Chapter 33. Users and Groups
33.5.1. Group Directories
Many IT organizations like to create a group for each major project and then assign people to the
group if they need to access that project's files. Using this traditional scheme, managing files has been
difficult; when someone creates a file, it is associated with the primary group to which they belong.
When a single person works on multiple projects, it is difficult to associate the right files with the right
group. Using the UPG scheme, however, groups are automatically assigned to files created within a
directory with the setgid bit set. The setgid bit makes managing group projects that share a common
directory very simple because any files a user creates within the directory are owned by the group
which owns the directory.
Let us say, for example, that a group of people need to work on files in the
/usr/share/emacs/site-lisp/ directory. Some people are trusted to modify the directory, but
certainly not everyone is trusted. First create an emacs group, as in the following command:
/usr/sbin/groupadd emacs
To associate the contents of the directory with the emacs group, type:
chown -R root:emacs /usr/share/emacs/site-lisp
Now, it is possible to add the proper users to the group with the gpasswd command:
/usr/bin/gpasswd -a <username> emacs
To allow users to create files within the directory, use the following command:
chmod 775 /usr/share/emacs/site-lisp
With only these permissions, a new file that a user creates is still assigned to the user's default
private group. Next, set the setgid bit, which assigns everything created in the directory to the same
group as the directory itself (emacs). Use the following command:
chmod 2775 /usr/share/emacs/site-lisp
At this point, because the default umask of each user is 002, all members of the emacs group can
create and edit files in the /usr/share/emacs/site-lisp/ directory without the administrator
having to change file permissions every time users write new files.
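The following audit is an added example, not part of the original manual. It checks a shared directory against the setup above: group ownership, the setgid bit on every directory (chmod 2775 on the top directory is not recursive), group write access, and no world write access. The names audit_shared_dir and make_demo_tree, the finding labels and the sandbox tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual). audit_shared_dir, its finding labels
# and the demo tree are constructed names for illustration.

# audit_shared_dir DIR GROUP: print one finding per line; return 1 if any.
audit_shared_dir() {
    dir=$1
    group=$2
    findings=$(
        # Entries created before setgid was set, or renamed in with mv,
        # keep their old group.
        find "$dir" ! -group "$group" -print | sed 's/^/wrong-group /'
        # chmod 2775 on the top directory is not recursive: subdirectories
        # that already existed still hand out the creator's private group.
        find "$dir" -type d ! -perm -2000 -print | sed 's/^/no-setgid /'
        # Files written under a stricter umask such as 022 lock out the group.
        find "$dir" ! -type l ! -perm -0020 -print | sed 's/^/not-group-writable /'
        # Mode 775 gives "other" no write access; flag anything looser.
        find "$dir" ! -type l -perm -0002 -print | sed 's/^/world-writable /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed sandbox that mimics a shared directory; print its path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    chmod 2775 "$t"
    (
        umask 002
        mkdir "$t/new-sub"       # inherits setgid and group from $t
        : > "$t/ok.el"           # mode 664, group of $t
        mkdir "$t/old-sub"
        chmod g-s "$t/old-sub"   # models a subdirectory that predates setgid
        umask 022
        : > "$t/private.el"      # mode 644: group members cannot edit it
    )
    echo "$t"
}

tree=$(make_demo_tree)
gid=$(ls -ldn "$tree" | awk '{print $4}')   # stand-in for the emacs group
audit_shared_dir "$tree" "$gid"   # reports old-sub and private.el
rm -rf "$tree"
```

On the real directory the call would be audit_shared_dir /usr/share/emacs/site-lisp emacs; a non-zero return means at least one entry deviates from the setup.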
33.6. Shadow Passwords
In multiuser environments it is very important to use shadow passwords (provided by the
shadow-utils package). Doing so enhances the security of system authentication files. For this reason, the
installation program enables shadow passwords by default.
The following lists the advantages shadow passwords have over the traditional way of storing
passwords on UNIX-based systems: