What do the groups do in "Users and Groups"?
I know that some define permissions on the file system (such as www-data). But I don't understand why this question was answered successfully by adding a user to the "Video" group.
So the question is mainly what do all the pre-built groups do in Ubuntu? More reasonably, since there are so many, what "special" groups exist and how or when should they be used?
Solution 1:
Some groups allow access to files or directories, for example: the www-data group allows access to web files, or the adm group allows reading files in /var/log. This is the trivial use.
But some groups allow access to certain devices. For example the dialout group allows access to the serial ports via files in /dev:
$ find /dev -group dialout -exec ls -ld {} \;
crw-rw---- 1 root dialout 4, 64 Jan 19 12:51 /dev/ttyS0
crw-rw---- 1 root dialout 4, 67 Jan 19 12:51 /dev/ttyS3
crw-rw---- 1 root dialout 4, 66 Jan 19 12:51 /dev/ttyS2
crw-rw---- 1 root dialout 4, 65 Jan 19 12:51 /dev/ttyS1
So if you are a member of the dialout group you can use the serial ports by reading and writing to the device file: echo "Hello world" > /dev/ttyS0. The video group allows access to the video hardware.
For a description of each group, read the file: /usr/share/doc/base-passwd/users-and-groups.html
EDIT about first comment:
In fact, usually you don't have to be in those groups to "access" the hardware resources, from a user point of view. The common practice is to have a daemon/server managing it, being member of the most restrictive group, then allowing you access to the daemon/server.
For your case, being a member of the video group allows direct access to the graphics hardware, not through the X server. Usually on a desktop/laptop computer it is nice to have direct access to the graphics hardware (glxinfo | grep "direct rendering").
Side note: if you have direct rendering but you are not a member of the video group (id | grep --color video), you were allowed hardware access by an ACL on the /dev file (find /dev/ -group video -exec getfacl {} \; | grep $USERNAME).
Solution 2:
In general the concept of group separation relates to this:
http://en.wikipedia.org/wiki/Principle_of_least_privilege
It does seem silly to have all of those groups until you realize the alternative would be a single common level of high privilege (ex. sudo/root) which would be a security nightmare.
Most of the groups shown in your post exist so that various pieces of the OS can access common functionality with the least amount of privileges. The user shouldn't have to worry about this too much. During some administrative tasks you may need to raise your privileges to access some functionality; this is usually done using sudo for short one-time tasks and by adding yourself to a specific group for repetitive tasks.
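Putting both answers together (group-owned device nodes in Solution 1, least privilege in Solution 2), here is an added audit script that is not from either answer: it parses a constructed /etc/group-style listing, reports who holds the device-access groups named above (adm, dialout, video), and decides from an ls -l style mode string whether a given user can write a device node through owner, group or other bits. The sample data and the group list are assumptions; ACL grants (the getfacl case in Solution 1) are deliberately not modelled.

```shell
#!/bin/sh
# Constructed /etc/group-style sample; replace with $(cat /etc/group) on a real host.
GROUP_DB='root:x:0:
adm:x:4:syslog,alice
dialout:x:20:alice,bob
video:x:44:bob
www-data:x:33:
plugdev:x:46:'

# Groups that hand out raw hardware or log access and are worth reviewing.
SENSITIVE_GROUPS="adm dialout video"

# members_of_group GROUP [GROUPFILE_CONTENT]
# Prints the supplementary members of GROUP, one per line, in file order.
members_of_group() {
    grp=$1
    db=${2:-$GROUP_DB}
    printf '%s\n' "$db" | awk -F: -v g="$grp" '
        $1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# user_in_group USER GROUP -> exit 0 if USER is listed as a supplementary member
user_in_group() {
    members_of_group "$2" | grep -qx -- "$1"
}

# audit_sensitive_groups: prints "group user" for every member of each sensitive group
audit_sensitive_groups() {
    for g in $SENSITIVE_GROUPS; do
        members_of_group "$g" | sed "s/^/$g /"
    done
}

# user_can_write_device USER MODE OWNER GROUP
# MODE is the first ls -l field, e.g. crw-rw---- ; columns 3/6/9 are the write bits
# for owner/group/other. ACL entries (see getfacl) are not considered here.
user_can_write_device() {
    user=$1; mode=$2; owner=$3; grp=$4
    [ "$(printf '%s' "$mode" | cut -c9)" = w ] && return 0
    [ "$owner" = "$user" ] && [ "$(printf '%s' "$mode" | cut -c3)" = w ] && return 0
    user_in_group "$user" "$grp" && [ "$(printf '%s' "$mode" | cut -c6)" = w ] && return 0
    return 1
}
```

Against a live system, run with GROUP_DB="$(getent group)" and feed user_can_write_device the fields from ls -l /dev/ttyS0.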