Ubuntu's default groups


Aaron Toponce

Dec 3, 2009, 4:06:45 PM
to oa...@googlegroups.com, ubuntu...@lists.ubuntu.com
[This is cross-posted to both OALUG and Ubuntu Utah]

So, I've noticed this since day one it seems, and I'm finally curious
enough about the behavior to ask on this list.

Why does Ubuntu put the default user into so many friggin' user groups?
Seriously! Try removing yourself from the CDROM group, and see what
happens when you put in a CD. What gives?

This isn't from upstream Debian, and it's not common behavior on any
other operating system that I'm aware of. Is this an extension of
PolicyKit or PAM or something? Why does the user need to be a part of
the 'scanner' group, even when I don't have a scanner installed? Really,
it seems Ubuntu is complicating everything that used to be so simple
about Unix, because they're trying so hard to be like Windows.

--
. O . O . O . . O O . . . O .
. . O . O O O . O . O O . . O
O O O . O . . O O O O . O O O


Aaron Toponce

Dec 3, 2009, 5:17:10 PM
to Ubuntu Utah Local Community Team, oa...@googlegroups.com
Mike Basinger wrote:
> That is kinda harsh.

It wasn't meant to be harsh. I'm upset that when I get on an Ubuntu
machine, it feels less and less like a Unix machine. I'm getting to the
point where I need a separate set of training to understand the changes
Ubuntu is making to their operating system, where these changes don't exist
anywhere else, especially upstream. Ultimately, it's their decision, and
I respect that. Canonical and the Ubuntu development team can do
anything they wish with their OS. After all, it _is_ an operating system.

> We have to "complicate" a base Linux setup in
> Ubuntu to make it work on the widest variety of hardware setups. You
> may not have a scanner, but we want Ubuntu to work seamlessly if
> someone plugs in a scanner.

I understand that, but working with the largest set of hardware just
requires drivers to power the hardware, nothing more. This is why Ubuntu
is so successful. They'll ship proprietary drivers and blobs, where
others won't. Wireless, video, sound, and many other cards work in
Ubuntu and not Fedora or Debian, because of these drivers.

Where Ubuntu is doing their own thing, and ultimately complicating the
setup, is the configuration file changes, that aren't necessary.

> It is the question, do we want Linux to be a hobbyist OS or do we want
> to compete for market share someplace other than servers.

I'm all for competing, but complicating the setup doesn't seem like the
right set of moves to be making.

For example, on this groups issue I brought up. Say the user wants to
add himself to some group, for whatever purpose. He searches the
Internet a bit, and finds from some random user:

$ sudo usermod -G group_name user

After doing so, he later finds he lost all the groups he was just
previously a member of! How does he fix it? How does he know what groups
he was in? Of course, this would be a problem for any number of groups
that he was in, but now that _lots_ of stuff doesn't work, like his
scanner or cdrom, because he lost those groups, means a painful
experience of getting everything back in order. Had he been in one or
two additional groups, this wouldn't be so bad.

I guess I'm asking this: what is the technical reason for putting the
default user into several groups, when it provides no apparent technical
advantages, and could mean a nightmare of a challenge should he lose
being a member of a group? Why is this implemented?
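
The recovery question raised in the message above ("How does he know what groups he was in?"), as an added example that is not part of the original post: `usermod -G` sets the supplementary group list to exactly the groups given, while `usermod -a -G` appends. The script compares an older copy of the group database with the current one and prints the append-style command that restores what was lost. The file names, the `projects` group and the sample entries are constructed; on Debian and Ubuntu the shadow tools normally keep the previous copy as `/etc/group-`, which is an assumption to verify on your own system.

```shell
#!/bin/sh
# Added example: find the supplementary groups a user lost between two
# copies of the group database (format: name:passwd:gid:member1,member2,...).

# Print, sorted and one per line, the groups in FILE that list USER as a member.
groups_of() {
    # $1 = user, $2 = group file
    awk -F: -v u="$1" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { print $1; break }
        }' "$2" | sort
}

# Print the groups USER had in OLD but no longer has in NEW.
lost_groups() {
    # $1 = user, $2 = old group file, $3 = new group file
    old=$(mktemp)
    new=$(mktemp)
    groups_of "$1" "$2" > "$old"
    groups_of "$1" "$3" > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# Print the command that restores them by appending (-a) instead of replacing.
restore_cmd() {
    lost=$(lost_groups "$1" "$2" "$3" | paste -sd, -)
    if [ -n "$lost" ]; then
        printf 'usermod -a -G %s %s\n' "$lost" "$1"
    fi
}

# Constructed sample: membership before and after `usermod -G projects aaron`.
tmp=$(mktemp -d)
printf '%s\n' 'cdrom:x:24:aaron' 'audio:x:29:aaron,bobby' \
    'scanner:x:104:aaron' 'projects:x:1001:' > "$tmp/group.old"
printf '%s\n' 'cdrom:x:24:' 'audio:x:29:bobby' \
    'scanner:x:104:' 'projects:x:1001:aaron' > "$tmp/group.new"

restore_cmd aaron "$tmp/group.old" "$tmp/group.new"
```

On a real system the two arguments would be the backup copy and `/etc/group`, and the printed command would be reviewed and then run as root.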


Seth House

Dec 3, 2009, 5:32:36 PM
to Ogden Area Linux Users Group
On Dec 3, 2:06 pm, Aaron Toponce <aaron.topo...@gmail.com> wrote:
> Why does Ubuntu put the default user into so many friggin' user groups?
> Seriously! Try removing yourself from the CDROM group, and see what
> happens when you put in a CD. What gives?

Wow, I hadn't noticed that before. I just checked a fresh, minimal
Ubuntu server install and I'm in thirteen groups by default. (Two of
those groups, fuse and admin, are intentional.)

In regards to the CDROM group, similarly both Arch and Slackware
default with optical, audio, video, and power groups. I'm pretty sure
it is for hal and/or PolicyKit (or so the Arch wiki indicates). That
said, I've got a minimal Slack server running without hal or PolicyKit
installed and I'm still in those groups.

Aaron Toponce

Dec 3, 2009, 6:26:36 PM
to Ubuntu Utah Local Community Team, oa...@googlegroups.com
Christer Edwards wrote:
> If the users are put into the widest range of groups to begin with
> there shouldn't be any reason why they'd be running usermod -G and
> screwing things up. Also, group membership is important for access to
> the hardware. On my Arch machine I forgot to put myself into the audio
> and optical group and couldn't use my CD drive or listen to audio.

This is odd to me. Why should you be a member of your group to access
hardware? Isn't that the kernel's responsibility? On my Debian machine:

uid=1000(aaron) gid=1000(aaron) groups=119(fuse),1000(aaron)

I'm in the fuse group, so I can mount fuse filesystems locally to one of
my directories without root privileges. However, I can still access
audio cds, play music, access my attached printer, watch videos, mount
thumb drives, and everything else just fine. I'm failing to see the
advantage adding myself to 13 groups provides.

Now, maybe this is standard, tacking on 13 groups to the default user.
However, here's Solaris:

uid=1001(aaron) gid=1(other)

... and HP-UX:

uid=106(aaron) gid=20(users)

... and RHEL:

uid=503(aaron) gid=503(aaron) groups=503(aaron)

However, pulling up Mac OS X is completely different:

uid=502(aaron) gid=20(staff)
groups=20(staff),402(com.apple.sharepoint.group.1),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(admin),79(_appserverusr),61(localaccounts),12(everyone),403(com.apple.sharepoint.group.2),401(com.apple.access_screensharing)

Really odd group accounts too, but whatever. Not sure how much is
actually necessary, like "com.apple.sharepoint.group.1". So, maybe
Ubuntu is trying to mimic Mac OS X? I'm still failing to see the
advantages though.

> If you want stuff to "just work" and not require any manual
> configuration, use Ubuntu. If you want a stripped, strict
> UNIX-standard system maybe Ubuntu isn't the right answer for your
> system.

I'm not looking for any answer to my needs. I've already found it, and
Ubuntu fits in that picture. What I'm asking is why the change/need,
when I can easily do everything on Debian, being in 2 groups, that takes
13 to do on Ubuntu.

Consider for a moment Fedora moving X11 from tty7 to tty1. It was a
change that brought no apparent advantage, and broke tons, and tons of
documentation. The developers were just tired of it on tty7, and thought
it was time for a change.

If a change warrants a strong technical advantage, or clearly brings
about great benefits, then by all means make the change, but what does
moving X11 from tty7 to tty1 or putting a user in 13 default groups do
for the system? I'm not griping as much as I really want to know.


Stuart Jansen

Dec 3, 2009, 7:02:37 PM
to oa...@googlegroups.com
On Thu, 2009-12-03 at 16:26 -0700, Aaron Toponce wrote:
> This is odd to me. Why should you be a member of your group to access
> hardware? Isn't that the kernel's responsibility? On my Debian machine:

Are you forgetting about pam_console and friends? Setting permissions on
devices is an important part of letting the kernel do its job.

> Consider for a moment Fedora moving X11 from tty7 to tty1. It was a
> change that brought no apparent advantage, and broke tons, and tons of
> documentation. The developers were just tired of it on tty7, and thought
> it was time for a change.

The stated reason for the change was not boredom, it was "to avoid
flicker". I think that's baloney, but it still kills your example.

> If a change warrants a strong technical advantage, or clearly brings
> about great benefits, then by all means make the change, but what does
> moving X11 from tty7 to tty1 or putting a user in 13 default groups do
> for the system? I'm not griping as much as I really want to know.

Maybe I want to be able to use my cdrom, scanner and soundcard but I
don't want little Bobby using anything other than the soundcard.
Ubuntu's method allows me to easily enforce that. (Although I think
configuring pam_console is a better solution.)

--
"XML is like violence: if it doesn't solve your problem, you aren't
using enough of it." - Chris Maden

Jonathan Karras

Dec 3, 2009, 8:58:26 PM
to oalug
While checking groups you should compare /dev/ permissions. Maybe the
audio/cdrom devices are part of the users group on those other
distros.

Jonathan
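
The comparison suggested in the message above, as an added example that is not part of the original post: a supplementary group only affects hardware access if some device node is owned by that group and is not already open to "other". The script lists such group-gated nodes and reports which gids from a given list gate nothing under the directory. It assumes GNU find and stat; the function names are made up for this example, and POSIX ACLs on the nodes are not visible in the mode bits and are not considered.

```shell
#!/bin/sh
# Added example: which group memberships actually gate a device node?
# Assumes GNU find (-perm /MODE) and GNU stat (-c FORMAT).

# List nodes under DIR whose access depends on group membership:
# the group has read or write, "other" has neither.
# Output columns: gid group mode path
gated_nodes() {
    find "$1" ! -type d ! -type l -perm /060 ! -perm /006 \
        -exec stat -c '%g %G %a %n' {} + 2>/dev/null
}

# From a space-separated gid list ($1, e.g. the output of `id -G user`),
# print the gids that own at least one gated node under DIR ($2).
gids_in_use() {
    owned=$(gated_nodes "$2" | awk '{print $1}' | sort -u)
    for g in $1; do
        printf '%s\n' "$owned" | grep -qx "$g" && echo "$g"
    done | sort -u
}

# Print the gids from the list that gate nothing under DIR. These are the
# memberships that grant no device access through plain mode bits.
gids_unused() {
    used=$(gids_in_use "$1" "$2")
    for g in $1; do
        printf '%s\n' "$used" | grep -qx "$g" || echo "$g"
    done | sort -u
}

# Usage: check the current login's groups against /dev.
gids_unused "$(id -G)" /dev
```

Running `gated_nodes /dev` on two distributions side by side shows whether the audio and optical nodes are group-restricted on one and world-accessible on the other.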

Aaron Toponce

Dec 3, 2009, 11:12:11 PM
to oa...@googlegroups.com, Ubuntu Utah Local Community Team
Stuart Jansen wrote:
> Are you forgetting about pam_console and friends? Setting permissions on
> devices is an important part of letting the kernel do its job.

How is what Ubuntu does different from Debian or Fedora? I'm referring to permission modes on hardware.

> > Consider for a moment Fedora moving X11 from tty7 to tty1. It was a
> > change that brought no apparent advantage, and broke tons, and tons of
> > documentation. The developers were just tired of it on tty7, and thought
> > it was time for a change.
>
> The stated reason for the change was not boredom, it was "to avoid
> flicker". I think that's baloney, but it still kills your example.

Then why not move /dev/console to tty7?

> Maybe I want to be able to use my cdrom, scanner and soundcard but I
> don't want little Bobby using anything other than the soundcard.
> Ubuntu's method allows me to easily enforce that. (Although I think
> configuring pam_console is a better solution.)

I guess I'll have to take a closer look at pam_console. This makes a little sense, I guess.

Leif Andersen

Dec 3, 2009, 11:28:56 PM
to Ubuntu Utah Local Community Team, oalug
Hmm...interesting, so am I really the only person that thinks having a 'scanner group' is really not intuitive in the least?

~Leif
----------
Did you like this rant?  You can find more at:
http://www.leifandersen.net


On Thu, Dec 3, 2009 at 21:23, Will Smith <underta...@gmail.com> wrote:
> On Thu, Dec 3, 2009 at 4:26 PM, Aaron Toponce <aaron....@gmail.com> wrote:
> > This is odd to me. Why should you be a member of your group to access
> > hardware? Isn't that the kernel's responsibility? On my Debian machine:
> >
> > uid=1000(aaron) gid=1000(aaron) groups=119(fuse),1000(aaron)
> >
> > I'm in the fuse group, so I can mount fuse filesystems locally to one of
> > my directories without root privileges. However, I can still access
> > audio cds, play music, access my attached printer, watch videos, mount
> > thumb drives, and everything else just fine. I'm failing to see the
> > advantage adding myself to 13 groups provides.
> >
> > Now, maybe this is standard, tacking on 13 groups to the default user.
> > However, here's Solaris:
> >
> > uid=1001(aaron) gid=1(other)
> >
> > ... and HP-UX:
> >
> > uid=106(aaron) gid=20(users)
> >
> > ... and RHEL:
> >
> > uid=503(aaron) gid=503(aaron) groups=503(aaron)
> >
> > <snip>
>
> By way of comparison though, when I used Fedora and installed my scanner stuff I had to add myself to the scanner group in order to use the scanner. So you need to do it later even on these other systems.
>
> Will--

--
ubuntu-us-ut mailing list
ubuntu...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-ut


brandon

Dec 3, 2009, 11:46:53 PM
to oa...@googlegroups.com
I think it has nothing to do with intuition, and everything to do with using groups as DAC ACLs.  I have never actually seen it in action, but I suspect they are just using groups... as groups.  The whole DAC model in action.

Ideally, you never actually have to deal with it because the software wraps it all, but it gives you the ability to have the granular control if you need to use it on a many-user system.

Or do you think we never will need more than 640k ram?

-B


Leif Andersen

Dec 4, 2009, 12:08:50 AM
to oalug
Hm...  Actually, I'm beginning to think that I am, lol.  I just had a 20 min. argument with my father, and apparently he thinks groups are a really great way of organising who has access to what hardware.  I guess I'm just too young to really understand the thinking behind the original designers.


~Leif
----------
Did you like this rant?  You can find more at:
http://www.leifandersen.net


Stuart Jansen

Dec 4, 2009, 8:38:20 AM
to oa...@googlegroups.com
On Thu, 2009-12-03 at 22:08 -0700, Leif Andersen wrote:
> Hm... Actually, I'm beginning to think that I am, lol. I just had a
> 20 min. argument with my father, and apparently he thinks groups are a
> really great way of organising who has access to what hardware. I
> guess I'm just too young to really understand the thinking behind the
> original designers.

No, it isn't great. It implies constant access to the hardware. Red Hat
using pam_console and SUSE using pam_(mumble) can have more fine grained
access control. For example, RH configures pam_console so that only
local logins get access to the sound card, whereas remote logins don't.
In other words, no need to worry about some joker SSH-ing into all the
Comp Sci lab computers and making them fart.

Groups is a very Unix-y solution, but it's kinda old fashioned and far
from optimal.

Joshua Gardner

Dec 4, 2009, 9:20:14 AM
to oa...@googlegroups.com
Well, look at that. First it was "Ubuntu uses too many groups and is
trying to be too much like Windows and not UNIX-like enough." Now it's
come full circle and Ubuntu is being too UNIX-y using groups instead
of pam.

lol

-Josh
> --
> Site: http://www.oalug.com
> Mailing list: http://groups.google.com/group/oalug
> IRC: #oalug on irc.freenode.net



--
Society loses the value of things which are uselessly destroyed.
--Frederick Bastiat

GCS/B/M d+ s+ a--- C++ UL++ Py+++ L+++ E- W++ w-- M- PS+++ PE+++ Y+>++
PGP+ t+ R tv- b+ DI++ G e h! r! y-

Christian Horne

Dec 4, 2009, 10:48:53 AM
to oa...@googlegroups.com
i have been messing around with the internals of ubuntu lately, and
i'm liking it more and more as i learn how it works. it's designed to
be easily scalable, for instance you could make your desktop machine
into a shell server JUST by installing ssh, it's designed so that it
is already ready for use as a shell server. or if you want a web
server, then just install httpd and then ~/public is each user's
personal subdirectory on the webserver. of course other distros do it
too just ubuntu seems to take it to the next level - but they don't
tell anybody they're doing it and so everybody calls what they're
doing too much complexity.
the blendmaster