adm | Used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm, thus the name of the group. |
audio | This group can be used locally to give a set of users access to an audio device. |
cdrom | This group can be used locally to give a set of users access to a CD-ROM drive. |
dialout | Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc. |
dip | The group's name stands for Dialup IP. Being in group dip allows you to use tools such as pppd, pon and poff to make dialup connections to other systems using predefined configuration file(s) in the /etc/ppp/peers directory. |
disk | Raw access to disks. Mostly equivalent to root access. HELP: Well, I have some disk devices in /dev owned by the group, but I can't see the point. On another system, I noticed that some of the files lilo puts in /boot are also owned by disk. I can imagine local uses for such a group, like if you want to give some users in the group direct access to some hard disk. But these uses I've found on my systems seem to preclude doing that easily; if I put a user in group disk here, they'd have write access to the root filesystem. |
fax | Allows members to use fax software to send or receive faxes. |
floppy | This group can be used locally to give a set of users access to a floppy drive. |
input | Members of this group can read events from files under /dev/input. |
kmem | /dev/kmem and similar files are readable by this group. This is mostly a BSD relic, but any programs that need direct read access to the system's memory can thus be made setgid kmem. |
lpadmin | Allows a user to add, modify, and remove printers from foomatic, cups, and possibly other printer databases. |
plugdev | Members of this group can access removable devices in limited ways without explicit configuration in /etc/fstab. This is useful for local users who expect to be able to insert and use CDs, USB drives, and so on. Since pmount (the original implementor of group plugdev) always mounts with the nodev and nosuid options and applies other checks, this group is not intended to be root-equivalent in the ways that the ability to mount filesystems might ordinarily allow. Implementors of semantics involving this group should be careful not to allow root-equivalence. |
sasl | Users in this group have read/write access to /etc/sasldb and/or /etc/sasldb2, which are used for authentication with SASL. This is commonly used by IMAP, POP and SMTP servers for authentication. |
scanner | Users in this group can use scanner(s). |
shadow | /etc/shadow is readable by this group. Some programs that need to be able to access the file are setgid shadow. |
src | This group owns source code, allegedly including files in /usr/src. |
ssh | ssh-agent is setgid to ssh in order to prevent ptrace attacks. |
staff | Allows users to add local modifications to the system (/usr/local, /home) without needing root privileges. Compare with group adm which is more related to monitoring/security. Note that the ability to modify /usr/local is effectively equivalent to root access (since /usr/local is intentionally on search paths ahead of /usr), and so you should only add trusted users to this group. Be careful in environments using NFS since acquiring another non-root user's privileges is often easier in such environments. |
sudo | Members of this group may run any command as any user when using sudo or pkexec (from the policykit-1 package, independently of whether the sudo package is installed). |
tape | This group can be used locally to give a set of users access to a tape drive. |
tty | Owns TTY devices and /dev/vcs*, used by write and wall to enable them to write to other people's ttys. |
users | While Debian systems use the user-group system by default (each user has their own group), some prefer to use a more traditional group system. In that system, each user is a member of the 'users' group. |
utmp | This group can write to /run/utmp, /var/log/wtmp, /var/log/lastlog and similar files. Programs that need to be able to write to them (such as X terminal emulators) are setgid utmp. |
video | This group can be used locally to give a set of users access to a video device. |
voice | Voicemail, useful for systems that use modems as answering machines. |
wheel | |
www-data | A group some web servers use. |
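
Several groups above are described as root-equivalent or as granting sensitive read access, so their membership is worth reviewing. The following is an added example (not part of the original page) that lists who belongs to those groups, counting both the member field of a group entry and accounts whose primary GID is that group; the sample file contents and user names are constructed.

```python
# Added example: flag accounts in groups this page describes as powerful.
# SAMPLE_GROUP / SAMPLE_PASSWD are constructed group(5) and passwd(5) text.
RISK = {
    "disk": "raw disk access, mostly equivalent to root",
    "staff": "can modify /usr/local, effectively equivalent to root",
    "sudo": "may run any command as any user via sudo or pkexec",
    "shadow": "can read /etc/shadow",
    "adm": "can read many log files in /var/log",
}
SAMPLE_GROUP = """\
adm:x:4:syslog,alice
disk:x:6:
shadow:x:42:
staff:x:50:bob
sudo:x:27:alice
users:x:100:carol
"""
SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-op:x:1001:6:Backup operator:/home/backup-op:/bin/sh
carol:x:1002:100:Carol:/home/carol:/bin/bash
"""

def audit(group_text, passwd_text):
    """Return {group: sorted member list} for groups named in RISK."""
    members, gid_to_name = {}, {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        name, _pw, gid, users = fields
        gid_to_name[gid] = name
        if name in RISK:
            members[name] = {u for u in users.split(",") if u}
    # A user's primary group (passwd field 4) grants membership too,
    # even though the user is not listed in the group's member field.
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        name = gid_to_name.get(fields[3])
        if name in RISK:
            members[name].add(fields[0])
    return {g: sorted(m) for g, m in members.items() if m}

def report(findings):
    return [f"{g}: {', '.join(m)} ({RISK[g]})" for g, m in findings.items()]

if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_GROUP, SAMPLE_PASSWD))))
```

To review a real system, pass the contents of /etc/group and /etc/passwd to `audit` instead of the samples; accounts defined in LDAP or other NSS sources are not covered by reading those two files.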