
Group_management

Linux group management is essential for controlling access to files, directories, and system resources. Groups allow system administrators to organize users and apply consistent permissions across multiple accounts. This chapter covers creating, modifying, and deleting groups, managing group membership, and understanding group-related configuration files. Mastery of group management is fundamental for Linux system administration and is frequently tested in DevOps and SRE interviews.


GROUP TYPES IN LINUX

Primary Group (Default Group)
- Assigned at user creation
- Stored in /etc/passwd (GID field)
- Every user has exactly one primary group
- Also called "login group"
- Files created get this group as default

Supplementary Groups (Additional Groups)
- User can belong to multiple groups
- Stored in /etc/group
- Used for granting shared access
- Permissions checked via all group memberships

System Groups
- GID < 1000 (typically)
- Created for system services
- Not typically assigned to users
- Examples: root, sudo, adm, daemon, bin
GROUP CONFIGURATION FILES

/etc/group format:
    group_name:password:GID:member_list

  Example: sudo:x:27:admin,user1,user2
    - sudo               Group name
    - x                  Password placeholder (the hash, if any, is stored in /etc/gshadow)
    - 27                 Group ID (GID)
    - admin,user1,user2  Comma-separated list of supplementary members

/etc/gshadow format:
    group_name:password:admin_list:member_list

  Example: sudo:*:admin:user1,user2
    - sudo               Group name
    - *                  Encrypted password, or * / ! for no usable password (locked)
    - admin              Administrators (can modify membership with gpasswd)
    - user1,user2        Members (comma-separated)

Related files:
    /etc/passwd  - User information (includes primary GID)
    /etc/sudoers - sudo privileges
    /etc/skel/   - Skeleton files for new users
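As an added example (not part of this chapter), the shell functions below parse the two file formats above from constructed sample copies and answer the questions an auditor asks of them: who is in a privileged group beyond an allowlist, which groups still carry a usable group password in /etc/gshadow, and which groups exist in one file but not the other. The sample users, hash and directory are constructed; on a real host point the functions at /etc/group and /etc/gshadow as root.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/group and /etc/gshadow.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:alice,mallory
adm:x:4:alice
developers:x:1500:alice,bob
legacy:x:1600:carol
EOF
cat > "$SAMPLE_DIR/gshadow" <<'EOF'
root:*::
sudo:*::alice,mallory
adm:*::alice
developers:$6$constructed$notarealhash::alice,bob
EOF

# Field 4 of group_name:password:GID:member_list, one member per line.
group_members() {   # group_members GROUPFILE GROUP
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Groups whose gshadow password field is a real hash rather than "!", "*" or empty.
# A hash means anyone who knows the password can newgrp into the group, so flag it.
groups_with_password() {   # groups_with_password GSHADOWFILE
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Group names present in only one of the two files (grpck reports the same drift).
unsynced_groups() {   # unsynced_groups GROUPFILE GSHADOWFILE
    { cut -d: -f1 "$1"; cut -d: -f1 "$2"; } | sort | uniq -u
}

# Members of a group that are not on the space-separated allowlist.
unexpected_members() {   # unexpected_members GROUPFILE GROUP "allowed users"
    group_members "$1" "$2" | while read -r u; do
        case " $3 " in *" $u "*) ;; *) echo "$u" ;; esac
    done
}

unexpected_members "$SAMPLE_DIR/group" sudo "root alice"   # prints mallory
groups_with_password "$SAMPLE_DIR/gshadow"                  # prints developers
unsynced_groups "$SAMPLE_DIR/group" "$SAMPLE_DIR/gshadow"   # prints legacy
```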

# ============================================================
# GROUP CREATION COMMANDS
# ============================================================
# Create a new group
groupadd developers
# Create with specific GID
groupadd -g 1500 qa_team
# Create system group (low GID)
groupadd -r system_group
# Create group with a pre-hashed password (rarely used; -p expects the already-encrypted string, not plaintext)
groupadd -p encrypted_password developers
# Override the login.defs GID range for this one invocation
groupadd -K GID_MIN=2000 -K GID_MAX=3000 developers
# Verify creation
grep developers /etc/group
getent group developers
# Create group with group password (using gpasswd later)
groupadd admin_group
gpasswd admin_group # Set password
# ============================================================
# MODIFYING GROUPS
# ============================================================
# Rename a group (syntax: groupmod -n NEW_NAME OLD_NAME)
groupmod -n new_name old_name
# Change GID
groupmod -g 2000 developers
# Change GID and rename in one step (developers becomes dev_team)
groupmod -g 2000 -n dev_team developers
# Set group password
gpasswd developers
# Add group administrator
gpasswd -A user1 developers
# Remove group administrator
gpasswd -A "" developers
# Add/remove members
gpasswd -a user1 developers # Add member
gpasswd -d user1 developers # Remove member
# Add multiple members
gpasswd -M user1,user2,user3 developers
# Remove the group password, or restrict the group so that only members can newgrp into it
gpasswd -r developers # Remove password (non-members can no longer join with a password)
gpasswd -R developers # Restrict: password field set to "!", newgrp works for members only
# View group info
getent group developers
# ============================================================
# DELETING GROUPS
# ============================================================
# Delete a group (groupdel refuses if the group is any user's primary group)
groupdel developers
# Force delete even if it is a primary group (dangerous: files keep an orphaned
# numeric GID and the affected users are left with a dangling primary group)
groupdel -f developers
# Verify deletion
grep developers /etc/group
getent group developers
# Note: without -f, first change the user's primary group (usermod -g) or delete
# the user, then delete the group
# ============================================================
# GROUP MEMBERSHIP MANAGEMENT
# ============================================================
# Add user to group (usermod -aG is preferred)
usermod -aG developers user1
# Add user to multiple groups
usermod -aG developers,qa,testers user1
# Remove user from group
gpasswd -d user1 developers
# Set group's members (overwrites existing)
gpasswd -M user1,user2 developers
# View user's groups
id user1
groups user1
# View all members of a group
getent group developers
grep developers /etc/group
# Switch the current shell's effective group (non-members are prompted for the group password, if one is set)
newgrp developers
# List all groups on system
getent group
cat /etc/group
# List the current user's groups (primary and supplementary)
id
id -nG
groups

# ============================================================
# PRACTICAL EXAMPLE: DEVELOPMENT TEAM SETUP
# ============================================================
# Step 1: Create department groups
groupadd -f engineering
groupadd -f development
groupadd -f qa
groupadd -f devops
# Step 2: Create role-based groups
groupadd -g 2000 lead_developers
groupadd -g 2001 junior_developers
groupadd -g 2002 qa_engineers
groupadd -g 2003 sre_team
# Step 3: Create project groups
groupadd -g 3000 project_alpha
groupadd -g 3001 project_beta
# Step 4: Set up group administrators
gpasswd -A alice lead_developers
gpasswd -A bob sre_team
# Step 5: Add members to groups
# Engineering lead
usermod -aG engineering,development,lead_developers,project_alpha alice
# Junior developers
usermod -aG development,junior_developers,project_alpha charlie
usermod -aG development,junior_developers,project_beta david
# QA Engineers
usermod -aG qa,qa_engineers eve
usermod -aG qa,qa_engineers,project_alpha frank
# SRE Team
usermod -aG devops,sre_team,project_alpha,project_beta grace
# Step 6: Set up shared directories
mkdir -p /project/alpha
mkdir -p /project/beta
mkdir -p /shared/engineering
mkdir -p /shared/qa
# Step 7: Set group ownership
chown :project_alpha /project/alpha
chown :project_beta /project/beta
chown :engineering /shared/engineering
chown :qa /shared/qa
# Step 8: Set permissions
chmod 2775 /project/alpha # SetGID for new files
chmod 2775 /project/beta
chmod 2770 /shared/engineering
chmod 2770 /shared/qa
# ============================================================
# GROUP-BASED ACCESS CONTROL
# ============================================================
# Create groups for different access levels
groupadd finance_readonly
groupadd finance_write
groupadd finance_admin
# Set up finance directory structure
mkdir -p /finance/{reports,transactions,archive}
# Set group ownership
chown :finance_readonly /finance/reports
chown :finance_write /finance/transactions
chown :finance_admin /finance/archive
# Set permissions (read-only, read-write, admin-only); others get no access in all three
chmod 750 /finance/reports # group: r-x (list and read only)
chmod 770 /finance/transactions # group: rwx (full access)
chmod 770 /finance/archive # owner and finance_admin only (700 would lock the group out too)
# Add users to appropriate groups
usermod -aG finance_readonly user1
usermod -aG finance_write user2
usermod -aG finance_admin user3
# Set default group for new files
chmod g+s /finance/transactions # SetGID bit
# Set default permissions (via umask in /etc/profile)
# umask 027 means 750 for directories, 640 for files

# ============================================================
# SETGID AND SETUID FOR GROUP SHARING
# ============================================================
# SetGID (set group ID) on directory
chmod g+s /shared/project
# New files inherit group ownership
# SetGID example with directory
ls -ld /shared/project
# drwxr-sr-x 2 root developers 4096 ... /shared/project
# Verify SetGID is set (look for 's' in the group execute position)
# -rwsr-xr-x = SetUID (user execute position)
# -rwxr-sr-x = SetGID (group execute position)
# drwxrwxrwt = Sticky bit on a directory (others execute position)
# Create new file in SetGID directory
touch /shared/project/test.txt
ls -la /shared/project/test.txt
# -rw-r--r-- 1 user1 developers ... /shared/project/test.txt
# Note: group is 'developers', not user's primary group
# Remove SetGID
chmod g-s /shared/project
# SetGID on an executable (rarely needed: the program then runs with the file's group,
# so keep such binaries to a minimum and audit them)
chmod g+s /usr/bin/application
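An added check (example code, not the chapter's own) for the shared directories set up in the practical example and the SetGID section above: it verifies the setgid bit, the group owner and that others have no access, and lists entries whose group does not match the directory's group, which is exactly what you find when files were created before g+s was set or were moved in from elsewhere. The demo directory is constructed under a temp path and your own primary group so it runs without root.

```shell
#!/bin/sh
# audit_shared_dir DIR GROUP -> returns 0 when clean, 1 with each finding printed.
audit_shared_dir() {
    dir=$1 grp=$2 rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # 1. setgid bit: without it new files take the creator's primary group, not $grp
    [ -g "$dir" ] || { echo "setgid not set: $dir"; rc=1; }
    # 2. group owner: find prints the path only when the group matches
    [ -n "$(find "$dir" -maxdepth 0 -group "$grp")" ] || { echo "group owner is not $grp: $dir"; rc=1; }
    # 3. a team-private directory (chmod 2770) must give others no access at all
    [ "$(ls -ld "$dir" | cut -c8-10)" = "---" ] || { echo "accessible to others: $dir"; rc=1; }
    # 4. entries below that carry another group (created before g+s, or moved in)
    strays=$(find "$dir" -mindepth 1 ! -group "$grp")
    [ -z "$strays" ] || { printf 'entries not owned by group %s:\n%s\n' "$grp" "$strays"; rc=1; }
    return "$rc"
}

# Constructed demo directory under the caller's own primary group.
DEMO_DIR=$(mktemp -d)/project
DEMO_GROUP=$(id -gn)
mkdir -p "$DEMO_DIR" && chmod 2770 "$DEMO_DIR" && touch "$DEMO_DIR/notes.txt"
if audit_shared_dir "$DEMO_DIR" "$DEMO_GROUP"; then echo "clean: $DEMO_DIR"; fi
```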
# ============================================================
# GROUP PASSWORDS AND NEWGRP
# ============================================================
# Set group password
gpasswd developers
# Enter password for group 'developers'
# Members can join group without password
newgrp developers
# Non-members need password
newgrp developers
# Password: (prompted)
# Group administrator can change password
gpasswd -r developers # Remove password
gpasswd -R developers # Lock group
# View the group entry (the password field shows only x; the real state is in /etc/gshadow)
getent group developers
# Check if user is member
getent group developers | grep username

# ============================================================
# GROUP TROUBLESHOOTING
# ============================================================
# User can't access group files
# Check: Is user in the group?
id username
groups username
getent group groupname
# User was just added - need to re-login
# Or use: newgrp groupname (for current shell)
# Group doesn't exist but user says they're in it
grep groupname /etc/group
getent group groupname
# "User is already a member"
usermod -aG groupname username
# Error: user 'username' is already a member of 'groupname'
# Cannot delete group - it's someone's primary group
# List the groups that are currently some user's primary group
getent passwd | awk -F: '{print $4}' | sort -u | \
while read -r gid; do getent group "$gid" 2>/dev/null; done
# Find users whose primary GID is a given value (replace 1005 with the GID in question)
getent passwd | awk -F: -v gid=1005 '$4 == gid {print $1}'
# Files owned by deleted group
# Files will have orphaned GID (numeric)
find / -gid 1005 -ls # Find files with old GID
chown :newgroup file # Fix ownership
# Check group membership issues
# Nested groups (groups within groups) are not supported by the local /etc/group database
# Solution: flatten the membership yourself, grant the access through sudo rules, or manage
# groups in a directory service (e.g. LDAP) that resolves nesting for you
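The troubleshooting checks above, as added example code (not from this chapter), done from the account databases rather than by eye: which users hold a GID as primary group (the reason groupdel refuses), which primary GIDs no longer exist in /etc/group after a forced delete, and a user's effective group list as id shows it after a fresh login. Constructed sample files stand in for /etc/passwd and /etc/group; pass the real paths on a live host.

```shell
#!/bin/sh
# Constructed sample databases; user names, UIDs and GIDs are made up.
DB_DIR=$(mktemp -d)
cat > "$DB_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1500:Bob:/home/bob:/bin/bash
carol:x:1003:1600:Carol:/home/carol:/bin/bash
dave:x:1004:1500:Dave:/home/dave:/bin/bash
EOF
cat > "$DB_DIR/group" <<'EOF'
root:x:0:
alice:x:1001:
developers:x:1500:alice,carol
qa:x:1510:bob
EOF

# Users whose primary GID (passwd field 4) equals GID: these block a plain groupdel.
primary_group_users() {   # primary_group_users PASSWDFILE GID
    awk -F: -v gid="$2" '$4 == gid { print $1 }' "$1"
}

# Primary GIDs referenced in passwd that have no entry in group (e.g. after groupdel -f).
# The group file is read first (FNR == NR) so its GIDs are known before passwd is scanned.
dangling_primary_gids() {   # dangling_primary_gids PASSWDFILE GROUPFILE
    awk -F: 'FNR == NR { known[$3] = 1; next }
             !($4 in known) && !seen[$4]++ { print $4 }' "$2" "$1"
}

# Primary group name (numeric if the group no longer exists) followed by the
# supplementary groups, i.e. what `id -nG` reports once the user logs in again.
effective_groups() {   # effective_groups PASSWDFILE GROUPFILE USER
    awk -F: -v u="$3" '
        FNR == NR { if ($1 == u) pgid = $4; next }
        { name[$3] = $1
          n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1 }
        END { if (pgid == "") exit 1
              p = (pgid in name) ? name[pgid] : pgid
              printf "%s%s\n", p, supp }' "$1" "$2"
}

primary_group_users "$DB_DIR/passwd" 1500                 # bob, dave
dangling_primary_gids "$DB_DIR/passwd" "$DB_DIR/group"    # 1600
effective_groups "$DB_DIR/passwd" "$DB_DIR/group" carol   # 1600 developers
```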

GROUP MANAGEMENT INTERVIEW QUESTIONS

Q1: What is the difference between primary and supplementary groups?
A1:
- Primary Group:
  - Assigned at user creation
  - Stored in /etc/passwd (4th field - GID)
  - Every user has exactly one primary group
  - Files created get this group by default
- Supplementary Groups:
  - Additional group memberships
  - Stored in /etc/group
  - User can belong to multiple supplementary groups
  - Permissions checked for all groups user belongs to

Q2: How do you add a user to multiple groups?
A2:
usermod -aG group1,group2,group3 username
Note: -a (append) is critical! Without it, -G replaces the user's whole supplementary group list.
Alternative: gpasswd -a username group

Q3: What happens when you delete a group that is someone's primary?
A3:
- You CANNOT delete a group if it's someone's primary group
- Error: "cannot remove primary group's entry from /etc/group"
Solution:
1. Change user's primary group first: usermod -g newgroup username
2. Or delete the user first
3. Then delete the group

Q4: What is the purpose of SetGID on a directory?
A4:
- Files created in the directory inherit the directory's group
- Useful for shared project directories
- Instead of user's primary group, files get the shared group
- Set with: chmod g+s directory
- Check with: ls -ld directory (shows 's' in the group execute position)

Q5: How do group passwords work in Linux?
A5:
- Group passwords are stored in /etc/gshadow
- Allow non-members to join group with password
- Accessed via 'newgrp' command
- Group admins can set/change password with gpasswd
- Passwords are rarely used in practice (use sudo instead)

Q6: What is the maximum number of groups a user can belong to?
A6:
- Historically: 16 (NGROUPS_MAX in older kernels)
- Modern Linux: Much higher, typically 65536
- Check: getconf NGROUPS_MAX
- However, practical limit is lower due to group list in process

Q7: Explain the /etc/group file format.
A7:
group_name:password:GID:member_list
- group_name: Name of the group
- password: x (password stored in /etc/gshadow), or * or empty
- GID: Numeric group ID
- member_list: Comma-separated list of supplementary members

Q8: How do you troubleshoot "permission denied" for group access?
A8:
1. Check user's groups: id username
2. Verify user is member: getent group groupname
3. Check file permissions: ls -la file
4. Verify group ownership: ls -lg file
5. Check effective permissions: user needs to be member to use group
6. For new membership: user must login again or use newgrp
7. Check SELinux/AppArmor if enabled

Q9: What are system groups and how are they different?
A9:
- System groups have GID < 1000 (typically)
- Created for system services (root, sudo, adm, daemon, etc.)
- Not typically assigned to regular users
- Used for security and process ownership
- Can be created with: groupadd -r groupname

Q10: What is the difference between gpasswd and usermod for adding users to groups?
A10:
- usermod -aG: Adds user to supplementary groups (recommended)
  - Modifies /etc/group
  - Persistent change
  - Use for permanent membership
- gpasswd -a: Also adds members (alternative method)
  - Can set group password
  - Can set group administrators
  - Works for both membership and password management
Both modify /etc/group. usermod is simpler for basic membership.

# Create group
groupadd developers
groupadd -g 1500 qa_team
groupadd -r system_group
# Modify group
groupmod -n newname oldname # Rename (new name first, then the existing group)
groupmod -g 2000 groupname
# Delete group
groupdel groupname
# Add/remove members
usermod -aG groupname username
gpasswd -a username groupname
gpasswd -d username groupname
# Set members (overwrite)
gpasswd -M user1,user2 groupname
# Group password
gpasswd groupname
# View group info
getent group groupname
id username
groups username
# Switch group
newgrp groupname

  • Primary Group: User’s default group in /etc/passwd
  • Supplementary Groups: Additional memberships in /etc/group
  • Commands: groupadd, groupmod, groupdel, gpasswd, usermod
  • Files: /etc/group, /etc/gshadow
  • SetGID: Inherits group ownership for new files
  • Group Passwords: Rarely used, stored in /etc/gshadow

Chapter 8: File Permissions and Ownership


Last Updated: February 2026