This page list the different system groups used on a debian system. System groups are special purpose groups used for system operation like backup, maintenance or for granting access to hardware. They are the low gid of the system group database.

To print the groups the current user is a member of:

$ groups

To print the groups for another user:

$ groups $username

To add a user to a group, as root:

# adduser $username $groupname

as a user with sudo permissions:

$ sudo adduser $username $groupname

and using the ?usermod command:

$ sudo usermod -a -G $groupname $username

Group membership of a user only takes effect on the next login.



Filesystem in Userspace (FUSE) is a filesystem that allows non-privileged users to create their own file systems without editing the kernel code. This is achieved by running the file system code in user space, while the FUSE module provides a "bridge" to the actual kernel interfaces.

FUSE can be used to write virtual filesystems. For instance, a wiki-based filesystem.

Users are allowed to use FUSE if they can read and write to /dev/fuse. Starting with Debian 8 (Jessie), /dev/fuse is world-writeable by default.


Debian 7 (wheezy) and earlier:

/dev/fuse crw-rw---- root fuse 

Debian 8 (jessie) and later:

/dev/fuse crw-rw-rw- root root 

Security implications

FUSE could lead to local DoS for instance creating file a la /dev/null with random content. Moreover they are a past problem in the FUSE kernel code that lead to DoS.

Filesystem created by FUSE are not visible by other user including root in order to avoid DoS. For instance a user that creates an infinite depth filesystem in order to fool updatedb.

More Information

FUSE on Wikipedia FUSE wiki



From Roland Dreier

RDMA stands for "remote direct memory access," and it is a type of high performance networking implemented by ?InfiniBand and some 10 GbE adapters. Part of RDMA is "kernel bypass," which allows userspace process direct access to hardware registers to reduce latency and CPU overhead in performing RDMA operations. wikipedia has a more complete overview.


/dev/infiniband/rdma_cm crw-rw---- root rdma

Security implications

Users that are running high-performance jobs would need access to these device nodes; it makes sense to me that administrators would not necessarily want to allow all users to have direct access to do things that might interfere with other jobs on a high-performance network. Even though in theory it is safe for anyone to use rdma due to kernel protection.

Also, RDMA often requires increasing the amount of locked memory allowed in /etc/security/limits.conf, and doing that by group "rdma" is convenient as well.

More information

wikipedia Roland Dreier answer on unbuntu

Other System Groups

Groups without an associated user

The following groups grant privileges to their members.

Security implications

The group disk can be very dangerous, since hard drives in /dev/sd* and /dev/hd* can be read and written bypassing any file system and any partition, allowing a normal user to disclose, alter and destroy both the partitions and the data of such drives without root privileges. Users should never belong to this group.

To manage removable drives without root privileges, you have to use the groups cdrom for optical drives. Optical drives can usually be mounted in according to the rules in /etc/fstab, but for other removable drives the group plugdev may be more practical. Starting with Debian 8 (Jessie) you need root privileges to format USB and flash memories, because their devices in /dev/ do not belong to the group floppy anymore.

The group kmem is able to read the content of the system memory, potentially disclosing data belonging to other processes.

The users of the group shadow group can read the content of /etc/shadow and /etc/gshadow, containing the hashes of the passwords of other users and groups.

Only admins should belong to the group sudo, because they could execute any command with sudo/pkexec and their own password. Custom rules can be written in /etc/sudoers (through visudo) for any group and any user, in order to allow only a more restricted set of commands to be executed with root privileges. And polkit can be customized too.

The users of the group staff can install executables in /usr/local/bin and /usr/local/sbin without root privileges. By default /usr/local/bin is in the PATH variable of every user, so that the binaries in /usr/local/bin can be executed without having to write their paths. In addition if an executable is created in /usr/local/bin with the same name of one in /usr/bin (or /bin), the former will be executed every time that its path is not specified.

Groups with an associated user

The following groups are not intended to be used directly by other users.

More information

Securing Debian Manual - FAQ n.

Page Copyright


GPLv2 or later at your option


Bastien Roucaries , Mario Bar

see DebianWiki/LicencingTerms for info about wiki content copyright.

CategorySystemSecurity | CategorySystemAdministration