Add new user to multiple groups using pw.

I am trying to build a function for adding a new user to a NanoBSD build.
What I am unsure about is the pw -g or -G command option.

I have two groups I want to add the user to. They are wheel and operator.
-G provides a secondary group comma delineated list of groups, whereas -g provides a 'primary' group.
So which of these is correct?
pw adduser -n gui -c 'gui' -d /gui -G wheel,operator -m -s /bin/tcsh -w none
Or
pw adduser -n gui -c 'gui' -d /gui -g wheel -G operator -m -s /bin/tcsh -w none


I may also have to add a video group as well.
pw adduser -n gui -c 'gui' -d /gui -g wheel -G operator,video -m -s /bin/tcsh -w none
 
In my unprofessional opinion, you should prefer -G over -g.

When you use the -g option, the newly created user will not be added to the member list of that group in the group(5) file, unlike with -G:
Code:
ROOT# grep foo /etc/group
ROOT# pw useradd -n foo -w none && grep foo /etc/group
foo:*:1002:
ROOT# pw useradd -n bar -g foo -w none && grep foo /etc/group
foo:*:1002:
ROOT# pw useradd -n quux -G foo -w none && grep foo /etc/group
foo:*:1002:quux
ROOT# su bar
$ groups
foo
$ exit

Additionally, if the member list for a group is empty in /etc/group, as it was before user quux was added above, deleting a user with the same name as the group will delete the group from /etc/group. This can be accomplished by first deleting user quux, then user foo. Note that the primary login group of user bar is still the GID of the deleted group named foo:
Code:
ROOT# grep foo /etc/group
foo:*:1002:quux
ROOT# pw userdel -n quux && grep foo /etc/group
foo:*:1002:
ROOT# pw userdel -n foo && grep foo /etc/group
ROOT# su bar
$ groups
1002
$ exit

Tools that rely on group names will break when this sort of scenario occurs.

On the other hand, if user foo was deleted first, group foo would persist, even after deleting users bar and quux, because quux was a member of group foo when you deleted user foo, which would mean you'd have a useless entry in /etc/group once all users of that group were removed. While you'd potentially have useless entries with -G as well, it will at least avoid the situation where the group name disappears for users that continue to use the group.

EDIT
I feel I should also mention that other than that aspect, there's seemingly little difference between the primary login group specified with -g and supplementary groups specified with -G. According to passwd(5):
The group field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see groups(1)) this field
currently has little special meaning.

Unless I'm missing something, -G is definitely the way to go. If you don't like the user-specific groups that serve no purpose, you can always create a new group just for users and specify that as the primary login group (e.g. -g _users; hopefully no user is named _users).
 
It seems that the -G option is working fine for me.

cust_gui_user() (
pw -V ${NANO_WORLDDIR}/etc/ adduser -n gui -c 'gui' -d /gui -G wheel,operator -m -s /bin/tcsh -w none
)
 
It's happened to me a couple of times that a piece of software refused to be run by a user whose primary group was "wheel". Now I cannot remember what software it was.
On FreeBSD, the primary group for the root and toor users is “wheel”, so maybe it was software that cannot run as root? Whatever it was, nothing in the OS seems to have such a problem, so it was a conscious choice to make the software behave that way.

It's worth mentioning, however, that security(7) recommends against setting a user's primary group to “wheel”, so that would be an insecure solution anyway as they'd be able to use su(1) and would just need the password to gain root access:
One way to make root accessible is to add appropriate staff accounts
to the “wheel” group (in /etc/group). The staff members placed in the
wheel group are allowed to su(1) to root. You should never give staff
members native wheel access by putting them in the wheel group in
their password entry. Staff accounts should be placed in a “staff”
group, and then added to the wheel group via the /etc/group file. Only
those staff members who actually need to have root access should be
placed in the wheel group.
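
Added example, not part of any post in this thread: a POSIX sh/awk check for the two conditions described in the replies above, namely a user whose primary GID no longer has a group(5) entry and a non-root user whose primary group is wheel. The function name audit_primary_groups, the ORPHAN/WHEEL report labels and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd(5)/group(5) files for risky primary groups.
# Pass the file paths explicitly so the check can be pointed at a NanoBSD
# world directory (e.g. ${NANO_WORLDDIR}/etc) instead of the live /etc.
#
# audit_primary_groups PASSWD GROUP prints one finding per line:
#   ORPHAN user gid  primary GID has no entry in the group file
#   WHEEL user       non-root account whose primary group is wheel
audit_primary_groups() {
    awk -F: '
        /^#/ { next }                          # skip comment lines
        pass == 1 {                            # first file: group(5)
            known[$3] = 1
            if ($1 == "wheel") { wheel = $3; have_wheel = 1 }
            next
        }
        NF < 4 { next }                        # second file: passwd(5)
        !($4 in known) { print "ORPHAN", $1, $4 }
        have_wheel && $4 == wheel && $3 != 0 { print "WHEEL", $1 }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample data: "bar" still carries GID 1002 after group foo was
# deleted, and "gui" was created with -g wheel. "gui2" is a clean account.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/group" <<'EOF'
# constructed group file
wheel:*:0:root
operator:*:5:root,gui
gui2:*:1005:
EOF
    cat > "$dir/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
bar:*:1003:1002:User &:/home/bar:/bin/sh
gui:*:1004:0:gui:/gui:/bin/tcsh
gui2:*:1005:1005:gui2:/gui2:/bin/tcsh
EOF
    audit_primary_groups "$dir/passwd" "$dir/group"
    rm -rf "$dir"
}

# With two arguments audit those files, otherwise run the constructed demo.
if [ $# -eq 2 ]; then audit_primary_groups "$1" "$2"; else demo; fi
```

Accounts with UID 0 (root and toor) are skipped by the WHEEL check because their primary group is wheel by design.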
 
pw usermod <user> -G <groups> replaces all existing secondary groups for that user. In many cases, it is preferable to use pw groupmod <group> -m <newmembers> instead. I.e. the last command inside a
for grp in $groups; do pw groupmod $grp -m $user; done loop.
 