
User Private Groups

The EECS Department IT Staff has implemented User Private Groups for all EECS Linux accounts. Please see below for more information on how this affects you.

Every Linux user/login has an associated “default” or primary Linux group. Traditionally, at EECS, this has been a group name like “faculty” or “graduate” signifying the primary affiliation of that user account. Some of these groups have dozens or hundreds of members. When a new file is created by a user, the group ownership of that file defaults to the user’s primary group, e.g.:

-rwxr-x---. 1 jjsmith1 faculty 2358 Mar 25 2015 myNewFile

In a UPG scheme, every user has an associated, unique group that has the same name. Only the specific user is a member of that group. New files will be created with group ownership set to this “private” group, e.g.:

-rwxr-x---. 1 jjsmith1 jjsmith1 2358 Mar 25 2015 myNewFile

The main reason for using UPGs is to increase internal system security.

  1. Having large catch-all groups significantly increases the risk that users accidentally give others access to private files. New files are automatically created with the user's primary group “owning” them. If a file is group-readable or writable (e.g. through an overly permissive umask setting), then said file may now be accessible by many unauthorized users. In an academic environment, this can be an open invitation to cheating.
  2. By having a default group with only the user as member, users have to make a conscious choice to change the group ownership of a file. Intentional sharing of files should be limited to designated research or project-related storage directories.
  3. Most Linux vendors, including Red Hat, switched to UPGs a number of years ago. UPGs are the industry standard for default group assignment.

For more information about why UPGs are more secure than large, catch-all groups, please see:

Any files in your EECS Linux home area and in /research or /storage directories with group ownership of your old EECS default group (e.g. faculty or graduate, etc.) will be changed to your new User Private Group. Files owned by other groups (e.g. project-related groups) will not be affected. The catch-all groups (faculty, undrgrad, graduate, guest) will be retired after this switchover.
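As an added example (not part of the original EECS page or its tooling), this POSIX shell sketch flags files that one of the catch-all groups named above can read or write, which is the exposure UPGs are meant to remove. The function names and the sample records are constructed for illustration; only the group names come from this page.

```shell
#!/bin/sh
# Added example: flag files that a large catch-all group can read or write.
# Input records are "owner group octal-mode path", e.g. as produced by
#   find "$HOME" -type f -printf '%u %g %m %p\n'     (GNU find)

# Catch-all groups listed on this page.
CATCH_ALL_GROUPS="faculty undrgrad graduate guest"

# Succeeds if $1 is one of the catch-all groups.
is_catch_all() {
    case " $CATCH_ALL_GROUPS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Reads records on stdin and prints "<access> <path>" for each file whose
# group is a catch-all group and whose group bits grant read and/or write.
# The body runs in a subshell so loop variables do not leak to the caller.
flag_exposed() (
    while read -r owner group mode path; do
        if is_catch_all "$group"; then
            # Group permissions are the middle octal digit (640 -> 4).
            gbits=$(( (0$mode >> 3) & 7 ))
            access=""
            if [ $((gbits & 4)) -ne 0 ]; then access="r"; fi
            if [ $((gbits & 2)) -ne 0 ]; then access="${access}w"; fi
            if [ -n "$access" ]; then printf '%s %s\n' "$access" "$path"; fi
        fi
    done
)

# Constructed sample records (not real EECS data).
sample_records() {
    cat <<'EOF'
jjsmith1 faculty 750 /home/jjsmith1/myNewFile
jjsmith1 faculty 600 /home/jjsmith1/notes.txt
jjsmith1 jjsmith1 664 /home/jjsmith1/draft.tex
jjsmith1 graduate 664 /home/jjsmith1/hw3 solutions.txt
jjsmith1 proj-robot 660 /research/robot/data.csv
EOF
}

sample_records | flag_exposed
```

The file in a private group (`jjsmith1`) and the one in a project group are not flagged even with permissive group bits, because only the intended members belong to those groups.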

Have a look at EECS Linux File Storage for information on how to share files with others.