Linux Tutorials - Herong's Tutorial Examples - v1.32, by Dr. Herong Yang
Manage User Groups
Provides a tutorial example on how to manage user groups. Use 'groupadd' to add new groups. Use 'usermod -g' to change user's primary group. Use 'gpasswd -a' assign supplementary group membership.
What Is Group? - A Group acts like a bridge on your Linux computer providing users accesses to files that they don't have ownerships.
There are 3 components in using groups to manage file access permissions: Defining a Group, Assigning Users to a Group, and Controlling File Group Access Permissions.
1. Defining a Group - Groups are defined in 3 ways:
1.1. Groups defined by Linux system - Linux systems come with a set of predefined groups like: root, bin, sys, adm, etc.
1.2. Groups defined explicitly - New groups can be defined explicitly using the the "groupadd" command. For example, the following command defines a group called "dba"
root# groupadd dba
You can view existing groups with the "getent group" command. The output format is <group_name>:x:<group_id>.
root# getent group root:x:0: bin:x:1: daemon:x:2: sys:x:3: adm:x:4: tty:x:5: disk:x:6: ... root# getent group dba dba:x:1004:
1.3. Groups defined implicitly - By default, a new group will be created with the same name, when you create a new user. For example, "herong" is a group created while my user name "herong" was created:
root# getent group herong herong:x:1000:
2. Assigning Users to a Group - Users are assigned to groups with 2 types of group membership: primary group and supplementary group.
2.1. Primary Group - A user must be assigned with a single primary group. This will be the default group context when he/she logs in.
You can view the current primary group of a given user with the "id" command. The "gid" field in the output indicates the user's primary group.
root# id herong uid=1000(herong) gid=1000(herong) groups=1000(herong)
You can change user's primary group with the "usermod -g group_name" command. For example, the following command changes the primary group of "joe" to "dba":
root# usermod -g dba joe root# id joe uid=1003(joe) gid=1004(dba) groups=1004(dba)
2.2. Supplementary Group - A user can be assigned with zero, one or many supplementary groups. You can use the "usermod -a -G group_name" command to assign a supplementary group to any given user. For example, the following command appends "dba" as a supplementary group to "jean":
root# usermod -a -G dba jean
You can also use the "gpassword -a user_name" to perform the same task as above:
root# gpasswd -a jean dba Adding user jean to group dba
You can view the supplementary group members of any given group using the "getent group" command. The output format is <group_name>:x:<group_id>:<supplementary_group_members>.
root# group dba dba:x:1004:joe,jean
To remove a supplementary group from a given user, you need to use the "gpassword -d user_name" command:
root# gpasswd -d joe dba Removing user joe from group dba
See the next tutorial on how to control file group access permissions.
Table of Contents