Clockwork

res_group(5)

NAME

res_group - Clockwork Resource Type for system group accounts

DESCRIPTION

The group resource manages system group accounts.

ATTRIBUTES

gid

Numeric group ID of this account.

name

Name of this group account.

present

Whether or not this account should exist on the system.

member

Adds or removes a user account from the list of permanent group members.

If set to the name of a user, that user will be added to the group if they do not already belong.

If the username is prefixed with a "!" (as in, negation), that user will be removed from the group if they currently belong to it.

admin

Adds or removes a user account from the list of group administrators.

If set to the name of a user, that user will be added to the group administrator list if they are not already on it.

If the username is prefixed with a "!" (as in, negation), that user will be removed from the group administrator list if they are currently on it.

members

Like member, except that it operates on a space-separated list of usernames to add or remove. Negation rules still apply.

admins

Like admin, except that it takes a space-separated list of usernames to add or remove. Negation rules still apply.

password
pwhash

The (encrypted) password for this account. Group passwords are used to allow non-members to assume temporary membership in a group, if they know the password.

Details of encryption depend on the specific platform and system configuration. Clockwork does not attempt to encrypt or decrypt passwords for groups.

EXAMPLES

Basic Group Management

This example ensures that an admins group exists on the system with a GID of 42. This type of record can be used in conjunction with user resources (see res_user(5)) to define primary groups.

group "admins" {
  gid: 42
}

Member Management

In this example, the policy ensures that the "projectx" group exists, that the users jose, bob and eva belong to the group, and that alice does not.

group "projectx" {
  gid:      1337
  password: "!!"

  # add these users
  member:   "jose"
  member:   "bob"
  member:   "eva"

  # remove these (note the '!')
  member:   "!alice"
}

The password attribute is specified as an invalid hash to ensure membership in the projectx group is managed strictly by the system administrators (and, by extension, Clockwork).

Another way to handle the membership list is via members, like this:

group "projectx" {
  gid:      1337
  password: "!!"
  members:  "jose bob eva !alice"
}

Administrator Management

Management of group administrators works just like group membership management. To ensure that james is an admin in the "projectx" group, but that nick is not:

group "projectx" {
  gid:   1337
  admin: "james"
  admin: "!nick"
}

CAVEATS

1. Primary vs. Auxiliary Groups

Under conventional user and group mechanics, a user's primary group is not included in their list of auxiliary groups. To illustrate, the following policy snippet does not affect joe's primary group:

group "users" {
    gid:    1234
    member: "!joe"
}

user "joe" {
    uid:  100
    gid:  1234
}

joe's primary group will still be users, even though the group definition attempts to remove him.
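As an added illustration of the member/members negation rules and of this caveat (example code written for this page, not part of Clockwork): a small Python model of how a members spec is applied to an /etc/group entry, and why removing a user that way leaves their primary group from /etc/passwd untouched. The group and passwd lines are constructed sample data.

```python
# Added example, not part of Clockwork: models how a res_group member/members
# spec with "!" negation is applied to an /etc/group entry, and shows why the
# primary-group caveat holds (primary membership lives in /etc/passwd).

def parse_members(spec):
    """Split a member/members spec into ordered (add, remove) name lists.

    A leading "!" marks a name for removal, exactly as in the policy."""
    add, remove = [], []
    for tok in spec.split():
        target = remove if tok.startswith("!") else add
        name = tok.lstrip("!")
        if name and name not in target:
            target.append(name)
    return add, remove

def apply_members(group_line, spec):
    """Return the /etc/group line after applying a members spec to it."""
    name, pw, gid, members = group_line.rstrip("\n").split(":")
    current = [m for m in members.split(",") if m]
    add, remove = parse_members(spec)
    for user in add:
        if user not in current:          # added only if not already a member
            current.append(user)
    current = [m for m in current if m not in remove]
    return ":".join([name, pw, gid, ",".join(current)])

def effective_members(group_line, passwd_lines):
    """Supplementary members from /etc/group plus every user whose primary GID
    (4th field of /etc/passwd) matches: the membership the kernel honours."""
    _, _, gid, members = group_line.split(":")
    result = {m for m in members.split(",") if m}
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) >= 4 and fields[3] == gid:
            result.add(fields[0])
    return result

# Constructed sample data (not real system files).
GROUP_PROJECTX = "projectx:!!:1337:alice,bob"
GROUP_USERS = "users:x:1234:joe,mary"
PASSWD = ["joe:x:100:1234::/home/joe:/bin/sh",
          "mary:x:101:5000::/home/mary:/bin/sh"]

if __name__ == "__main__":
    print(apply_members(GROUP_PROJECTX, "jose bob eva !alice"))
    updated = apply_members(GROUP_USERS, "!joe")      # joe dropped from the line...
    print(updated, sorted(effective_members(updated, PASSWD)))  # ...but still a member via his primary GID
```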

2. Duplicate GIDs

Clockwork does not attempt to enforce the uniqueness of group GIDs on the local system.

DEPENDENCIES

None.

AUTHOR

Clockwork was designed and written by James Hunt.

The Clockwork website is licensed under the Creative Commons Attribution-NoDerivs 3.0 United States License