A group is simply a list of users. Groups are identified by their group name and GID (Group ID). In FreeBSD (and most other UNIX® like systems), the two factors the kernel uses to decide whether a process is allowed to do something is its user ID and list of groups it belongs to. Unlike a user ID, a process has a list of groups associated with it. You may hear some things refer to the “group ID” of a user or process; most of the time, this just means the first group in the list.
The group name to group ID map is in /etc/group. This is a plain text file with four colon-delimited fields. The first field is the group name, the second is the encrypted password, the third the group ID, and the fourth the comma-delimited list of members. It can safely be edited by hand (assuming, of course, that you do not make any syntax errors!). For a more complete description of the syntax, see the group(5) manual page.
If you do not want to edit /etc/group manually, you can use the pw(8) command to add and edit groups. For example, to add a group called teamtwo and then confirm that it exists you can use:
Example 14-7. Adding a Group Using pw(8)
# pw groupadd teamtwo # pw groupshow teamtwo teamtwo:*:1100:
The number 1100 above is the group ID of the group teamtwo. Right now, teamtwo has no members, and is thus rather useless. Let's change that by inviting jru to the teamtwo group.
Example 14-8. Setting the List of Members of a Group Using pw(8)
# pw groupmod teamtwo -M jru # pw groupshow teamtwo teamtwo:*:1100:jru
The argument to the
-M option is a comma-delimited list of
users who are to be in the group. From the preceding sections, we know that the password
file also contains a group for each user. The latter (the user) is automatically added to
the group list by the system; the user will not show up as a member when using the
groupshow command to pw(8), but will show
up when the information is queried via id(1) or similar tool.
In other words, pw(8) only manipulates
the /etc/group file; it will never attempt to read additionally
data from /etc/passwd.
Example 14-9. Adding a New Member to a Group Using pw(8)
# pw groupmod teamtwo -m db # pw groupshow teamtwo teamtwo:*:1100:jru,db
The argument to the
-m option is a comma-delimited list of
users who are to be added to the group. Unlike the previous example, these users are
added to the group and do not replace the list of users in the group.
Example 14-10. Using id(1) to Determine Group Membership
% id jru uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)
As you can see, jru is a member of the groups jru and teamtwo.