
ONE PAGER: GROUPS: PRIMARY, SECONDARY, ACTIVE LEVEL 2

###############################################################################

Each and every file and directory, in a unix system, has a user-owner, which matches
one of the user-accounts defined in the system's /etc/passwd file. This user-owner attribute
determines basic control-of and access-to any file or directory. Besides a user-owner, there
is also a group, which (a) is also attached to any file or directory and (b) contains zero or
more user-accounts as "members". Groups and their members are defined in the /etc/group file
and also contribute to the control-of and access-to any file or directory.
There are three categories of groups: primary, secondary, and active.
A user's primary group membership (only one) is defined in the 4th field of the
/etc/passwd file --e.g.,

george:x:1074:10:George Porjy:/export/home/george:/bin/ksh

A user's secondary group memberships (zero or more) are defined in the 4th field of
the /etc/group file --e.g.,

fish::377:george,sally,sam,mary

Primary-group and secondary-group memberships determine exactly which files and
directories any user has access to, besides the ones that are directly owned by that user
(user-owner). If the fish group is attached to a file or directory and if user george is a
member of the fish group ——whether primary group or secondary, it makes no difference in
Solaris or most versions of Unix/Linux—— then george has the same access to that file or
directory that has been granted to the fish group for that file or directory.
Of course, if each and every file and directory (in unix) has both a user-owner and a
group attached to it and if a particular user belongs to two or more groups (one primary and
one or more secondary) then that begs the question: Which of these groups will be
automatically attached to any new file or directory created by that user? The obvious answer
--the primary group-- is actually incorrect.
A user's active group is the group that automatically gets attached to any files and
directories created by that user. For the entire duration of a Solaris user's login-session,
a user simultaneously belongs to his primary group and all of his secondary groups but has
(must have) exactly one active group at any one moment in time during that login-session.
The significance of primary vs secondary groups is simply that the primary group is the one
that is the user's active group each time that user first logs into the system! That is the
only significance of the primary group!
Now this begs the question of how you change your active group. The newgrp command is
used to change one's active group.
If user george is about to do some work on the fish project and he wants to create a
few files and directories that will automatically have the fish group attached to them, he
simply runs the following command:
# newgrp fish

To confirm that his active group is now fish, he can now run "id" or "id -a":
# id
uid=1074(george) gid=377(fish)
# id -a
uid=1074(george) gid=377(fish) groups=10(staff),377(fish),378(mammal)

The significance of the group password ——second field in /etc/group, typically unused
—— is that, if you don't officially belong to a group but you want to switch to that group as
your active group, you can do so ——using the newgrp command—— if (a) a password has been
assigned to that group and (b) you know the password. For example, run "newgrp fish" and you
will be prompted for the password. After switching the active group, you have access to that
group's other files and directories also, for the time being ——this does not permanently add
you as a member of that group. To assign a password to a group, copy & paste a 13-character
encrypted-password from /etc/shadow into the second field of the appropriate /etc/group line.
(Adminsuite-2.0 in Solaris-2.6 and earlier has a GUI way to set the password.)
The groups command lists all of your groups, beginning with the primary. It does not
tell you which one is your active group.
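
Added example, not part of the original one-pager: a small sh/awk script that derives a
user's primary and secondary groups from the two fields described above and lists the groups
whose password field is set. The second check matters because /etc/group is normally
world-readable, so a hash placed there is visible to every local user. Assumptions: the
sample files are constructed (only the george and fish lines follow the page), and "x", "*"
and "!" in the password field are treated as placeholders rather than passwords.

```shell
#!/bin/sh
# Added example, not from the original page. The sample files are constructed:
# the george and fish lines follow the page; everything else is made up.

# memberships USER PASSWD_FILE GROUP_FILE
# Primary group   = 4th field of the user's passwd line (a GID).
# Secondary groups = group lines whose 4th field lists the user.
memberships() {
    pgid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    awk -F: -v u="$1" -v pgid="$pgid" '
        { isprim = (pgid != "" && $3 == pgid) }
        isprim { print "primary:" $1 }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u && !isprim) print "secondary:" $1
        }' "$3"
}

# password_groups GROUP_FILE
# Groups whose 2nd field holds a password, i.e. groups a non-member can
# switch into with newgrp. Assumption: "x", "*" and "!" are placeholders.
password_groups() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Constructed sample data, written to a temporary directory.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
george:x:1074:10:George Porjy:/export/home/george:/bin/ksh
sally:x:1075:377:Constructed User:/export/home/sally:/bin/ksh
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
staff::10:
fish:CONSTRUCTED13:377:george,sally,sam,mary
mammal::378:george
EOF

memberships george "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
echo "groups with a password set:"
password_groups "$SAMPLE_DIR/group"
```

To audit a live system, pass /etc/passwd and /etc/group instead of the sample files.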

--John Reed Avery, 2000/Oct/19 (updated 2011/Apr/04)


###############################################################################
