What is the Debian counterpart of the admin group, and what group on Debian makes files accessible to only the owner and the administrators?
Clash Royale CLAN TAG#URR8PPP
up vote
4
down vote
favorite
Debian vs Mac OS X regarding the admin
group
On Mac OS X, in order to make a file accessible to only the owner and the administrators, I set the group of the file to admin
, and set the permission mode of the file to something like 770 (rwxrwx---), 750 (rwxr-x---) or 640 (rw-r-----).
chgrp admin FILE
chmod 750 FILE
# or
chmod 770 FILE
# or
chmod 640 FILE
# or
chmod g+r,o-rwx FILE
Thus, ls -la FILE
outputs something like the following, where bob is the owner.
rwxr-x--- bob admin
However, Debian lacks the admin
group. What is the Debian counterpart of the admin
group? What group on Debian makes files accessible to only the owner and the administrators (after chmod has removed rwx from others)?
By the command id -Gn
, administrators on Mac OS X seem to belong to the admin
group, while administrators on Debian seem to belong to the sudo
group. Is the sudo
group on Debian equivalent to the admin
group on Mac OS X?
I hesitate to set the group of the file to sudo
. The command find / -group sudo
reveals that absolutely no files on Debian have the group sudo
by default. In contrast, the command find / -group admin
reveals that many files on Mac OS X have the group admin
by default. So, it seems that the sudo
group on Debian is not really equivalent to the admin
group on Mac OS X.
debian permissions osx group administration
add a comment |Â
up vote
4
down vote
favorite
Debian vs Mac OS X regarding the admin
group
On Mac OS X, in order to make a file accessible to only the owner and the administrators, I set the group of the file to admin
, and set the permission mode of the file to something like 770 (rwxrwx---), 750 (rwxr-x---) or 640 (rw-r-----).
chgrp admin FILE
chmod 750 FILE
# or
chmod 770 FILE
# or
chmod 640 FILE
# or
chmod g+r,o-rwx FILE
Thus, ls -la FILE
outputs something like the following, where bob is the owner.
rwxr-x--- bob admin
However, Debian lacks the admin
group. What is the Debian counterpart of the admin
group? What group on Debian makes files accessible to only the owner and the administrators (after chmod has removed rwx from others)?
By the command id -Gn
, administrators on Mac OS X seem to belong to the admin
group, while administrators on Debian seem to belong to the sudo
group. Is the sudo
group on Debian equivalent to the admin
group on Mac OS X?
I hesitate to set the group of the file to sudo
. The command find / -group sudo
reveals that absolutely no files on Debian have the group sudo
by default. In contrast, the command find / -group admin
reveals that many files on Mac OS X have the group admin
by default. So, it seems that the sudo
group on Debian is not really equivalent to the admin
group on Mac OS X.
debian permissions osx group administration
if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
â Olivier Dulac
Dec 6 '17 at 10:04
What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
â rackandboneman
Dec 6 '17 at 14:17
add a comment |Â
up vote
4
down vote
favorite
up vote
4
down vote
favorite
Debian vs Mac OS X regarding the admin
group
On Mac OS X, in order to make a file accessible to only the owner and the administrators, I set the group of the file to admin
, and set the permission mode of the file to something like 770 (rwxrwx---), 750 (rwxr-x---) or 640 (rw-r-----).
chgrp admin FILE
chmod 750 FILE
# or
chmod 770 FILE
# or
chmod 640 FILE
# or
chmod g+r,o-rwx FILE
Thus, ls -la FILE
outputs something like the following, where bob is the owner.
rwxr-x--- bob admin
However, Debian lacks the admin
group. What is the Debian counterpart of the admin
group? What group on Debian makes files accessible to only the owner and the administrators (after chmod has removed rwx from others)?
By the command id -Gn
, administrators on Mac OS X seem to belong to the admin
group, while administrators on Debian seem to belong to the sudo
group. Is the sudo
group on Debian equivalent to the admin
group on Mac OS X?
I hesitate to set the group of the file to sudo
. The command find / -group sudo
reveals that absolutely no files on Debian have the group sudo
by default. In contrast, the command find / -group admin
reveals that many files on Mac OS X have the group admin
by default. So, it seems that the sudo
group on Debian is not really equivalent to the admin
group on Mac OS X.
debian permissions osx group administration
Debian vs Mac OS X regarding the admin
group
On Mac OS X, in order to make a file accessible to only the owner and the administrators, I set the group of the file to admin
, and set the permission mode of the file to something like 770 (rwxrwx---), 750 (rwxr-x---) or 640 (rw-r-----).
chgrp admin FILE
chmod 750 FILE
# or
chmod 770 FILE
# or
chmod 640 FILE
# or
chmod g+r,o-rwx FILE
Thus, ls -la FILE
outputs something like the following, where bob is the owner.
rwxr-x--- bob admin
However, Debian lacks the admin
group. What is the Debian counterpart of the admin
group? What group on Debian makes files accessible to only the owner and the administrators (after chmod has removed rwx from others)?
By the command id -Gn
, administrators on Mac OS X seem to belong to the admin
group, while administrators on Debian seem to belong to the sudo
group. Is the sudo
group on Debian equivalent to the admin
group on Mac OS X?
I hesitate to set the group of the file to sudo
. The command find / -group sudo
reveals that absolutely no files on Debian have the group sudo
by default. In contrast, the command find / -group admin
reveals that many files on Mac OS X have the group admin
by default. So, it seems that the sudo
group on Debian is not really equivalent to the admin
group on Mac OS X.
debian permissions osx group administration
asked Dec 6 '17 at 5:24
i7pj3qnuz
663
663
if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
â Olivier Dulac
Dec 6 '17 at 10:04
What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
â rackandboneman
Dec 6 '17 at 14:17
add a comment |Â
if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
â Olivier Dulac
Dec 6 '17 at 10:04
What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
â rackandboneman
Dec 6 '17 at 14:17
if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
â Olivier Dulac
Dec 6 '17 at 10:04
if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
â Olivier Dulac
Dec 6 '17 at 10:04
What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
â rackandboneman
Dec 6 '17 at 14:17
What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
â rackandboneman
Dec 6 '17 at 14:17
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
9
down vote
For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm
group.
On Linux systems, groups tend(ed) to be finer-grained: thus a sudo
group granting access to root via sudo
(but not exclusively, since users can be granted access individually), an adm
group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.
You could always create your own admin
group and use it for the purpose youâÂÂre describing; you donâÂÂt have to limit yourself to the system groups.
Indeed, thanks! IâÂÂve fixed that.
â Stephen Kitt
Dec 6 '17 at 7:49
Normallyadm
on Linux is only for log file access; the IT admin group would besudo
orwheel
. Debian also hasstaff
for file ownership.
â grawity
Dec 6 '17 at 8:45
2
@grawity the problem withsudo
,wheel
andstaff
is that they grant significant permissions (respectively, the ability to become root, the ability to runsu
ifpam_wheel
is set up, and the ability to write to/usr/local
â admittedly thatâÂÂs just part of being an administrator, but it might be more than the OP is after).adm
can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
â Stephen Kitt
Dec 6 '17 at 9:03
add a comment |Â
up vote
0
down vote
If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.
Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.
For exemple: a user (foo) is part of a team (teambar).
For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs
, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables
Ie, for all "team dirs" and "team files":
- give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])
- Give the appropriate access to the team (r only? rx if executable or dir?)
- restrict access to Others (ie not foo nor members of
- And don't worry: the admins will be able to access it if needed.
- and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs
(don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
9
down vote
For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm
group.
On Linux systems, groups tend(ed) to be finer-grained: thus a sudo
group granting access to root via sudo
(but not exclusively, since users can be granted access individually), an adm
group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.
You could always create your own admin
group and use it for the purpose youâÂÂre describing; you donâÂÂt have to limit yourself to the system groups.
Indeed, thanks! IâÂÂve fixed that.
â Stephen Kitt
Dec 6 '17 at 7:49
Normallyadm
on Linux is only for log file access; the IT admin group would besudo
orwheel
. Debian also hasstaff
for file ownership.
â grawity
Dec 6 '17 at 8:45
2
@grawity the problem withsudo
,wheel
andstaff
is that they grant significant permissions (respectively, the ability to become root, the ability to runsu
ifpam_wheel
is set up, and the ability to write to/usr/local
â admittedly thatâÂÂs just part of being an administrator, but it might be more than the OP is after).adm
can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
â Stephen Kitt
Dec 6 '17 at 9:03
add a comment |Â
up vote
9
down vote
For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm
group.
On Linux systems, groups tend(ed) to be finer-grained: thus a sudo
group granting access to root via sudo
(but not exclusively, since users can be granted access individually), an adm
group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.
You could always create your own admin
group and use it for the purpose youâÂÂre describing; you donâÂÂt have to limit yourself to the system groups.
Indeed, thanks! IâÂÂve fixed that.
â Stephen Kitt
Dec 6 '17 at 7:49
Normallyadm
on Linux is only for log file access; the IT admin group would besudo
orwheel
. Debian also hasstaff
for file ownership.
â grawity
Dec 6 '17 at 8:45
2
@grawity the problem withsudo
,wheel
andstaff
is that they grant significant permissions (respectively, the ability to become root, the ability to runsu
ifpam_wheel
is set up, and the ability to write to/usr/local
â admittedly thatâÂÂs just part of being an administrator, but it might be more than the OP is after).adm
can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
â Stephen Kitt
Dec 6 '17 at 9:03
add a comment |Â
up vote
9
down vote
up vote
9
down vote
For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm
group.
On Linux systems, groups tend(ed) to be finer-grained: thus a sudo
group granting access to root via sudo
(but not exclusively, since users can be granted access individually), an adm
group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.
You could always create your own admin
group and use it for the purpose youâÂÂre describing; you donâÂÂt have to limit yourself to the system groups.
For file ownership purposes, the closest equivalent, among the groups which are created by default in Debian, is likely the adm
group.
On Linux systems, groups tend(ed) to be finer-grained: thus a sudo
group granting access to root via sudo
(but not exclusively, since users can be granted access individually), an adm
group granting access to certain log files, etc. See the Debian wiki for a list of these system groups.
You could always create your own admin
group and use it for the purpose youâÂÂre describing; you donâÂÂt have to limit yourself to the system groups.
edited Dec 6 '17 at 9:07
answered Dec 6 '17 at 5:44
Stephen Kitt
143k22310374
143k22310374
Indeed, thanks! IâÂÂve fixed that.
â Stephen Kitt
Dec 6 '17 at 7:49
Normallyadm
on Linux is only for log file access; the IT admin group would besudo
orwheel
. Debian also hasstaff
for file ownership.
â grawity
Dec 6 '17 at 8:45
2
@grawity the problem withsudo
,wheel
andstaff
is that they grant significant permissions (respectively, the ability to become root, the ability to runsu
ifpam_wheel
is set up, and the ability to write to/usr/local
â admittedly thatâÂÂs just part of being an administrator, but it might be more than the OP is after).adm
can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
â Stephen Kitt
Dec 6 '17 at 9:03
add a comment |Â
Indeed, thanks! IâÂÂve fixed that.
â Stephen Kitt
Dec 6 '17 at 7:49
Normallyadm
on Linux is only for log file access; the IT admin group would besudo
orwheel
. Debian also hasstaff
for file ownership.
â grawity
Dec 6 '17 at 8:45
2
@grawity the problem withsudo
,wheel
andstaff
is that they grant significant permissions (respectively, the ability to become root, the ability to runsu
ifpam_wheel
is set up, and the ability to write to/usr/local
â admittedly thatâÂÂs just part of being an administrator, but it might be more than the OP is after).adm
can be extended to other purposes without too many side-effects (beyond granting access to log files of course).
â Stephen Kitt
Dec 6 '17 at 9:03
Indeed, thanks! IâÂÂve fixed that.
â Stephen Kitt
Dec 6 '17 at 7:49
Indeed, thanks! IâÂÂve fixed that.
â Stephen Kitt
Dec 6 '17 at 7:49
Normally
adm
on Linux is only for log file access; the IT admin group would be sudo
or wheel
. Debian also has staff
for file ownership.â grawity
Dec 6 '17 at 8:45
Normally
adm
on Linux is only for log file access; the IT admin group would be sudo
or wheel
. Debian also has staff
for file ownership.â grawity
Dec 6 '17 at 8:45
2
2
@grawity the problem with
sudo
, wheel
and staff
is that they grant significant permissions (respectively, the ability to become root, the ability to run su
if pam_wheel
is set up, and the ability to write to /usr/local
â admittedly thatâÂÂs just part of being an administrator, but it might be more than the OP is after). adm
can be extended to other purposes without too many side-effects (beyond granting access to log files of course).â Stephen Kitt
Dec 6 '17 at 9:03
@grawity the problem with
sudo
, wheel
and staff
is that they grant significant permissions (respectively, the ability to become root, the ability to run su
if pam_wheel
is set up, and the ability to write to /usr/local
â admittedly thatâÂÂs just part of being an administrator, but it might be more than the OP is after). adm
can be extended to other purposes without too many side-effects (beyond granting access to log files of course).â Stephen Kitt
Dec 6 '17 at 9:03
add a comment |Â
up vote
0
down vote
If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.
Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.
For exemple: a user (foo) is part of a team (teambar).
For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs
, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables
Ie, for all "team dirs" and "team files":
- give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])
- Give the appropriate access to the team (r only? rx if executable or dir?)
- restrict access to Others (ie not foo nor members of
- And don't worry: the admins will be able to access it if needed.
- and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs
(don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)
add a comment |Â
up vote
0
down vote
If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.
Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.
For exemple: a user (foo) is part of a team (teambar).
For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs
, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables
Ie, for all "team dirs" and "team files":
- give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])
- Give the appropriate access to the team (r only? rx if executable or dir?)
- restrict access to Others (ie not foo nor members of
- And don't worry: the admins will be able to access it if needed.
- and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs
(don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)
add a comment |Â
up vote
0
down vote
up vote
0
down vote
If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.
Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.
For exemple: a user (foo) is part of a team (teambar).
For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs
, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables
Ie, for all "team dirs" and "team files":
- give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])
- Give the appropriate access to the team (r only? rx if executable or dir?)
- restrict access to Others (ie not foo nor members of
- And don't worry: the admins will be able to access it if needed.
- and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs
(don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)
If by "the administrators" you mean people who can, if needed, become root (or who just have access to some needed administrator commands as root) using sudo (and sudoers file), then don't bother using that "admin" group as the group on the user's files : root (id 0) can access almost everything.
Use the "group" part to specifi which group (or "team") is also susceptible to get some kind of access to that user's file/dir.
For exemple: a user (foo) is part of a team (teambar).
For foo files, you could : chown foo:teambar teambarfile(s) and teambardirs
, and then chmod 600 personnal_files ; chmod 700 personnal_dirs ; chmod 640 ~/teambarsubdirs/teambarfiles ; chmod 750 ~ ~/teambarsubdirs ~/teambardirs/executables
Ie, for all "team dirs" and "team files":
- give those files full access to the owner (= foo)(rw, and also x if needed [diretories, and executables])
- Give the appropriate access to the team (r only? rx if executable or dir?)
- restrict access to Others (ie not foo nor members of
- And don't worry: the admins will be able to access it if needed.
- and for "personnal files and dirs": just foo can read/write (/exec) those files and dirs
(don't forget that if the team files/dirs are under some hierarchy, the team needs to be able to access that hierarchy, so usually top-level dirs above needs to grant them "r & x" access too.)
edited Dec 6 '17 at 10:16
answered Dec 6 '17 at 10:09
Olivier Dulac
3,7751224
3,7751224
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f409102%2fwhat-is-the-debian-counterpart-of-the-admin-group-and-what-group-on-debian-make%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
if by "the adminitrators" you mean the people who can "sudo" as root, then don't bother giving files a group for them: id 0 can access everything (unless a specific meta-access (or also an selinux thingy) prevents them access). Use the group for the group (for ex, the team) of the user, not for "the admins"
â Olivier Dulac
Dec 6 '17 at 10:04
What the OP is probably looking for is the closest equivalent to an UAC-controlled administrator on a windows system, or the functional copy that ubuntu integrated into their supported GUIs...
â rackandboneman
Dec 6 '17 at 14:17