin group and use it for the purpose you’re describing; you don’t have to limit yourself to the system groups.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Dec 6 '17 at 9:07

























    answered Dec 6 '17 at 5:44









    Stephen Kitt

    143k22310374




    143k22310374











    • Indeed, thanks! I’ve fixed that.
      – Stephen Kitt
      Dec 6 '17 at 7:49










    • Normally adm on Linux is only for log file access; the IT admin group would be sudo or wheel. Debian also has staff for file ownership.
      – grawity
      Dec 6 '17 at 8:45






    • 2




      @grawity the problem with sudo, wheel and staff is that they grant significant permissions (respectively, the ability to become root, the ability to run su if pam_wheel is set up, and the ability to write to /usr/local — admittedly that’s just part of being an administrator, but it might be more than the OP is after). adm can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
      – Stephen Kitt
      Dec 6 '17 at 9:03

















    • Indeed, thanks! I’ve fixed that.
      – Stephen Kitt
      Dec 6 '17 at 7:49










    • Normally adm on Linux is only for log file access; the IT admin group would be sudo or wheel. Debian also has staff for file ownership.
      – grawity
      Dec 6 '17 at 8:45






    • 2




      @grawity the problem with sudo, wheel and staff is that they grant significant permissions (respectively, the ability to become root, the ability to run su if pam_wheel is set up, and the ability to write to /usr/local — admittedly that’s just part of being an administrator, but it might be more than the OP is after). adm can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
      – Stephen Kitt
      Dec 6 '17 at 9:03
















    Indeed, thanks! I’ve fixed that.
    – Stephen Kitt
    Dec 6 '17 at 7:49




    Indeed, thanks! I’ve fixed that.
    – Stephen Kitt
    Dec 6 '17 at 7:49












    Normally adm on Linux is only for log file access; the IT admin group would be sudo or wheel. Debian also has staff for file ownership.
    – grawity
    Dec 6 '17 at 8:45




    Normally adm on Linux is only for log file access; the IT admin group would be sudo or wheel. Debian also has staff for file ownership.
    – grawity
    Dec 6 '17 at 8:45




    2




    2




    @grawity the problem with sudo, wheel and staff is that they grant significant permissions (respectively, the ability to become root, the ability to run su if pam_wheel is set up, and the ability to write to /usr/local — admittedly that’s just part of being an administrator, but it might be more than the OP is after). adm can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
    – Stephen Kitt
    Dec 6 '17 at 9:03





    @grawity the problem with sudo, wheel and staff is that they grant significant permissions (respectively, the ability to become root, the ability to run su if pam_wheel is set up, and the ability to write to /usr/local — admittedly that’s just part of being an administrator, but it might be more than the OP is after). adm can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
    – Stephen Kitt
    Dec 6 '17 at 9:03













    up vote
    0
    down vote













    If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.



    Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.



    For exemple: a user (foo) is part of a team (teambar).



    For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables




    • Ie, for all "team dirs" and "team files":



      • give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])

      • Give the appropriate access to the team (r only? rx if executable or dir?)

      • restrict access to Others (ie not foo nor members of

      • And don't worry: the admins will be able to access it if needed.


    • and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs

    (don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)






    share|improve this answer


























      up vote
      0
      down vote













      If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.



      Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.



      For exemple: a user (foo) is part of a team (teambar).



      For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables




      • Ie, for all "team dirs" and "team files":



        • give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])

        • Give the appropriate access to the team (r only? rx if executable or dir?)

        • restrict access to Others (ie not foo nor members of

        • And don't worry: the admins will be able to access it if needed.


      • and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs

      (don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)






      share|improve this answer
























        up vote
        0
        down vote










        up vote
        0
        down vote









        If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.



        Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.



        For exemple: a user (foo) is part of a team (teambar).



        For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables




        • Ie, for all "team dirs" and "team files":



          • give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])

          • Give the appropriate access to the team (r only? rx if executable or dir?)

          • restrict access to Others (ie not foo nor members of

          • And don't worry: the admins will be able to access it if needed.


        • and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs

        (don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)






        share|improve this answer














        If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.



        Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.



        For exemple: a user (foo) is part of a team (teambar).



        For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables




        • Ie, for all "team dirs" and "team files":



          • give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])

          • Give the appropriate access to the team (r only? rx if executable or dir?)

          • restrict access to Others (ie not foo nor members of

          • And don't worry: the admins will be able to access it if needed.


        • and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs

        (don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Dec 6 '17 at 10:16

























        answered Dec 6 '17 at 10:09









        Olivier Dulac

        3,7751224




        3,7751224



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f409102%2fwhat-is-the-debian-counterpart-of-the-admin-group-and-what-group-on-debian-make%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?