Linux Crash Course – Managing Groups

In this episode of Linux Essentials, we take a look at group management. You’ll see commands such as groupadd and groupdel in action as we navigate concepts around adding groups, removing groups, assigning/removing users to groups, and more!

YouTube player

Most videos in this series can be viewed in any order, but I do recommend that you watch the video about user management first before this one. Either way, if you already know how to add users, we can continue. Let’s talk about groups.

Files have a user and group that owns them.

ls -l

In the output, we can see which user owns the file, and which group owns the file. If the output of the ls -l command or permissions confuses you at all, I have a dedicated video about permissions, if you want to brush up on permissions.

Groups are a great thing when it comes to user management, because it helps you place users into categories. For example, you can have an accounting group, and all users in the accounting department will be a member of that group. You can give a user access to accounting files by simply adding them to the group, which is better than adding that user to each file manually. That would take a long time. We’ll see examples of that shortly.

But first, what groups am I a member of?

groups

By executing the groups command, by itself, it will show you a list of groups you’re a member of.

You can also query the groups for a user other than yourself:

groups foxmulder

Reading group memberships doesn’t require root privileges, so I didn’t even need to switch to root or use sudo in order to view that.

In the users video, I talked about the /etc/passwd file:

cat /etc/passwd

I’m not going to go over all of the content of that file again, since I did so in the user management video. But the quick summary is that the /etc/passwd file lists all the user accounts on the system, and I bring that up because there’s actually a dedicated file for groups as well:

cat /etc/group

And this file is relatively simple. Each group is listed on its own line. There’s a Group ID listed for each, or GID for short. Each GID is unique, you can’t have two groups with the same GID.

On the far left, we have the name of the group. You’ll even notice that there’s a group here that has the same name as my user id, that’s normal and quite common. Some distros will put your user in a group called users for example, while others, like you see here, creates a group for each user account with the same name.

The /etc/group password is broken down into columns, each separated by a colon. We’ve already gone over several of the columns, you know what the GID is now, and the username is there on the left. The second column is an “x” for each, and that is where the group password would be set, if there was one. But group passwords are not common, and are somewhat of a security risk. Since they’re really not used much, if at all nowadays, we’re not going to discuss group passwords, so we’ll skip talking about this second field any further.

Third, we have the GID, which we’ve already discussed.

And the last column, we have a comma separated list of users that area member of that group. Many of these don’t have a user listed at the end, which means that there are no users that are a member of that group. Quite a few of these are unused.

So, how do you create a new group? That’s simple, we can use the groupadd command:

sudo groupadd gamers

I added a group called gamers, because wouldn’t it be cool if your company had a gamers department where they were paid to play video games? Well I can dream, but that’s probably not going to happen, so let’s use the groupdel command to delete that group:

sudo groupdel gamers

Right away, I just showed you two new commands. groupadd and groupdel, and they’re simple commands. One of them adds a group, the other removes a group. So now, you know how to add and remove groups from your system.

But as with most things when it comes to Linux, there’s more to groups than that. I haven’t even shown you how to add a user to a group yet. I’ll cover that shortly. But first, I want to make sure that you are aware of the fact that there’s two types of group memberships, a user has a primary group, and also secondary groups.

If we look at the /etc/passwd file, there’s a GID listed there. That GID is associated with whatever the user’s primary group happens to be. And you can change the primary group anytime. But the GID you see here is what the primary group is for that user at this point in time.

cat /etc/passwd

What’s the difference between a normal group and a primary group? Well, nothing. They’re both groups, and in the /etc/group file, none of the groups are identified as primary or not, so when I refer to “primary” group, that’s not a different class of groups. It’s just that for each user, one group is added to them that’s considered the primary group. And any group that’s available can be the primary group for that user. A primary group for a user is applied to things that are spawned from that user, such as files or processes, but that’s outside the scope of this video. For now, just remember that primary groups are added to the user when they’re created, it can be changed, and any group you add to a user after the primary are all secondary group memberships.

So let’s add a group to a user. There are multiple commands available that you can use to assign a user to a group, my go to has been the usermod command. The usermod command isn’t specific to groups, it’s actually a command you can use to modify a user account, and group membership is just one of the things the usermod command allows you to change.

So, I’ll create a new group, as we did before:

sudo groupadd server-admins

And next, I’ll add a user to that group. I’ll add the foxmulder user I created in a previous video to that group.

First, let’s check the users group memberships as of now:

groups foxmulder

And now, let’s add the new group to that user:

sudo usermod -aG server-admins foxmulder

The way the command breaks down, is that with usermod, I’m adding the -a option because I want to append. I don’t want to replace. Then, I add the -G option, and I add that to clarify that what I want to edit is group membership. Next, I add the name of the group I want to work with, and then finally the name of the user I want to add to that group.

And the changes take effect immediately:

groups foxmulder

However, if that user is currently logged in, then they won’t have access to that group until they log out and log in. Group memberships are read when the user logs in.

To see that in particular, I’ll add my own user to that group:

sudo usermod -aG server-admins jay

But that hasn’t taken effect yet:

groups

Notice that I omitted the name of the user, because I’m querying my own user, so the groups command will default to whatever user you’re currently logged in with. If I enter that command again after I log out and log in again, it will show the new group membership.

But if I do add my username to the groups command, despite the fact that my username is implied if I don’t include it, I get different results:

groups jay

With that command, I’m telling it to give me a list of groups my user is a member of, but it’s not using my current session, so it gives me all the groups that I’m a member of (even though I need to log out and log in to take advantage of the new group assignment).

So, how do you change the primary group of a user? That’s relatively simple:

sudo usermod -g serveradmins foxmulder

Notice that I used a lowercase g, instead of an uppercase G like before. Also notice I’ve omitted the -a option as well. I don’t necessarily recommend that you change the primary group of a user though, unless you want to go through your system and correct permissions and such for the files you own, and other oddities may happen, so I’m not going to execute that command. But I did want you to be aware of it.

Another benefit of good group management, and it’s probably one of the most practical examples, is openssh. You don’t have to follow along with this part, you can simply watch. Unless you really do want to modify openssh. But you may not even have the openssh server installed, so it’s probably best to just watch.

sudo nano /etc/ssh/sshd_config

There’s a special option, that’s usually not present at all by default. It’s called AllowUsers. I can add it like this:

AllowUsers jay foxmulder danascully thedoctor spock

So as you can see, I have added some users to the AllowUsers option, each separated with a space. If I were to save this file, then restart the openssh server, then only those users would be able to log in via ssh. And that’s not a bad security approach at all, it’s perfectly valid. You should absolutely restrict who can log in to your server. But AllowUsers is a pain to manage.

Instead, I can include AllowGroups:

AllowGroups ssh-users

There, I have one group. I won’t need to edit the ssh config file again to add a user to the server. I can simply add and remove users to that group, and the changes take effect immediately going forward. If you do decide to implement AllowGroups on your server, absolutely make sure you create the group and add your user to it, or you’ll get locked out. And you can call the ssh-users group anything you want, and it doesn’t really matter. Just make it consistent.

I’ll leave you with another command that’s related to group management, the gpasswd command. You can also use that to add a user to a group:

sudo gpasswd -a foxmulder ssh-users

So, you can use that command in place of the usermod command. Pick your favorite. I bring up the gpasswd command not just because I wanted to show you an alternate command, but also because you can easily use it to remove a user from a group:

sudo gpasswd -d foxmulder ssh-users

And that’s about it.