
RHCSA - Manage Users & Groups: Create, delete, and modify local groups and group memberships

/etc/group File

The /etc/group file is a plain text file that contains a line for each group on the system. Each line consists of several fields separated by colons (:), representing different attributes of the group. The fields in the /etc/group file are as follows:

  • Group Name: This field contains the name of the group. It is used to identify the group.
  • Password: Similar to the /etc/passwd file, the /etc/group file historically stored the encrypted password for the group. However, modern Linux systems store the password hashes in a separate file, such as /etc/gshadow. In the /etc/group file, this field is typically represented by a placeholder, such as x or *.
  • Group ID (GID): The GID field stores a unique numeric identifier for the group. Each group on the system must have a distinct GID.
  • Group Members: The Group Members field lists the usernames of the users who are members of the group. Multiple usernames are separated by commas.

/etc/gshadow File

The /etc/gshadow file is another plain text file that works in conjunction with the /etc/group file to store additional group-related information, particularly sensitive data. It's used to enhance security and control over group management on the system.

The fields in the /etc/gshadow file are as follows:

  • Group Name: This field corresponds to the name of the group for which the entry is created in the file. It is used to identify the group.
  • Encrypted Password: Similar to the /etc/passwd file, the /etc/gshadow file used to store encrypted passwords for groups.
  • Administrators: The Administrators field lists the usernames of users who are granted administrative privileges over the group. These users can modify group membership and other attributes. This field helps control group management responsibilities.
  • Members: The Members field contains the usernames of users who are members of the group. It specifies the user accounts that belong to the group. Each username is separated by commas.
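The field layout above is easiest to remember by parsing it. The shell snippet below is an added example, not part of this tutorial: it reads constructed /etc/group and /etc/gshadow style data with awk and performs three checks a defender cares about: that no GID is shared by two groups, that the world-readable /etc/group holds only a placeholder in the password field (a real hash belongs in /etc/gshadow), and that both files list the same groups. The sample lines and group names are made up for the example; on a real host point the functions at the actual files (grpck from shadow-utils performs a similar consistency check).

```shell
#!/bin/sh
# Added example (not part of the original tutorial): parse group database
# files and check them for consistency. All data below is constructed.

# Constructed /etc/group sample: group_name:password:GID:member_list
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
norm_group:x:2222:
sys_group:x:975:bob,carol
legacy:$6$badidea$hashinworldreadablefile:2223:dave
dupe:x:2222:'

# Constructed /etc/gshadow sample: group_name:encrypted_password:admins:members
SAMPLE_GSHADOW='root:::
wheel:!::alice
norm_group:!::
sys_group:!:bob:bob,carol
legacy:!::dave'

# Print the members of one group (field 4), one per line.
group_members() {   # $1 = group name, $2 = group data as a string
    printf '%s\n' "$2" | awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Report GIDs used by more than one group: every group must have a distinct GID.
duplicate_gids() {   # $1 = group data
    printf '%s\n' "$1" | awk -F: '
        { seen[$3] = (seen[$3] ? seen[$3] "," $1 : $1); count[$3]++ }
        END { for (g in count) if (count[g] > 1) print g ": " seen[g] }'
}

# Report groups whose /etc/group password field is not a placeholder
# ("x", "*", "!" or empty). A hash here is readable by every local user.
hashes_in_group_file() {   # $1 = group data
    printf '%s\n' "$1" | awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { print $1 }'
}

# Report group names present in only one of the two files.
gshadow_mismatch() {   # $1 = group data, $2 = gshadow data
    {
        printf '%s\n' "$1" | awk -F: '{ print $1 }'
        printf '%s\n' "$2" | awk -F: '{ print $1 }'
    } | sort | uniq -u
}

# Run the checks against the constructed sample.
echo "members of sys_group:";     group_members sys_group "$SAMPLE_GROUP"
echo "duplicate GIDs:";           duplicate_gids "$SAMPLE_GROUP"
echo "hashes in group file:";     hashes_in_group_file "$SAMPLE_GROUP"
echo "group/gshadow mismatches:"; gshadow_mismatch "$SAMPLE_GROUP" "$SAMPLE_GSHADOW"
```

With the sample data the checks flag the shared GID 2222 (norm_group and dupe), the hash stored in the legacy group's /etc/group entry, and the dupe group that has no /etc/gshadow line.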

Creating Local Groups

The groupadd command is used to create new groups and allows system administrators to specify various parameters and settings during the group creation process.

The below table shows some of the most common options to use with the groupadd command:

Option         Description
-g, --gid      Specifies the Group ID (GID) for the group. This numeric identifier uniquely represents the group within the system. Use this option to set a specific GID for the newly created group.
-r, --system   Creates a system group. System groups are typically used for system-related purposes and are identified by a GID below 1000 in most cases.
-f, --force    Forces the creation of the group, even if a group with the same name already exists. By default, if a group with the specified name already exists, groupadd would not create a new group. This option overrides that behavior and ensures the creation of the group regardless of existence.

The below exercises will get you creating groups:

Create a normal group:

sudo groupadd -g 2222 norm_group

Confirm the group was created:

getent group norm_group

Output will show the group was created and has group ID 2222:

norm_group:x:2222:

Create a system group:

sudo groupadd -r sys_group

Confirm the group was created:

getent group sys_group

Output will show the group was created and has group ID less than 1000:

sys_group:x:975:

Modifying Local Groups

The groupmod command allows you to modify group attributes and settings. It provides a flexible way to update group properties without recreating the entire group.

Here are some common options you can use with the groupmod command:

Option                         Description
-n, --new-name NEW_GROUPNAME   Changes the name of the group to the specified NEW_GROUPNAME.
-g, --gid GID                  Sets the new group ID to the specified GID.

The below exercise will get you modifying groups:

Change name and group ID for a group:

Rename norm_group to renamed_grp and change the group ID to 3333:

sudo groupmod -g 3333 -n renamed_grp norm_group

Confirm the group was renamed:

getent group renamed_grp

Output will show the group was renamed and now has group ID 3333:

renamed_grp:x:3333:

Modifying Local Group Membership

The usermod command is used to modify existing user accounts on the system. It allows system administrators to change various attributes of a user account, such as the user's home directory, default shell, user ID (UID), group ID (GID), supplementary groups, and more.

The table below outlines the options with the usermod command that relate to group membership:

Option         Description
-g, --gid      Change the primary group ID (GID) for the account.
-G, --groups   Change additional supplementary groups for the account.
-a, --append   Append user to supplementary groups (used with -G).

Below is an example exercise demonstrating the use of usermod to modify an existing user's group membership.

Create a user:

This user will be used to practice amending group membership on:

sudo useradd grp_user1

Confirm the user was created and which groups they are a member of:

id grp_user1

Output will show they are only a member of their own group grp_user1:

uid=1006(grp_user1) gid=3334(grp_user1) groups=3334(grp_user1)

Add a user to existing groups:

Add the grp_user1 user to the groups created earlier (sys_group and renamed_grp):

sudo usermod -aG sys_group,renamed_grp grp_user1

The -a option ensures that the groups are appended to the user's existing supplementary groups rather than replacing them.

Confirm the change in group membership took place:

id grp_user1

Output will show they are now members of the sys_group and renamed_grp groups:

uid=1006(grp_user1) gid=3334(grp_user1) groups=3334(grp_user1),975(sys_group),3333(renamed_grp)

Amend a user's primary group:

Amend the grp_user1 user so that the primary group is renamed_grp:

sudo usermod -g renamed_grp grp_user1

Confirm the change in group membership took place:

id grp_user1

Output will show the primary group is now renamed_grp and the groups list contains renamed_grp and sys_group. Notice that although we only changed the primary group, the grp_user1 group is no longer present in the groups list at all:

uid=1006(grp_user1) gid=3333(renamed_grp) groups=3333(renamed_grp),975(sys_group)

Explicitly set the supplementary groups for a user:

Explicitly set supplementary group membership to wheel only, which removes the grp_user1 user from any existing supplementary groups they are a member of:

sudo usermod -G wheel grp_user1

Confirm the change in group membership took place:

id grp_user1

Output will show the groups list now only contains the primary group and the wheel group:

uid=1006(grp_user1) gid=3333(renamed_grp) groups=3333(renamed_grp),10(wheel)

Deleting Local Groups

The groupdel command deletes a group: it removes the group's entry from the group database and updates the group membership of users accordingly.

The -f option can be used with the groupdel command to force the deletion of the group, even if the group still has members.

The below exercise will get you removing the groups created earlier:

Forcibly delete a group:

Delete the renamed_grp group:

sudo groupdel -f renamed_grp

Check the group membership for the grp_user1 user:

id grp_user1

Notice that because we forcibly removed a group which still had members, the group ID of the deleted group remains against the grp_user1 user, and id can only show it as a bare number. It is much better not to use the -f option, so that the command complains about existing membership, which can then be resolved before deleting the group:

uid=1006(grp_user1) gid=3333 groups=3333,10(wheel)

Remove the remaining group:

sudo groupdel sys_group

Confirm the group was deleted:

getent group sys_group

This should return nothing, meaning the deletion was successful.
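The usermod exercises and the forced groupdel above leave two things worth auditing on a real host: supplementary groups silently dropped by usermod -G without -a, and primary GIDs that no longer resolve to a group. The shell snippet below is an added example, not part of this tutorial: it works from constructed /etc/passwd and /etc/group style data written to temporary files, reproduces the groups= part of id for a user, lists who holds a privileged group such as wheel (by primary GID or by the member list), flags dangling primary GIDs, and shows which groups a non-append usermod -G would remove. The user and group names are constructed for the example, and the sample differs from the exercise in that grp_user1 is still a member of sys_group; on a real host substitute /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): audit local account
# files for dangling primary GIDs and privileged-group membership.
# All data below is constructed.

# Constructed /etc/passwd sample: name:x:UID:GID:GECOS:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
grp_user1:x:1006:3333::/home/grp_user1:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash'

# Constructed /etc/group sample. renamed_grp (GID 3333) has already been
# removed with groupdel -f, so grp_user1 keeps a GID no group resolves.
SAMPLE_GROUP='root:x:0:
wheel:x:10:grp_user1,alice
sys_group:x:975:grp_user1
alice:x:1001:
bob:x:1002:'

# Write the samples to temporary files so awk can read both in one pass.
PASSWD_FILE=$(mktemp); GROUP_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$GROUP_FILE"' EXIT
printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"
printf '%s\n' "$SAMPLE_GROUP"  > "$GROUP_FILE"

# Users whose primary GID has no entry in the group file. id prints such a
# GID as a bare number (gid=3333) because nothing resolves it to a name.
dangling_primary_gids() {   # $1 = passwd file, $2 = group file
    awk -F: 'NR == FNR { known[$3] = 1; next } !($4 in known) { print $1 ":" $4 }' "$2" "$1"
}

# Reproduce the groups= part of id for one user: primary group first, then
# every group whose member list names the user, in file order.
user_groups() {   # $1 = user, $2 = passwd file, $3 = group file
    awk -F: -v u="$1" '
        NR == FNR { if ($1 == u) primary = $4; next }
        $3 == primary { pname = $1 }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) supp = supp "," $3 "(" $1 ")" }
        END { if (pname == "") print primary supp; else print primary "(" pname ")" supp }' "$2" "$3"
}

# Everyone holding a group, whether through their primary GID or the member
# list: both routes grant the group'"'"'s access, so an audit must check both.
members_of() {   # $1 = group name, $2 = passwd file, $3 = group file
    awk -F: -v g="$1" '
        NR == FNR { byprimary[$4] = (byprimary[$4] ? byprimary[$4] "," $1 : $1); next }
        $1 == g { out = $4; if ($3 in byprimary) out = (out == "" ? byprimary[$3] : byprimary[$3] "," out); print out }' \
        "$2" "$3" | tr ',' '\n' | awk 'NF' | sort -u
}

# Supplementary groups the user would lose from "usermod -G <list>" run
# without -a: every current supplementary group not named in <list>.
dropped_without_append() {   # $1 = user, $2 = comma-separated new list, $3 = group file
    awk -F: -v u="$1" -v keep=",$2," '
        { n = split($4, m, ","); for (i = 1; i <= n; i++)
              if (m[i] == u && index(keep, "," $1 ",") == 0) print $1 }' "$3"
}

echo "dangling primary GIDs:";      dangling_primary_gids "$PASSWD_FILE" "$GROUP_FILE"
echo "groups for grp_user1:";       user_groups grp_user1 "$PASSWD_FILE" "$GROUP_FILE"
echo "members of wheel:";           members_of wheel "$PASSWD_FILE" "$GROUP_FILE"
echo "lost by usermod -G wheel:";   dropped_without_append grp_user1 wheel "$GROUP_FILE"
```

With the sample data the audit reports grp_user1:3333 as a dangling primary GID, renders grp_user1's membership as 3333,10(wheel),975(sys_group), lists alice and grp_user1 as wheel members, and shows that usermod -G wheel without -a would drop grp_user1 from sys_group. Note that membership changes made with usermod only apply to sessions started after the change; an already logged-in user keeps the groups they had at login.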
