Summary: User-Level Management
Of Unix Group Membership
We describe the design and implementation of a software suite, GrpAdmin, that allows
unprivileged users to manage Unix group memberships. We begin by enumerating common problems
associated with traditional group management. We then show how GrpAdmin alleviates these
problems. The final section notes the effects, many of them sociological, anticipated during
introduction and deployment of the new software.
1. Introduction and Problem Statement
Unix groups, while a powerful concept, are subject to two annoying limitations. First, all group information has
traditionally been stored in a single file, /etc/group or equivalent. The ability to change /etc/group confers
all-or-nothing powers of group manipulation --- either anything can be done to all groups or nothing can be done to any group.
Thus, for security reasons, group management responsibility has been concentrated in the hands of a relatively small
number of privileged people. This inability to directly delegate responsibility for group management to the people
directly involved with the group (e.g., members of a project-related group) causes increased communication overhead,
distractions, interrupts and occasional frustrating delays.
A second problem is the limit imposed by Unix on the maximum number (usually 16-32) of groups associated with
an individual or process. This limit intrudes when extensive or fine-grained group-based file sharing is required. A
typical example occurs when instructors or TAs must be members of a large number of class-specific groups. Since
changing group memberships "on the fly" is difficult or impossible, it may be necessary for those individuals to sac