mjhjmtu

Debian vs Mac OS X regarding the admin group

On Mac OS X, in order to make a file accessible to only the owner and the administrators, I set the group of the file to admin, and set the permission mode of the file to something like 770 (rwxrwx---), 750 (rwxr-x---) or 640 (rw-r-----).

chgrp admin FILE

chmod 750 FILE
# or
chmod 770 FILE
# or
chmod 640 FILE
# or
chmod g+r,o-rwx FILE

Thus, ls -la FILE outputs something like the following, where bob is the owner.

rwxr-x--- bob admin

However, Debian lacks the admin group. What is the Debian counterpart of the admin group? What group on Debian makes files accessible to only the owner and the administrators (after chmod has removed rwx from others)?

By the command id -Gn, administrators on Mac OS X seem to belong to the admin group, while administrators on Debian seem to belong to the sudo group. Is the sudo group on Debian equivalent to the admin group on Mac OS X?

I hesitate to set the group of the file to sudo. The command find / -group sudo reveals that absolutely no files on Debian have the group sudo by default. In contrast, the command find / -group admin reveals that many files on Mac OS X have the group admin by default. So, it seems that the sudo group on Debian is not really equivalent to the admin group on Mac OS X.

For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm group.

On Linux systems, groups tend(ed) to be finer-grained: thus a sudo group granting access to root via sudo (but not exclusively, since users can be granted access individually), an adm group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.

You could always create your own admin group and use it for the purpose you’re describing; you don’t have to limit yourself to the system groups.

If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.

Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.

For exemple: a user (foo) is part of a team (teambar).

For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables

• 
  

  Ie, for all "team dirs" and "team files":

  
  
  
  • give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])
  
  
  • Give the appropriate access to the team (r only? rx if executable or dir?)
  
  
  • restrict access to Others (ie not foo nor members of
  
  
  • And don't worry: the admins will be able to access it if needed.
  
  


• and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs

(don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)