The previous article covered Managing Users. Administrators need to be able to not only manage new and existing users, but also the Groups that the users can belong to on a system.
Keep in mind that these skills are more beneficial in a larger network in a domain-style environment than on a single system. If you worked in a corporation with multiple departments then it is much easier to place all users in a department into a single Group for that department. Once you assign permissions to the Group then all users have the same permissions. Of course, if you assign more permissions to specific Users, then those Users will have more permissions above the Group permissions.
NOTE: Be careful giving individual permissions above the Group permissions.
In this article, I will cover the following items:
- Creating Groups
- Modify Groups
- Setting Group Permissions
- Group Passwords
- Deleting Groups
Adding a new group is a very simple process. The command is ‘groupadd’ followed by the new group name. For example, if you wanted a group called ‘techs’ the command would be:
sudo groupadd techs
To verify the group has been created, you can use the command:
grep sales /etc/group
An entry should be found in the ‘group’ file and should be something like the following:
The ‘x’ shows that the Group password has not been set. The Group ID (gid) is 1001 (which will vary depending on whether other groups have been created). The last entry would list the users that are members of the specified group. In this case, there are no members in the new group.
The group modification command is used to only change the members.
When modifying a group we can change the membership only by a single user or multiple users at a time.
Let’s look first at changing a single user’s group memberships. Any groups you list are all of the memberships for that user, the existing memberships are removed. Use the command ‘id -Gn username’. Replace ‘username’ with a username of your choice on your system. The list you get back should be a starter list of group memberships for the specified user. If I use the command on the user ‘tech1’ on CentOS or Ubuntu I would get ‘tech1’. Every new user will have its own group by default and be a member of that group only.
Now, let’s assume we want to add the user ‘tech1’ to the ‘techs’ group. The command would be:
sudo gpasswd -a tech1 techs
The command will add the user ‘tech1’ to the ‘techs’ group. The command allows a single user to be added to a single group. If you wanted to add a user to multiple groups, you could execute the command for each group.
Otherwise, to add the user to multiple groups at once, you need to list groups you want to add to the existing group memberships. So, if I wanted to add ‘tech1’ to the groups ‘techs’, ‘sales’, ‘mgmt’ and ‘research’ I would use the following command:
sudo usermod -a -G techs,sales,mgmt,research tech1
If you run the command ‘id -Gn tech1’ you should see that it is still in the ‘tech1’ group and all the new groups you specified in the command.
Now, if we just created multiple users and need to add them to a group at once, we can use the following command:
sudo gpasswd -M tech1,tech2,tech3,tech4,tech5 techs
The command must include all the users currently in the group. The ‘-M’ will overwrite the existing membership list. To see a list of members in a group, use the following command:
getent group <group name>
NOTE: The group with the same name as a user, such as ‘tech1’ will not show the user ‘tech1’ in the group.
If you want to see the groups that a specific user is a member of, then use the command:
Some changes made to groups will not take effect until the user logs out and logs back in.
Instead of a System Administrator handling all of the groups, a Group Administrator can be specified. A Group Administrator can add or remove an individual user to a group with a single command. The Group Administrator can run ‘gpasswd -a <username> <group name>’. The Group Administrator does not need to use ‘sudo’ since they have permission to change group membership.
To see the administrators for a group you’ll need to look at the file ‘/etc/gshadow’. If I used the command ‘sudo gpasswd -A tech1 techs’ to make the user ‘tech1’ the administrator of ‘techs’, I can check the administrator list. Perform the following command and change the group name as you need:
sudo grep techs /etc/gshadow
I may get a response such as:
The first entry specifies the group ‘techs’. The second section is a ‘!’ which is the password that is not set for the group. The third section specifies the Group Administrator. Keep in mind that there can be more than one administrator. The last section is the list of members of the group.
Let’s assume we want to remove the Group Administrator, we use the command:
sudo gpasswd -A ‘’ techs
The Group Administrator is now set to none. You can look at the ‘/etc/gshadow’ file to check it.
Setting Group Permissions
What if we needed a shared folder for all of the users in the group ‘techs’? The folder would be a great place for the ‘techs’ group to share files that would be beneficial to all the users. In this case, program updates or even new program installation files could be useful.
Let’s start by choosing a location, such as the ‘/home’ folder. If you use the command ‘sudo mkdir /home/techs’. Change the current folder to ‘/home’ with the command ‘cd /home’. You can look at the current settings on the folder with the command ‘ls -ld techs’. You can see the output shows that the owner and group are ‘root’. These need to be changed.
To change the group we can simply use the command ‘sudo chgrp -R techs /home/techs’. The parameter ‘-R’ allows the command to be placed recursively on all files and folders within the folder specified. Since we just created the folder, it should be empty anyway. If we were to assume that the user ‘tech1’ is the tech manager, we can give the tech user ‘tech1’ ownership of the ‘techs’ folder. The command we use would also allow us to change the group as well. The command is ‘sudo chown -R tech1:techs techs/’. The ‘-R’ is still for applying the ownership recursively. The ‘/’ is used to specify that ‘techs’ is a folder and not a file. We can make sure that only the group ‘techs’ and the owner ‘tech1’ have rights to the folder by using the command ‘sudo chmod 770 techs’ (make sure you are in the ‘/home’ folder). Now, we need to set the ‘setgid’ bit so that all new files and folders will be owned by the ‘techs’ group. Use the command ‘sudo chown g+s techs/’. If you run the command ‘ls -ld techs’ you should see that the permissions have changed for the ‘techs’ folder.
Now, within each Home folder of the tech users (tech1, tech2, tech3, etc) we can create a folder named ‘techs’. We will mount this new folder to the ‘/home/techs’ folder with the command ‘sudo mount /home/techs /home/tech1/techs/’. Change the username for each user (in the command the ‘tech1’ folder) for each user.
NOTE: If you have issues with this section, make sure all of the users are in the group ‘tech’. Use the ‘ls -ld techs’ command on the folder to verify that the owner is ‘tech1’ and the group owner is ‘techs’. Also, verify the permission settings on the folder when you use the ‘ls -ld techs’ command.
You can create a file in ‘techs’ with the command ‘touch test.txt’, or use whatever file name you want. Use the ‘ls -ld test.txt’ command to see that the ownership is tech1 and techs. All users in the ‘techs’ group should have full access to the techs folder. You can test the permissions by logging in as a tech user with the command ‘su tech2’ and then entering the password for the user. Switch to the home folder (cd ~) and then to the techs folder (cd techs) to create and edit files.
Setting Group Passwords is a very dangerous tool that should not be used in normal situations. In the last section, we covered making a shared folder for a group. What if we wanted to let a folder be accessible to any user that we wanted, but not initially give everyone permission to that folder?
Let’s look at an example. We looked at giving the ‘techs’ folder access to only the ‘techs’ group. Let’s say we had a folder called ‘everyone’ and set up the folder as we did above. The group ‘everyone’ has full access to the folder. The group has only one member, ‘tech1’. A password is set on the group that is not known to anyone except those that we want to join the group.
NOTE: If someone gives the password to a user that you do not want to have access to the group, then you are out of luck. This scenario is why the group passwords are not perfect.
Create a group that we want to set a password on it. If we follow through with the ‘everyone’ example, we can execute ‘sudo groupadd everyone’. Once the group is created, we can set a password on it with the command ‘sudo gpasswd everyone’. You should then be prompted to set a password and then to verify it. Initially, you may be prompted for your password for using the ‘sudo’ command.
Once the user is logged into the system, they can use the command ‘newgrp everyone’ or ‘sg everyone’ to join the group after they type in the group password. Once the user logs out, they are no longer part of the group until they execute one of the commands to join it again.
If you want to remove a password for a group, use the command ‘sudo gpasswd -r everyone’. The ‘-r’ is used to remove the password.
Any group you have created can be deleted. The command to delete a group is ‘sudo groupdel <group name>’.
If a user has its Primary Group set as the group you are wanting to delete, the command will not work. You need to change the primary group for the user and then retry the group delete.
If a user has the group as a primary group, you will get the user name of the user that has the group as its primary group. You can change the primary group with the command ‘sudo usermod -g <primary group> <username>’. Sometimes it is best to change the primary group name to the same name as the user. Once the change is made, you can try to delete the group again. If another user has the group to delete as a primary group, you will get the username. Change the primary group for the new specified user. Keep trying the deletion command until it does work. Hopefully, you do not need to change a lot of primary groups.
Using groups is a good way to manage multiple users at once instead of individually. Practice these commands and be familiar with them to make sure you truly understand using groups.
In a large environment, groups will make management easier.