LAB-USER-04 - Group Dynamics & File Modes

Understand how groups function as the connective tissue between users, enabling secure team collaboration and shared access.


45 min INTERMEDIATE LINUX Curriculum-reviewed
Success criteria
  • Understand how groups function as the connective tissue between users, enabling secure team collaboration and shared access.
  • Repeat the workflow without copy-paste or step-by-step prompting.
Safety notes
  • Use throwaway accounts or a lab VM when creating, deleting, or modifying users and groups.

Part A: The Field Guide


🎯 What & Why

You have 5 developers working on a website located in /var/www/html.

If the files are owned exclusively by alice, the other 4 developers get “Permission Denied” when they try to edit them. If you make the files readable/writable by everyone (the whole world), you create a massive security vulnerability.

The solution is the middle tier of Linux permissions: The Group.

Groups are buckets. You throw users into a bucket (e.g., webdevs). You then hand ownership of the /var/www/html folder to the webdevs bucket. Suddenly, all 5 developers have access, but the rest of the server is locked out. Groups are the cornerstone of collaboration on a shared server.


🧠 Mental Model: The Club House

Think of a Group as an exclusive Club House.

  1. The Registry (/etc/group): A list of all clubs and who is currently a member.
  2. Primary Group: When Dave creates a new file, it is automatically stamped with his Primary Group (usually dave).
  3. Secondary Groups: Dave can be a member of the “Admins” club, the “DevOps” club, and the “Docker” club. He can use their clubhouses, but he doesn’t default to them.

The Golden Law of Group Updates: Adding a user to a group does not change any session that is already running. Group membership is read from /etc/group and attached to a user's processes when a login session is created (the login program or PAM calls initgroups); every process started in that session inherits that fixed list, and the kernel never re-reads /etc/group on its own. If you add Dave to the docker group while he is logged in, his existing shell still carries the old list and he will get "Permission denied" when he runs Docker. He must log out and log back in (or start a fresh login session, for example over ssh) for the new group badge to be issued.


📖 Key Concepts & Files

/etc/group (The Club List)

Similar to /etc/passwd. It translates Group Names to Group IDs (GIDs).

A typical line looks like this: docker:x:115:dave,alice

  1. docker: The name of the group.
  2. x: Password placeholder. Group passwords are almost never used; if one is set it lives in /etc/gshadow, not here.
  3. 115: The unique GID.
  4. dave,alice: A comma-separated list of secondary members.

💡 Where is the Primary Member?

If you look at /etc/group, you might find the dave group line empty at the end: dave:x:1000:. This confuses beginners. “Why isn’t Dave a member of his own group?”

Answer: Primary group assignments are stored in /etc/passwd (the fourth field, as a numeric GID), not /etc/group! The final column in /etc/group only lists Secondary members. So to know everything a user belongs to you need both files: the GID from /etc/passwd for the primary group, and every /etc/group line whose member list names the user for the secondaries.
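The following is an added example for this lab, not code from the original page: the two lookups a login program performs to build a user's group list, written as shell functions so they can be pointed at constructed copies of /etc/passwd and /etc/group, plus a check that compares a live session's groups with what the files say (the Golden Law above, turned into something you can run). It assumes POSIX sh and awk; the default paths are the real files.

```shell
# Added example (not the original lab's code). Assumes POSIX sh/awk.
# All file paths are optional so the functions can run against sample files.

# primary_group USER [PASSWD_FILE] [GROUP_FILE]
# The primary group is NOT in /etc/group: it is field 4 of /etc/passwd,
# as a GID, which we translate back to a name via /etc/group.
# Fails (return 1, no output) for an unknown user.
primary_group() {
    local user=$1 passwd=${2:-/etc/passwd} group=${3:-/etc/group} gid
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group"
}

# secondary_groups USER [GROUP_FILE]
# Field 4 of /etc/group is the comma-separated member list. Match whole
# names, so "dave" does not match a member called "davey".
secondary_groups() {
    local user=$1 group=${2:-/etc/group}
    awk -F: -v u="$user" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }
    ' "$group"
}

# all_groups USER [PASSWD_FILE] [GROUP_FILE]
# Primary first, then secondaries, one per line, duplicates dropped.
# This is the list a FRESH login session would be stamped with.
all_groups() {
    local user=$1 passwd=${2:-/etc/passwd} group=${3:-/etc/group}
    { primary_group "$user" "$passwd" "$group"
      secondary_groups "$user" "$group"; } | awk '!seen[$0]++'
}

# stale_groups "SESSION_LIST" "FILE_LIST"
# SESSION_LIST is what a live shell reports (output of id -nG);
# FILE_LIST is what the files say (output of all_groups). Prints the
# groups the files grant but the session has not picked up: a non-empty
# result is exactly the "log out and back in" situation from the Golden
# Law. Both arguments are deliberately left unquoted so they word-split.
stale_groups() {
    { printf 'S %s\n' $1; printf 'F %s\n' $2; } |
    awk '$1 == "S" { have[$2] = 1; next }
         $2 != "" && !($2 in have) && !seen[$2]++ { print $2 }'
}

# Check your own session against the files (prints nothing when current):
#   stale_groups "$(id -nG)" "$(all_groups "$(id -un)")"
```

Run the last line after someone has just been added to a group: if it prints the group's name, the session is stale and the user needs a fresh login, which is the diagnosis behind most "I added him but it still says Permission denied" tickets.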


📖 Command Reference

groups (Check Membership)

A quick way to list all the clubs a user belongs to.

Checking groups

$ groups alice
alice : alice sudo developers cdrom

groupadd & groupdel (Create/Destroy Clubs)

Exactly like useradd, but for groups. One check before deleting: groupdel refuses to remove a group that is still some user's primary group, so reassign those users first (and look at the secondary members listed in /etc/group, because every one of them silently loses that access).

Managing groups

$ # Create a new group for the database team
$ sudo groupadd db_admins

$ # Delete a deprecated group
$ sudo groupdel legacy_team

usermod -aG (Adding Users to Clubs)

We saw this in Lab 2. -G specifies the group(s), and -a (Append) is absolutely critical.

Assigning members

$ # DANGER: the following REPLACES Alice's whole secondary group list
$ sudo usermod -G db_admins alice
$ # This removes Alice from sudo and all other groups, leaving her ONLY in db_admins!

$ # RIGHT WAY: Append Alice to the new group
$ sudo usermod -aG db_admins alice

gpasswd (Removing Users from Clubs)

While usermod manages the user side, gpasswd manages the group side. It's the cleanest way to remove someone from a group. Note that gpasswd -d only touches secondary membership: a user's primary group is set in /etc/passwd and is changed with usermod -g, not removed.

Kicking a member

$ # Remove (-d) alice from the db_admins group
$ sudo gpasswd -d alice db_admins
Removing user alice from group db_admins


🌍 Real Scenarios

Scenario 1: Granting Docker Access
By default, the Docker daemon runs as root and its socket, /var/run/docker.sock, is owned by root:docker. If a normal user types docker ps, they get a "permission denied" socket error. The documented solution is to add them to the docker group (sudo usermod -aG docker charlie). When Charlie logs back in, he has full Docker access without needing sudo. Security caveat: membership in the docker group is root-equivalent. Anyone who can talk to the socket can start a container with the host's root filesystem mounted and change anything on it, so grant this group only to people you would also trust with sudo, and audit its member list together with sudo and wheel.

Scenario 2: The Shared Project Folder
You have /var/projects/alpha. You create a group: sudo groupadd team_alpha. You add users: sudo usermod -aG team_alpha bob and sudo usermod -aG team_alpha alice. You change the group ownership of the directory (we will cover the chown command deeply in the Permissions labs, but it looks like this): sudo chown root:team_alpha /var/projects/alpha. Now team_alpha controls the folder. Two caveats a real deployment needs: group ownership only decides which group the mode's "group" bits apply to, so the directory also needs group read/write/execute permission (chmod g+rwx); and unless the directory carries the setgid bit (chmod g+s), files Bob creates inside it are stamped with his primary group bob rather than team_alpha, and Alice cannot edit them.
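The follow-through for Scenario 2, as an added example that is not part of the original lab: turning "team_alpha controls the folder" into a directory that works for a team, with probes to verify the mode, the owning group, and the group a freshly created file actually receives. It assumes Linux with GNU or busybox stat, and a caller allowed to chgrp to the target group (root, or the directory's owner who is a member of that group).

```shell
# Added example (not the original lab's code). Assumes Linux + GNU/busybox stat.

# make_shared_dir DIR GROUP
# chown root:team_alpha only chooses WHICH group the mode's "group" bits
# refer to; two more things make it a working team folder:
#   1. rwx for the group, so members can list, enter and write;
#   2. the setgid bit on the directory (the leading 2 in 2770), so files
#      created inside inherit the directory's group instead of the
#      creator's primary group. Without it Bob's files are bob:bob and
#      Alice gets "Permission denied" on them.
# 2770 rather than 2775 keeps everyone outside the group out entirely.
make_shared_dir() {
    local dir=$1 grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    chmod 2770 "$dir"
}

# dir_mode PATH  -> octal mode as stat prints it, e.g. 2770
dir_mode() { stat -c '%a' "$1"; }

# group_of PATH  -> name of the owning group
group_of() { stat -c '%G' "$1"; }

# new_file_group DIR -> the group a file created in DIR right now receives.
# On a setgid directory this is the directory's group; on a plain
# directory it is the creating process's primary group.
new_file_group() {
    local f
    f=$(mktemp "$1/probe.XXXXXX") || return 1
    group_of "$f"
    rm -f "$f"
}

# Usage as root, after the groupadd/usermod steps from the scenario:
#   make_shared_dir /var/projects/alpha team_alpha
#   dir_mode /var/projects/alpha        # 2770
#   new_file_group /var/projects/alpha  # team_alpha, even when bob runs it
```

After make_shared_dir, ls -ld on the directory shows drwxrws--- with an s in the group execute position; that s is the setgid bit doing the inheriting. A member of team_alpha still needs a fresh login before the group bits apply to them, for the reason given under the Golden Law.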


⚠️ Gotchas & Pitfalls

  1. The Active Session Illusion — Most group-related support tickets are variations of: "I ran usermod -aG sudo dave, but Dave still can't use sudo!" Remember the Golden Law: Dave must end his login session and reconnect; his current session still uses his old ID badge. Opening another terminal window or tab in the same desktop session is not enough, because the new tab inherits the session's existing group list. (Alternatively, Dave can type newgrp sudo, which starts a new shell with sudo as its active group, but that only helps inside that one shell; logging out is more foolproof.)
  2. Duplicate Names — On most distributions (wherever USERGROUPS_ENAB is yes in /etc/login.defs, the default on Debian, Ubuntu and RHEL-family systems), useradd dave also creates a private group named dave and makes it Dave's primary group. It is normal and expected to have matching user and group names; useradd -N creates the user without the private group.

Part B: The Drill Deck

Terminal Required: Open your Linux terminal for these exercises. You will need sudo.


Guided: Step by step - type exactly this and compare the result

Exercise G1: Read the Club List

  1. Display the system’s group translator file: cat /etc/group.
  2. Scroll through. Look for system groups like syslog, www-data (web server), or docker.
  3. Locate the sudo (or wheel) group line. Look at the end of the line — you should see your username listed there as a member possessing administrator power.

Exercise G2: Investigating Yourself

  1. Run: groups
  2. This lists all groups your current session is aware of. The first group listed is your Primary Group. The rest are Secondary.
  3. Compare this to the output of the id command. id shows the same membership, but adds your UID and the numeric GID next to each group name.

Exercise G3: The Group Pipeline

  1. Let’s create a new team: sudo groupadd avengers
  2. Let’s verify it exists by filtering the group file: grep avengers /etc/group
  3. Notice the GID integer assigned to it.
  4. Delete the team: sudo groupdel avengers

Solo: Task described, hints available - figure it out

Exercise S1: Membership Management

  1. Create a group called test_ops.
  2. Create a user called test_bob (no home directory needed: sudo useradd test_bob).
  3. Add test_bob to the test_ops group safely, using the Append flag.
  4. Verify Bob’s membership using the groups test_bob command.
  5. Kick Bob out of the group using gpasswd -d.
  6. Verify he was kicked out (groups test_bob). Note: Primary group test_bob will remain.
  7. Clean up your mess (delete the user and the group).

Exercise S2: Log In State Illusion

  1. Open a terminal. Run groups. Notice your current groups.
  2. Create a dummy group: sudo groupadd phantom_club.
  3. Add yourself to it: sudo usermod -aG phantom_club $(whoami) (the whoami injects your username).
  4. Run groups again in that exact same terminal. Notice phantom_club is NOT THERE. The change hasn’t hit your current session.
  5. Start a genuinely NEW login session: run ssh localhost or su - $(whoami) in a second terminal, or log out of the desktop and back in. Opening another terminal window or tab in the same graphical session is not enough: the tab inherits the desktop session's group list, so phantom_club would still be missing there.
  6. Run groups in the new session. The phantom_club appears!
  7. Exit the new session, return to the first terminal, and run sudo groupdel phantom_club to clean up.

Mission: Real scenario - no hints, combine multiple skills

Mission M1: The Group Overwrite Disaster

You are an apprentice sysadmin. The senior admin tells you: “Add the new web developer, charlie, to the docker group.”

  1. Create Charlie with some initial groups: sudo useradd -m -G sudo,webdevs charlie (Note: You might need to sudo groupadd webdevs first).
  2. groups charlie shows he is in charlie, sudo, and webdevs.
  3. Now, intentionally make the catastrophic amateur mistake. Add him to docker using usermod WITHOUT the Append (-a) flag:
     sudo groupadd docker   (only if it doesn't exist yet)
     sudo usermod -G docker charlie
  4. Run groups charlie.
  5. Panic! You just stripped your developer of his sudo admin rights and his webdevs access. He is ONLY in docker now.

Formulate and execute the command to safely restore him to sudo, webdevs, AND docker simultaneously.

(Cleanup: sudo userdel -r charlie and delete any dummy groups you made).