Group File

Each user may belong to zero or more groups, and a group may contain zero or more users and/or other groups. Groups are just abbreviations long lists of users. Group names can be referenced in protection setup file (in mask-group field), and in ACL file (the last field in each line).

Group Declaration

Each line in the group file contains information about one group, and the format is like in the following example (this is called a group declaration:

        groupname: user1,user2,group1,user3,group2

That is, the groupname is followed by a colon followed by a comma-separated list of usernames and/or groupnames in arbitrary order (this list is called a group definition).

A groupname must be defined before it is referenced (and a groupname is not defined inside its own definition). An undefined reference is treated as a username. This guarantees the absence of circular structures in the group hierarchy.

Syntax of Group Definition Part

Group definition part appears not only in the group file, but also

in mask-group field in protection setup file, and
as last item on each line of the ACL file.

Group definitions are in their simples form just one user or group name, or a comma-separated list of them.

IP Address Masks

Any group definition may contain an IP address restriction like:

"anybody from these IP addresses"
"this user from these addresses"
"these users and groups from these addresses"

IP address restriction starts with an at sign @ and is followded by an IP number template. In IP template each of the 4 parts may contain one wildcard character *.

IP address restriction can be on its own when it allows anyone from a matching address:

    cern_site: @128.141.*.*

However, it can also immediately follow a user or group name in which case these users are only allowed if they connect from a matching address:

    ari_at_work: luotonen@128.141.8.187

Lists of Names and IP Address Templates

It is possible to make a list of users and groups, and IP addresses, and combine them all together with parentheses:

    cern_hackers: (luotonen,timbl)@(128.141.8.187, 128.141.244.101)

Continuation Line

Long group definitions can be split on multiple lines after any comma in the group definition:

    wizards: marca, sanders, kevin, dave, montulli, timbl,
             cailliau, hallam, jak
    hackers: marca@141.142.*.*, sanders@153.39.*.*,
             (luotonen, timbl, hallam)@128.141.*.*,
             cailliau@(128.141.201.162, 128.141.248.119)