I have two groups on my machine, groupa and groupb - in groupa I have two users, user1a and user2a.
I would like to grant to members of groupa the privs to access groupb resources (run commands, view files etc). I think this probably involves using visudo, but I may be wrong.
What I would like to achieve is the equivalent of:
usermod -a -G groupb user1a
usermod -a -G groupb user2a
but to do it at the group level so that if in future user3a is added to groupa, the user also automatically has the privs for groupb.
As you may have guessed, Unix admin isn't my main area of operation!
How do I go about it?
Thanks in advance
Rich
You can't do nested groups out of the box, like you could do in Active Directory. A previous question got an answer pointing to Linux trustees.
I think it can't be done, other than by defining your own wrapper for useradd and enforcing its use or maybe by a cron script that periodically checks members of groupa and, if necessary, adds them to groupb.
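One way the periodic check mentioned in the answer above could look, as an added example that is not code from any of the answers. The function names, the GROUP_FILE, PASSWD_FILE and DRY_RUN variables, the --sync argument and the logger tag are assumptions of this sketch; the group names and the usermod command come from the question.

```sh
#!/bin/sh
# Added example: one-way sync of groupa members into groupb, for a root cron job.
# GROUP_FILE, PASSWD_FILE, DRY_RUN and the --sync argument are assumptions of this sketch.
GROUP_FILE="${GROUP_FILE:-/etc/group}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Print the members of group $1, one per line: the supplementary members listed
# in the group file plus users whose primary GID (passwd field 4) is that group.
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$GROUP_FILE")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$GROUP_FILE"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$PASSWD_FILE"
    } | sort -u
}

# Print the users that are in group $1 but not yet in group $2.
missing_members() {
    src=$(group_members "$1") || { echo "no such group: $1" >&2; return 1; }
    dst=$(group_members "$2") || { echo "no such group: $2" >&2; return 1; }
    for u in $src; do
        printf '%s\n' "$dst" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# Add each missing user to $2 with the usermod command from the question.
sync_groups() {
    missing=$(missing_members "$1" "$2") || return 1
    for u in $missing; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "would run: usermod -a -G $2 $u"
        else
            usermod -a -G "$2" "$u" && logger -t groupsync "added $u to $2"
        fi
    done
}

# Only touch the system when asked to, e.g. from cron: groupsync.sh --sync
[ "${1:-}" != "--sync" ] || sync_groups groupa groupb
```

The sync is one-way: removing a user from groupa does not remove them from groupb, so revocation still has to be done by hand. New membership only applies to sessions started after the change.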
Using sudo to achieve this requires that the user prefix all their commands with sudo -g groupb. The user won't BE in the groupb group, the user will just have permission to switch to that group and run commands. visudo is the command to edit the sudoers file that controls who is permitted to use sudo for what. Doing this requires at least 1.7.0 and opens a security exploit in versions up to 1.7.4p3.
It is probably better to just manually add the user to both groups. A PAM wizard might be able to automate that process, but it would only work for login shells or applications that use PAM for identifying the user rather than reading /etc/group and /etc/passwd directly.