Before you start
Objectives: Learn how to create new groups, manage existing ones, and how to change group membership in Linux.
Prerequisites: no prerequisites.
Key terms: groupadd, groupmod, groupdel, usermod, Linux
Creating and Managing Groups
To add a new group we can use the ‘groupadd’ command. If we only enter the ‘groupadd’, we will see the syntax of the command. For example, to add a group called ‘developers’ we would enter the ‘groupadd developers’ command. To check that our new group is listed we can enter the ‘cat /etc/group’ command which will show us the content of the /etc/group database (file). Note that you will have to use the sudo command to get root privileges, if you are not logged in as root.
In /etc/group file you will notice that there will be groups listed with the same name as users on our machine. Anytime we create a new user, the system automatically create a new group of the same name as the user. Then it makes that group the primary group for that user. However, not all distributions use this method.
If we look at the format of the /etc/group file, we see that each line identifies a group. Each line contains several fields separated by a colon. We see that the first column contains the group name. Then the group password would be next. The next thing is the group ID number.
Groups are typically used for allowing different users to have access to the same things on our system. Because of that we want to allow users to be able to change to different groups themselves so that they can get access to different resources. To restrict user ability to add them to the group, we can assign that group a password. That way, if the user tries to change their group membership to that group, they would have to provide the password.
The last field in the /etc/group file would be a comma delimited list of user IDs that are members of that group. Note that primary group membership is not shown, only secondary group membership users are listed.
We also have a /etc/gshadow file. The gshadow file actually contains passwords for specific groups. The first field is the group name, second is the password, third is the list of administrators of the group, and the fourth is the list of group members.
The second field (group password) can contain exclamation mark (!) which means that the group can’t be accessed using the password. The double exclamation mark (!!) means that no password has been assigned to the group. If there is no value, only group members can log in to the group. To change the group password we can use the ‘gpasswd’ command. For example, if we enter the ‘gpasswd developers’ the terminal will prompt us to enter the password for the group ‘developers’.
To modify groups we can use the ‘groupmod’ command. With this command we can change the group ID, name, etc. To delete a group, we can use the ‘groupdel’ command. To see the syntax, enter the command with the –help option. In our example, we have renamed our ‘developers’ group to ‘devs’. Then we have deleted the ‘devs’ group.
groupmod and groupdel Commands
Note that we can’t add users to the groups using the ‘groupmod’ command. To do that, we have to use the ‘usermod’ command. Let’s check the usermod command syntax.
Notice that we can use the -g to change the primary group for the user, or -G to change the secondary group membership. We can also use the -a option to append user to groups (without removing user from other groups). In our example we have user called ‘demo’ and we want to change the secondary group for that user to the group called ‘sambashare’. To do that we will enter the command ‘sudo usermod -G sambashare demo‘. After that we can check the sambashare group now. We will see a comma separated list of users which are members of that group, including the demo user.