2019-11-29 21:51:55 +01:00
---
title: JSON Group Records
2020-04-11 18:03:24 +02:00
category: Users, Groups and Home Directories
2019-11-29 21:51:55 +01:00
layout: default
2021-09-14 16:05:21 +02:00
SPDX-License-Identifier: LGPL-2.1-or-later
2019-11-29 21:51:55 +01:00
---
# JSON Group Records
2022-05-18 00:05:38 +02:00
Long story short: JSON Group Records are to `struct group` what
2024-04-17 20:54:45 +02:00
[JSON User Records ](/USER_RECORD ) are to `struct passwd` .
2019-11-29 21:51:55 +01:00
2024-02-26 14:34:45 +01:00
Conceptually, much of what applies to JSON user records also applies to JSON group records.
They also consist of seven sections, with similar properties and
2019-11-29 21:51:55 +01:00
they carry some identical (or at least very similar) fields.
## Fields in the `regular` section
2024-02-26 14:34:45 +01:00
`groupName` → A string with the UNIX group name.
Matches the `gr_name` field of UNIX/glibc NSS `struct group` ,
or the shadow structure `struct sgrp` 's `sg_namp` field.
2019-11-29 21:51:55 +01:00
2024-02-26 14:34:45 +01:00
`realm` → The "realm" the group belongs to, conceptually identical to the same field of user records.
A string in DNS domain name syntax.
2019-11-29 21:51:55 +01:00
2024-02-26 14:34:45 +01:00
`description` → A descriptive string for the group.
This is similar to the `realName` field of user records, and accepts arbitrary strings, as long as
2020-08-06 17:44:57 +02:00
they follow the same GECOS syntax requirements as `realName` .
2019-11-29 21:51:55 +01:00
`disposition` → The disposition of the group, conceptually identical to the
same field of user records. A string.
`service` → A string, an identifier for the service managing this group record
(this field is typically in reverse domain name syntax.)
2024-02-26 14:34:45 +01:00
`lastChangeUSec` → An unsigned 64-bit integer, a timestamp
(in µs since the UNIX epoch 1970) of the last time the group record has been modified.
(Covers only the `regular` , `perMachine` and `privileged` sections).
2019-11-29 21:51:55 +01:00
2024-02-26 14:34:45 +01:00
`gid` → An unsigned integer in the range 0…4294967295: the numeric UNIX group ID (GID) to use for the group.
This corresponds to the `gr_gid` field of `struct group` .
2019-11-29 21:51:55 +01:00
2024-02-26 14:34:45 +01:00
`members` → An array of strings, listing user names that are members of this group.
Note that JSON user records also contain a `memberOf` field, or in other
2019-11-29 21:51:55 +01:00
words a group membership can either be denoted in the JSON user record or in
2024-02-26 14:34:45 +01:00
the JSON group record, or in both.
2019-11-29 21:51:55 +01:00
2024-02-26 14:34:45 +01:00
The list of memberships should be determined as the combination of both lists (plus optionally others).
If a user is listed as member of a group and doesn't exist it should be ignored.
This field corresponds to the `gr_mem` field of `struct group` and the `sg_mem` field of `struct sgrp` .
`administrators` → Similarly, an array of strings, listing user names that shall be considered "administrators" of this group.
This field corresponds to the `sg_adm` field of `struct sgrp` .
2019-11-29 21:51:55 +01:00
`privileged` /`perMachine` /`binding` /`status` /`signature` /`secret` → The
2024-02-26 14:34:45 +01:00
objects/arrays for the other six group record sections.
These are organized the same way as for the JSON user records, and have the same semantics.
2019-11-29 21:51:55 +01:00
## Fields in the `privileged` section
The following fields are defined:
2024-02-26 14:34:45 +01:00
`hashedPassword` → An array of strings with UNIX hashed passwords;
see the matching field for user records for details.
This field corresponds to the `sg_passwd` field of `struct sgrp` (and `gr_passwd` of `struct group` in a way).
2019-11-29 21:51:55 +01:00
## Fields in the `perMachine` section
`matchMachineId` /`matchHostname` → Strings, match expressions similar as for
user records, see the user record documentation for details.
The following fields are defined for the `perMachine` section and are defined
equivalent to the fields of the same name in the `regular` section, and
override those:
`gid` , `members` , `administrators`
## Fields in the `binding` section
The following fields are defined for the `binding` section, and are equivalent
to the fields of the same name in the `regular` and `perMachine` sections:
`gid`
## Fields in the `status` section
The following fields are defined in the `status` section, and are mostly
equivalent to the fields of the same name in the `regular` section, though with
slightly different conceptual semantics, see the same fields in the user record
documentation:
`service`
## Fields in the `signature` section
The fields in this section are defined identically to those in the matching
section in the user record.
## Fields in the `secret` section
Currently no fields are defined in this section for group records.
## Mapping to `struct group` and `struct sgrp`
When mapping classic UNIX group records (i.e. `struct group` and `struct sgrp` )
to JSON group records the following mappings should be applied:
| Structure | Field | Section | Field | Condition |
|----------------|-------------|--------------|------------------|----------------------------|
| `struct group` | `gr_name` | `regular` | `groupName` | |
| `struct group` | `gr_passwd` | `privileged` | `password` | (See notes below) |
| `struct group` | `gr_gid` | `regular` | `gid` | |
| `struct group` | `gr_mem` | `regular` | `members` | |
| `struct sgrp` | `sg_namp` | `regular` | `groupName` | |
| `struct sgrp` | `sg_passwd` | `privileged` | `password` | (See notes below) |
| `struct sgrp` | `sg_adm` | `regular` | `administrators` | |
| `struct sgrp` | `sg_mem` | `regular` | `members` | |
At this time almost all Linux machines employ shadow passwords, thus the
`gr_passwd` field in `struct group` is set to `"x"` , and the actual password
is stored in the shadow entry `struct sgrp` 's field `sg_passwd` .
## Extending These Records
The same logic and recommendations apply as for JSON user records.
## Examples
A reasonable group record for a system group might look like this:
```json
{
"groupName" : "systemd-resolve",
"gid" : 193,
"status" : {
"6b18704270e94aa896b003b4340978f1" : {
"service" : "io.systemd.NameServiceSwitch"
}
}
}
```
And here's a more complete one for a regular group:
```json
{
"groupName" : "grobie",
"binding" : {
"6b18704270e94aa896b003b4340978f1" : {
"gid" : 60232
}
},
"disposition" : "regular",
"status" : {
"6b18704270e94aa896b003b4340978f1" : {
"service" : "io.systemd.Home"
}
}
}
```