On 27 Jan 2003, rahul revo wrote:
There are two types of users/groups: system users and normal users. System groups include groups like apache, mail, etc. and other app and system groups. There are users like root who are members of more system groups as well. What is the use of these system groups?
These groups depend on the specific application using them. For example, the group apache (and user apache) are the user/group that the apache web server - and all CGI scripts running under it - run as. The purpose for this is that you can set restrictive permissions for this user/group and anything that happens through the webserver will have only those permissions.
Since apache needs to bind to port 80, it will have to be started by root. If apache keeps running as root, then any CGI program - which may be insecure - will also run as root. To protect against this, apache runs setuid/setgid apache (in some systems it may be www or nobody).
Same is the case for sendmail.
There are other groups that give the members of that group special privileges. For example, members of the wheel group can do special administrative tasks without having to become root (you have to configure a pam module to enable this). On some systems the disk drives are owned by group disk, so only members of group disk can read/write from raw disks (not mounted file systems). If you want to play a CD/VCD, you'll have to be a member of disk.
Special groups are those that have gid < 100 (or 500, I forget which).
Can I create a normal user as a member of one of these system groups? Say apache.
Yes, although adding someone to the apache group won't have much use. The apache config files are owned by root so that the web server cannot write to them.
If I can, what additional functionality will that user get? Will that user get full access to all apache files, including changing the config etc.?
See above. For apache/sendmail - no additional privileges. For group wheel, and disk and some others, yes, additional privileges.
HTH.
Philip
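
An added example, not part of the original message: a Python check that lists which normal users belong to system groups, counting both the member list in the group file and the primary gid in the passwd file. The sample records and the default threshold of 500 are assumptions (the reply above gives 100 or 500 as the cut-off).

```python
# Constructed sample data in passwd/group file format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
carol:x:502:6::/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:root
disk:x:6:root
wheel:x:10:root,alice
apache:x:48:bob
alice:x:500:
bob:x:501:
"""

def parse(text, nfields):
    """Split colon-separated records; skip blank, comment and short lines."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= nfields:
            rows.append(fields)
    return rows

def system_group_members(passwd_text, group_text, threshold=500):
    """Map each system group to the normal users that belong to it."""
    # Assumption: ids below `threshold` are system ids, ids at or above it are normal.
    users = {}
    for f in parse(passwd_text, 7):
        if f[2].isdigit() and f[3].isdigit():
            users[f[0]] = (int(f[2]), int(f[3]))  # name -> (uid, primary gid)
    report = {}
    for name, _, gid, members in (f[:4] for f in parse(group_text, 4)):
        if not gid.isdigit() or int(gid) >= threshold:
            continue
        listed = {m for m in members.split(",") if m}
        primary = {u for u, (_, g) in users.items() if g == int(gid)}  # not in member list
        normal = sorted(u for u in listed | primary if u in users and users[u][0] >= threshold)
        if normal:
            report[name] = normal
    return report

if __name__ == "__main__":
    for group, members in system_group_members(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{group}: {', '.join(members)}")
```

On the sample data, carol is reported under disk even though she is absent from that group's member list, because disk is her primary group.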