Group identifier (Unix)
From Wikipedia, the free encyclopedia
In Unix-like systems, multiple users can be categorized into groups. POSIX and conventional Unix file system permissions are organized into three classes, user, group, and others. The use of groups allows additional abilities to be delegated in an organized fashion, such as access to disks, printers, and other peripherals. This method, amongst others, also enables the Superuser to delegate some administrative tasks to normal users, similar to the Administrators group on Microsoft Windows NT and its derivatives.
A group identifier, often abbreviated to GID, is a numeric value used to represent a specific group. The range of values for a GID varies amongst different systems; at the very least, a GID can be between 0 and 32767, with one restriction: the login group for the Superuser must have GID 0. This numeric value is used to refer to groups in the /etc/passwd and /etc/group files or their equivalents. Shadow password files and Network Information Service also refer to numeric GIDs. The group identifier is a necessary component of Unix file systems and processes.
The limits on the range of possible group identifiers come from the memory space used to store them. Originally, a signed 16-bit integer was used. Realizing that sign was not necessary—negative numbers don't make valid group IDs—an unsigned integer was used instead, allowing group IDs between 0 and 65535. Modern operating systems usually use unsigned 32-bit integers, which allow for group IDs between 0 and 4294967295. The switch from 16 to 32 bits was originally not necessary—one machine or even one network did not serve more than 65536 users at the time—but was made to elimate the need to do so in the future, when it would be more difficult to implement.
[edit] Primary vs. supplementary
In Unix systems, every user must be a member of at least one group, which is identified by the numeric GID of the user's entry in /etc/passwd. This group is referred to as the primary group ID. A user may be listed as members of additional groups in the relevant groups entry in the /etc/group; the IDs of these groups are referred to as supplementary group IDs.
[edit] Effective vs. real
Unix processes have both an effective (EGID) and a real (PGID) group ID. Normally these are identical, but in setgid process they are different. This is so the setgid process can perform privileged functions using the privileged group, yet easily revert to the non-privileged group when necessary. This is to prevent the calling user from manipulating the process to gain unauthorized access to the privileged group.