Manage User Groups

This section provides a tutorial example on how to manage user groups. Use 'groupadd' to add new groups. Use 'usermod -g' to change a user's primary group. Use 'gpasswd -a' to assign supplementary group membership.

What Is a Group? - A group acts like a bridge on your Linux computer, giving users access to files that they do not own.

There are 3 components in using groups to manage file access permissions: Defining a Group, Assigning Users to a Group, and Controlling File Group Access Permissions.

1. Defining a Group - Groups are defined in 3 ways:

1.1. Groups defined by Linux system - Linux systems come with a set of predefined groups like: root, bin, sys, adm, etc.

1.2. Groups defined explicitly - New groups can be defined explicitly using the "groupadd" command. For example, the following command defines a group called "dba":

root# groupadd dba

You can view existing groups with the "getent group" command. The output format is <group_name>:x:<group_id>.

root# getent group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
...

root# getent group dba
dba:x:1004:

1.3. Groups defined implicitly - By default, when you create a new user, a new group with the same name is created. For example, "herong" is a group that was created when my user name "herong" was created:

root# getent group herong

herong:x:1000:

2. Assigning Users to a Group - Users are assigned to groups with 2 types of group membership: primary group and supplementary group.

2.1. Primary Group - A user must be assigned a single primary group. This will be the default group context when he/she logs in.

You can view the current primary group of a given user with the "id" command. The "gid" field in the output indicates the user's primary group.

root# id herong

uid=1000(herong) gid=1000(herong) groups=1000(herong)

You can change a user's primary group with the "usermod -g group_name" command. For example, the following command changes the primary group of "joe" to "dba":

root# usermod -g dba joe

root# id joe
uid=1003(joe) gid=1004(dba) groups=1004(dba)

2.2. Supplementary Group - A user can be assigned zero, one or many supplementary groups. You can use the "usermod -a -G group_name" command to assign a supplementary group to any given user. The "-a" option appends to the user's existing supplementary groups; without it, "-G" replaces them. For example, the following command appends "dba" as a supplementary group to "jean":

root# usermod -a -G dba jean

You can also use the "gpasswd -a user_name group_name" command to perform the same task as above:

root# gpasswd -a jean dba

Adding user jean to group dba

You can view the supplementary group members of any given group using the "getent group" command. The output format is <group_name>:x:<group_id>:<supplementary_group_members>.

root# getent group dba

dba:x:1004:joe,jean

To remove a supplementary group from a given user, you need to use the "gpasswd -d user_name group_name" command:

root# gpasswd -d joe dba

Removing user joe from group dba
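
An added example, not part of the original tutorial: the member list in "getent group" holds supplementary members, while a primary group assignment made with "usermod -g" is recorded in the user's passwd entry, so an access review of a group has to read both. The function name effective_members and the sample data (including jean's IDs) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data in passwd(5) / group(5) format, modeled on the
# tutorial's users. On a live system pass "$(getent passwd)" and
# "$(getent group)" instead.
SAMPLE_PASSWD='herong:x:1000:1000::/home/herong:/bin/bash
jean:x:1002:1002::/home/jean:/bin/bash
joe:x:1003:1004::/home/joe:/bin/bash'
SAMPLE_GROUP='herong:x:1000:
jean:x:1002:
dba:x:1004:jean'

# effective_members GROUP PASSWD_TEXT GROUP_TEXT
# Prints one sorted line per member: "<user> primary" or "<user> supplementary".
# Returns 2 if GROUP is not defined in GROUP_TEXT.
effective_members() {
    grp=$1
    # Group entries are read first so the group's gid is known before the
    # passwd entries are scanned; "=====" separates the two inputs.
    out=$(printf '%s\n=====\n%s\n' "$3" "$2" | awk -F: -v grp="$grp" '
        $0 == "=====" { in_passwd = 1; next }
        !in_passwd && $1 == grp {
            gid = $3; found = 1
            n = split($4, m, ",")          # 4th field: supplementary members
            for (i = 1; i <= n; i++)
                if (m[i] != "") kind[m[i]] = "supplementary"
            next
        }
        # passwd 4th field is the primary gid; primary wins if listed twice
        in_passwd && found && $4 == gid { kind[$1] = "primary" }
        END {
            if (!found) exit 2
            for (u in kind) print u, kind[u]
        }') || return 2
    [ -n "$out" ] && printf '%s\n' "$out" | sort
    return 0
}

# Review who holds "dba" access in the sample data.
effective_members dba "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```
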

See the next tutorial on how to control file group access permissions.
