Linux Group Management

The Linux Newbie Guide

⇒

Fundamentals

Advanced

Supplement

Command Index

ENG⇒中

Group Management

1.0 Group Management
/etc/group
/etc/gshadow
groupadd: Create a new group
vigr : Edit /etc/group
groups : List the groups a user belongs to
newgrp : Switch to a different group
gpasswd : Set group password and manage members
groupmod : Modify a group
groupdel : Delete a group
1.1 Collaborative Group Work
chgrp : Change the group ownership of a file
chown : Change File Ownership

ENG⇒中 ENG⇒中
1.0 Group Management

When using the useradd command to create a new user account, a default group with the same name as the user account is automatically created. However, the group name does not have to match the user account name, and a user can be a member of multiple groups to facilitate collaborative group work and resource sharing.

Similar to the important configuration files "/etc/passwd" and "/etc/shadow" for user accounts, the corresponding files for groups are "/etc/group" and "/etc/gshadow". These files are relatively simpler as they lack time-related fields.

/etc/group
The configuration file "/etc/group" can only be edited by the root user and follows a format where each line consists of four fields separated by colons ": " :
"Group Name:Password:GID:Members". The details of each field are as follows:

Group Name:
The name of the group.。
Password:
If the field displays "x" or "!", it indicates that the password has been moved to the shadow file "/etc/gshadow".
GID (Group ID):
The unique identifier for the group.
Members
A comma-separated list of members belonging to the group.

Example:

# tail -n4 /etc/group
aaa:x:500: ←The group "aaa" has a group ID of 500
hr:x:501:ccc,bbb ←The group "hr" has an ID of 501, and its members include "ccc" and "bbb"
ccc:x:502:
bbb:x:503:

/etc/gshadow
"/etc/gshadow" serves as the shadow file for the password field (second field) in "/etc/group". It also follows a format with four fields separated by colons ":" :
"Group Name:Password:Admin:Members". The details of each field are as follows:
1. Group Name :
  The name of the group, which should be the same as the corresponding entry in "/etc/group" (the first field).
2. Password :
  The password from the second field in "/etc/group" is mapped here. If the field starts with "!", it indicates that the group is locked (non-group members' accounts cannot use this group).
3. Admin:
  If there are administrators for the group, they are listed here.
4. Members :
  This field should match the Members field (fourth field) in "/etc/group".

^ back on top ^

groupadd : Create a new group
The reason why we still need the groupadd command to create a new group despite having the "-g" or "-G" options in the useradd command to create a primary or supplementary group for a user is as follows:

When using the useradd command with the "-g" option, you can specify the primary group for the user, and with the "-G" option, you can specify supplementary groups for the user. However, in order for a user to be added to a supplementary group, the group name must already be recorded in the "/etc/group" file (and its corresponding entry in "/etc/gshadow"), otherwise, the system will reject the addition.

To create a new group and record its name in "/etc/group," the "groupadd" command is used.

Let's experiment to illustrate this:

Experiment to create a supplementary group (logged in as Superuser):

# useradd ccc -G sub_grp ←Create a new user "ccc" and add them to the supplementary group "sub_grp"
useradd: unknown group sub_grp ←The "sub_grp" group is unknown

As you can see, we couldn't create the user "ccc" and add them to the "sub_grp" supplementary group simultaneously because the group "sub_grp" didn't exist in the "/etc/group" file.

To resolve this, we use the groupadd command to create the group "sub_grp":

Example:

# groupadd sub_grp ←Create a new group "sub_grp"
# tail -4 /etc/group ←Check if it's recorded in "/etc/group"
haldaemon:x:68:
aaa:x:500:
bbb:x:501:
sub_grp:x:502: ←New group is added here. :-)
# useradd ccc -G sub_grp ←Now, we can create the user "ccc" and add them to the supplementary group "sub_grp"
# tail -4 /etc/group ←Check "/etc/group" again
vboxsf:x:491:
aaa:x:500:
bbb:x:501:
sub_grp:x:502:ccc ←The "sub_grp" group now includes the user "ccc."
ccc:x:503:

Now, after adding the supplementary group to the newly created user, you can use the newgrp command to switch between the primary group and supplementary groups.

vigr : Edit /etc/group
The command groupadd is primarily used to add a group name to the files "/etc/group" and "/etc/gshadow" in Linux. You can also utilize the vigr command with the vi text editor to open and modify the "/etc/group" file. When editing this file, if it has been modified, the system will prompt you to update the "/etc/gshadow" file as well. This approach achieves the functionality of both groupadd and groupdel commands, enabling the addition and deletion of groups.

List the groups a user belongs to
In the example provided, we have created a new user account named "ccc" and added them to a supplementary group named "sub_grp." Now, let's demonstrate how to switch between the primary group and supplementary groups using the newly created user account "ccc." Please make sure the Superuser sets a password for the new user "ccc" using the passwd command before testing, as the user won't be able to log in without a password. Example: (Continuation of the previous example, using the newly created user "ccc" to demonstrate)

[ccc@localhost ~]$ groups ←List the groups that the current user account belongs to
ccc sub_grp ←The user "ccc" belongs to two groups, which are "ccc" and "sub_grp"

In the example above, the groups command lists the groups to which the current user account "ccc" belongs. The first group displayed in the list is the effective group, which is the primary group of the user. In this case, the primary group of the user "ccc" is "ccc," and the supplementary group is "sub_grp."

newgrp : Switch to a different group
In the example provided, we have demonstrated how to use the newgrp command to switch between groups listed in the groups output. The newgrp command executes a subshell with the specified group, and you can use exit to return to the original group.

Example: (Continuation of the previous example, using the newly created user "ccc" to demonstrate)

[ccc@localhost ~]$ newgrp sub_grp ←Switch to the "sub_grp" group
[ccc@localhost ~]$ groups ←Check if the effective group has changed to "sub_grp"
sub_grp ccc ←"sub_grp" is now the first group in the list
[ccc@localhost ~]$ echo 'hello' > test_grp.txt ←Create a file and see the group ownership
[ccc@localhost ~]$ ls -l test_grp.txt
-rw-r--r-- 1 ccc sub_grp 15 2016-09-06 14:26 test_grp.txt ←The file now belongs to "sub_grp" group
[ccc@localhost ~]$ exit ←Exit the current subshell, and the group will revert to the original "ccc" group
[ccc@localhost ~]$ groups ←Check if the group has returned to the original "ccc" group
ccc sub_grp ←"ccc" is now the first group in the list again

The effective group switched using newgrp is temporary and only valid within the subshell. When you use exit or restart the system, the group will revert to the default group (primary group).

^ back on top ^

gpasswd : Set group password and manage members
When a system administrator uses the useradd command to create a new user account without the -G option to add additional groups, they can later use the gpasswd command to add groups. The gpasswd command has two main functions: creating a group password and adding/removing group members. Only the Superuser and group administrators can use gpasswd. Here's a breakdown of the usage:

Syntax:gpasswd [-otpiton] [USER_NAME][MEMBER]
Command name/Function/Command user	Options	Function
gpasswd/ set group password and members/ Superuser & Group administrator	-a	Add a user to a group (updates the "member" field in both "/etc/group" and "/etc/gshadow")
	-d	Remove a user from a group (updates the "member" field in both "/etc/group" and "/etc/gshadow")
	-A	Specify a group administrator (Superuser-only option, adds the specified admin to the "Admin" field in "/etc/gshadow")
	-r	Remove the group password (removes the password field in both "/etc/group" and "/etc/gshadow")
	-R	Lock the group (prefix the password field in "/etc/gshadow" with "!")
	--help	Displays the command's built-in help and usage information

Now, let's explain the concept of the group password. When using the gpasswd command without options, it sets a group password. This password is only required when non-group members want to switch to that group using the newgrp command. For example, if we have a group named "sub_grp" with a member "ccc," switching to "sub_grp" using newgrp won't require a password. However, non-group members would need to enter the password to switch to "sub_grp."

Let's try an example:

(Sign in as Superuser, continuing from the previous example)

# gpasswd sub_grp ←Set a password for the "sub_grp" group
Changing the password for group sub_grp
New Password: ← Enter the desired password
Re-enter new password: ←Confirm the password
# su - aaa ← Switch to the "aaa" account (a non-member of "sub_grp" to test)
$ newgrp sub_grp ← Join the "sub_grp" group using the "aaa" account
Passwd: ←Enter the group's password to join "sub_grp"

Additionally, if the group has no password set or if the group is locked using gpasswd -R, non-group members will never be able to use that group.

As a shortcut, the Superuser can designate a specific account as the group administrator for each group. The group administrator can then execute gpasswd to manage that particular group (the group administrator doesn't have to be a member of the group).

Here are some other examples:

# gpasswd -a aaa sub_grp ← Add the "sub_grp" group to the "aaa" account
# gpasswd -d aaa sub_grp ←Remove the "aaa" account from the "sub_grp" group
# gpasswd -r sub_grp ←Remove the password for the "sub_grp" group
# gpasswd -A aaa sub_grp ←Set the "aaa" account as the group administrator for "sub_grp."
# gpasswd -R sub_grp ←Lock the "sub_grp" group (others can't join using newgrp, only reset password to unlock)

By using the gpasswd command effectively, Linux system administrators can manage group memberships and passwords with ease.

^ back on top ^

groupmod : Modify a group
The groupmod command is used to modify existing groups, and its most important function is to change the group name. Here's how you can use groupmod:

Syntax:groupmod [-otpiton] [NEW_GROUP][OLD_GROUP]
Command name/Function/Command user	Options	Function
groupmod/ modify group/ Superuser	-g	Modify the GID (Group ID).
	-o	Used in conjunction with -g to specify a non-unique GID
	-n	Change the group name
	--help	Displays the command's built-in help and usage information

Example:

# groupmod -g 800 -o sub_grp ←Change the GID of the group "sub_grp" to 800
# groupmod -n hr_grp sub_grp ←Rename the group "sub_grp" to "hr_grp" (new name comes first)

When using useradd to create user accounts, if you are not satisfied with the default group name, you can use groupmod -n NEW OLD to change the default group name. Additionally, this will automatically update the group name for previously created files associated with that group to the new name.

groupdel : Delete a group
The groupdel command is used to delete groups in Linux. Its usage is straightforward: groupdel GROUP. However, only the Superuser (root) can execute this command.

It's important to note that groupdel can only delete supplementary groups but not the primary group of any user. The primary group of a user cannot be deleted as it is associated with that user's ownership and permissions on files and directories.

^ back on top ^

1.1 Collaborative Group Work
The purpose of group management in Linux is to facilitate the sharing of resources, typically involving directories and files.

When it comes to directories, one way to achieve resource sharing is by setting the "Set Group ID Bit" (SGID) on a directory. This means that regardless of who adds a file to that directory, the file's group ownership will automatically match the group ownership of the parent directory.

Another method involves having multiple user accounts set to the same group or adding them to an additional group. Then, the shared directory or file can have its group ownership set to a common group name shared among the users. This allows users within that group to access and collaborate on the shared directory or file, provided the permissions of the files and directories are set correctly.

To change the group ownership of a file or directory, the chown and chgrp commands can be used.

chgrp : Change the group ownership of a file
If it is a regular user, the chgrp command can only change the group name of a file within the scope of group memberships. In other words, they can only change the group to a group they are a member of.

However, if the Superuser (root) changes the group name using chgrp, the new group name must be recorded in the system's group database, typically located in the "/etc/group" file, for the change to take effect and be recognized by the system.

Here's the detailed syntax for chgrp:

Syntax:chgrp [-otpiton] [GROUP] FILE/DIRECTORY
Command name/Function/Command user	Options	Function
chgrp/ change group owne/ Any	-c	Show only the modified parts
	-f	Do not display errors
	-h	Change the group for symbolic links but not the target file
	-R	Recursively change the group for all files and subdirectories
	-v	Display the process of changing ownership
	--help	Displays the command's built-in help and usage information

Example:

# chgrp rd_grp file ←Change the group ownership of "file" to "rd_grp"
# chgrp -R sub_grp ~/homework ←Change the group ownership of all files and subdirectories within the "homework" directory in the home directory to "sub_grp"

chown : Change File Ownership
The chown (chage owner) command in Linux is used to change the ownership of files and directories. Ownership in Linux refers to the user and group associated with a file or directory. Only the superuser (root) or the current owner of a file can change its ownership using the chown command. The basic syntax of the chown command is chown [OPTIONS] OWNER[:GROUP] FILE(s)

Here's what each component of the syntax means:

OWNER: This is the new owner that you want to assign to the file(s) or directory. It can be a username or a numeric user ID (UID). If you only specify the owner, the group ownership remains unchanged.
GROUP: This is the new group that you want to assign to the file(s) or directory. It can be a group name or a numeric group ID (GID). If you don't specify the group, the file's group remains unchanged.
FILE(s): This represents the list of files or directories whose ownership you want to change.

Its detailed option is as follows

Syntax:chown [-otpiton][USER][.][GROUP] FILE/DIRECTORY
Command name/Function/Command user	Options	Function
chown/ Change File Ownership/ Any	-c	Show only the modified parts.
	-f	Do not display errors
	-h	Change the owner for symbolic links but not the target file
	-R	Recursively change the owner for all files and subdirectories
	-v	Display the process of changing ownership
	--help	Displays the command's built-in help and usage information

^ back on top ^