17

I need to create a more limited user for the Raspberry Pi. I can guess what some of these groups do (cdrom, sudo, i2c, spi), but what do some of these other groups do (adm, dialout, pi)?

Here is the list on my Pi running Jessie Lite:

pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi

BarrowWight

2 Answers

21

I did a little digging on this and tracked down the purpose for most of the user groups:

pi       User-specific group. A group is automatically created for 
         each new user; you can ignore this.
adm      Allows access to log files in /var/log and using xconsole
dialout  Allows access to serial ports/modem reconfiguration, etc.
cdrom    Uncreatively, this group enables access to optical drives.
sudo     Enables sudo access for the user.
audio    Allows access to audio devices like microphones and soundcards
video    Allows access to a video device like the framebuffer, the videocard or a webcam
plugdev  Enables access to external storage devices
games    Many games are SETGID to games so they can write their high score files. This is explained in policy.
users    Appears to be a Pi-specific group enabling access to 
         /opt/vc/src/hello_pi/ directory and contained files.
input    Appears to give access to the /dev/input/mice folder and nothing else.
netdev   Enables access to network interfaces
gpio     Pi-specific group for GPIO pin access.
i2c      Similar to the above, but for I2C access. 
         Generated after installing i2c-tools.
spi      Similar to the above, but for the SPI bus.
lpadmin  CUPS printer administration.

(Shamelessly cross-posting this from my blog.)


Reference: Debian wiki.

JRI
apnorton
  • I got here investigating a problem where a new user could not run startx. They needed to be in the video group in order to have access to the framebuffer. – Allen Sep 23 '18 at 05:42
3

The pi group is the default group created for the pi user. Each user has a matching group name.

  • dialout allows access to the serial ports.
  • adm is used for system monitoring tasks and gives access to many of the log files in /var/log.
  • netdev members can manage network interfaces.
  • sudo group members can execute any command. (If the goal is to have a lower-privileged user, I would not suggest adding your new user to this group. Instead I would add a per-command or username-based rule to the sudoers file.)

In general you can use Google to discover the purpose of a group, by doing something like this: google search, obviously changing the name of the group.

I would suggest that you create your new user without adding them to any additional groups (like the pi group, they will be a member of the group with the same name as their username).

And as you find things the new user cannot do, add the user to specific groups. This is in keeping with the concept of least privileges.

Steve Robillard
  • Thanks. All the user is really doing is ping files from a Samba share. On a side note, I renamed the pi user to my name. How could I change that group name to my new username? – BarrowWight Jul 24 '17 at 05:18
  • You can change a group's name with groupmod; an example with more details: https://www.computerhope.com/unix/groupmod.htm – Steve Robillard Jul 24 '17 at 05:37
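
The approach in the second answer (start with no extra groups, add only what is needed), as an added example that is not part of either answer: a shell sketch that reads an /etc/group-format listing and reports which supplementary groups a user holds beyond an allow list. The `kiosk` user, the sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: least-privilege audit of supplementary group membership.

# Constructed sample in /etc/group format: name:password:GID:member,member
sample_group_file() {
cat <<'EOF'
pi:x:1000:
adm:x:4:pi
dialout:x:20:pi,kiosk
sudo:x:27:pi
audio:x:29:pi,kiosk
video:x:44:pi,kiosk
gpio:x:997:pi
EOF
}

# groups_of USER: read a group listing on stdin and print every group whose
# member field (4th column) names USER exactly. Exact matching matters:
# a substring test would treat "pi" as a member of a group listing "pippa".
groups_of() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# excess_groups USER ALLOWED...: read a group listing on stdin and print the
# groups USER belongs to that are not on the allow list.
excess_groups() {
    user=$1; shift
    allowed=" $* "
    groups_of "$user" | while read -r g; do
        case "$allowed" in
            *" $g "*) ;;          # needed for the user's task, keep
            *) echo "$g" ;;       # not justified, report it
        esac
    done
}

# Demo: the default "pi" membership measured against a policy that only
# needs audio and video. Removal commands are printed, never executed.
sample_group_file | excess_groups pi audio video | while read -r g; do
    echo "gpasswd -d pi $g"
done
```

On a real Pi, pipe `getent group` or `/etc/group` into `excess_groups` instead of the sample; the printed `gpasswd -d` lines are suggestions to review before running.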