City College of San Francisco - CS260A Unix/Linux System Administration Module: Users and Authentication
The traditional way to add (or remove) a group is to edit the /etc/group file. Although this is still possible, it is more common today to use a tool: either the command-line program groupadd or a GUI user-and-group manager, which is itself only a front end to groupadd and useradd.
Adding a group
groupadd creates a new group with no members, named as indicated. As we know, group names are superfluous; all that matters is the group id. That id comes from the options in the synopsis below: -g gid assigns it explicitly, -r asks for a system group id, and with neither option groupadd picks the next available user group id.
groupadd [ -r ] [ -g gid ] groupname
groupadd will refuse to add a group using an existing groupname or gid. (There is a way to force this, but I can't see any reason you would want to.)
System group ids have lower values than user group ids. The dividing line is the value of GID_MIN in /etc/login.defs.
Users are added to existing groups using useradd or usermod. These programs are discussed in the following section on adding users.
Modifying a group
The command groupmod can be used to modify the gid (using -g newgid), the name (using -n newgname) or the password (using -p encryptedpass) of an existing group named gname:
groupmod [ -n newgname | -g newgid ] [ -p encryptedpass ] gname
Deleting a group
On the command line, groupdel is used to delete a group. Besides deleting the line in /etc/group, groupdel ensures that the group is not the default group of any existing user. If it is, the group will not be removed. You must first either delete those users or change their default group.
groupdel group
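The checks described above for groupadd (name or gid already taken, system versus user gid, the default gid chosen without -g) and for groupdel (a user still has the group as default group) can be reproduced with a few shell functions that read a group and a passwd file. This is an added example and not code from the course page; the sample /etc/group and /etc/passwd contents are constructed here so it runs without root, and GID_MIN is assumed to be 1000, the usual value in /etc/login.defs. Pointing the functions at the real /etc/group and /etc/passwd repeats the checks on a live system.

```shell
# Added example: the pre-checks of groupadd and groupdel as shell functions.
# Sample files below are constructed for this demonstration.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_GROUP="$SAMPLE_DIR/group"      # constructed /etc/group stand-in
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"    # constructed /etc/passwd stand-in
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
daemon:x:1:
alice:x:1000:
project:x:1001:alice,bob
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1002:1001:Bob:/home/bob:/bin/bash
EOF
GID_MIN=1000   # assumed value of GID_MIN from /etc/login.defs

# groupadd refuses an existing name: true (exit 0) if NAME is already a group.
name_in_use() {  # name_in_use GROUPFILE NAME
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# groupadd also refuses an existing gid: true if GID is already assigned.
gid_in_use() {  # gid_in_use GROUPFILE GID
    awk -F: -v g="$2" '$3 == g { found = 1 } END { exit !found }' "$1"
}

# System groups are those whose gid lies below GID_MIN.
is_system_gid() {  # is_system_gid GID MIN
    [ "$1" -lt "$2" ]
}

# The gid groupadd picks when -g is omitted: the lowest unused value >= MIN.
next_free_gid() {  # next_free_gid GROUPFILE MIN
    awk -F: -v min="$2" '{ used[$3] = 1 }
        END { g = min; while (g in used) g++; print g }' "$1"
}

# The groupdel safeguard: users whose default (fourth field) group is GID.
# groupdel refuses to remove the group while this list is non-empty.
default_group_users() {  # default_group_users PASSWDFILE GID
    awk -F: -v g="$2" '$4 == g { print $1 }' "$1"
}

# Resolve a group name to its gid (empty output if the name is unknown).
gid_of_group() {  # gid_of_group GROUPFILE NAME
    awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1"
}

# Demonstration on the sample files.
for name in project newgroup; do
    if name_in_use "$SAMPLE_GROUP" "$name"; then
        echo "groupadd $name: refused, name exists (gid $(gid_of_group "$SAMPLE_GROUP" "$name"))"
    else
        echo "groupadd $name: would receive gid $(next_free_gid "$SAMPLE_GROUP" "$GID_MIN")"
    fi
done
for name in daemon project; do
    gid=$(gid_of_group "$SAMPLE_GROUP" "$name")
    is_system_gid "$gid" "$GID_MIN" && kind=system || kind=user
    blockers=$(default_group_users "$SAMPLE_PASSWD" "$gid")
    if [ -n "$blockers" ]; then
        echo "groupdel $name ($kind group): refused, default group of $blockers"
    else
        echo "groupdel $name ($kind group): ok"
    fi
done
```

On the sample data, groupadd project is refused because the name exists, a new group would receive gid 1002 (1000 and 1001 are taken), and groupdel project is refused because bob still has 1001 as his default group.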
Remember that files, as well as users, belong to groups. When a group is deleted, any files in that group still carry its gid, which now refers to a non-existent group. A listing shows the numeric gid in place of a name, since it can no longer be translated. If groupadd later reuses that gid, those files silently become accessible to the new group. This can be a security issue. Before (or after) deleting a group you should always scan the filesystem for files in that group and change their group.
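The scan recommended above can be done with find, which accepts a numeric gid and also has a -nogroup test for files whose gid no longer maps to any name. The functions below are an added example, not the course's own code; the scratch tree they run on is constructed for the demonstration and stands in for a real filesystem root, and the tree's own gid stands in for the gid of a deleted group.

```shell
# Added example: locate files that still carry a group id before or after
# groupdel, and move them to a live group before groupadd reuses the gid.

# Files under ROOT owned by the numeric gid GID. find accepts a number here,
# which matters after groupdel, when the gid no longer has a name.
files_in_gid() {  # files_in_gid ROOT GID
    find "$1" -group "$2" -print 2>/dev/null
}

count_files_in_gid() {  # count_files_in_gid ROOT GID
    files_in_gid "$1" "$2" | awk 'END { print NR }'
}

# After groupdel: files whose gid maps to no group name at all (ls shows the
# bare number for these). This is the post-deletion scan.
orphaned_group_files() {  # orphaned_group_files ROOT
    find "$1" -nogroup -print 2>/dev/null
}

# Move every file in OLD_GID under ROOT to NEW_GROUP, without following
# symbolic links (-h), so a link cannot redirect the change elsewhere.
regroup_files() {  # regroup_files ROOT OLD_GID NEW_GROUP
    find "$1" -group "$2" -exec chgrp -h "$3" {} +
}

# Demonstration on a constructed scratch tree (on a real system ROOT is /).
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/project/notes"
touch "$DEMO_ROOT/project/plan.txt" "$DEMO_ROOT/project/notes/todo.txt"
# Numeric gid of the tree (ls -n prints numbers even for nameless gids).
TREE_GID=$(ls -ldn "$DEMO_ROOT" | awk '{ print $4 }')

echo "Entries in gid $TREE_GID under $DEMO_ROOT:"
files_in_gid "$DEMO_ROOT" "$TREE_GID"
echo "Orphaned entries: $(orphaned_group_files "$DEMO_ROOT" | awk 'END { print NR }')"
# Reassigning to the same gid is a no-op here; on a real system NEW_GROUP is
# the replacement group the administrator has chosen.
regroup_files "$DEMO_ROOT" "$TREE_GID" "$TREE_GID"
```

The scratch tree contains five entries (the root, two directories and two files), all in the tree's gid, so the count is 5 before and after the no-op reassignment.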
Administering a group
A seldom-used facility exists for managing a group using a special group administrator. The most common use of this facility is for sharing data between users on a project. It makes use of the group password when shadow passwords are being used. It proceeds like this:
This facility can be used in conjunction with set-gid permissions to share data in a directory between group members:
This same facility can be provided using default ACLs, as we discussed early in the course.
Preview question: How many user accounts exist on your Linux system? How can you distinguish a user account from a system account? Can you find any accounts whose last field in /etc/passwd is the nologin command? What do you think this means?
This page was made entirely with free software on Linux: the Mozilla Project and Openoffice.org