Table of Contents
Understanding Linux Groups in Practice
Groups let you manage permissions for sets of users at once. In this chapter, you’ll work with the actual tools and files used to manage groups on a Linux system and see how they interact with users and permissions.
Types of Groups and Common Use Cases
Linux mainly distinguishes:
- Primary group
- Every user has exactly one primary group.
- Usually has the same name and ID as the user (on modern desktop/server distros).
- Files created by the user typically inherit this primary group.
- Supplementary (secondary) groups
- A user can be a member of many supplementary groups.
- Used to grant additional access (e.g.
docker,sudo,audio,video).
Typical use cases:
- Access to shared directories
- Example: a
projectxgroup so only project team members can read/write/srv/projectx. - Access to system resources
- Audio devices:
audio - Serial/USB devices:
dialout,plugdev - Administrative tasks:
sudo,wheel - Separation by department/function
dev,ops,finance,hretc. for internal company structures.
Inspecting Group Information
Viewing Group Definitions
Groups are primarily defined in /etc/group. To view all groups:
cat /etc/groupExample lines:
root:x:0:
sudo:x:27:alice,bob
developers:x:1001:alice,carolFields are colon-separated:
- Group name (
sudo) - Password placeholder (
xor empty; usually not used directly) - Group ID (GID) (
27) - Comma-separated list of members (
alice,bob)
To print a specific group:
getent group developers
getent is preferable on systems using LDAP/SSSD/other directory services because it shows all configured sources, not only /etc/group.
Checking Group Membership for a User
To see groups for the current user:
groupsFor a specific user:
groups alice
id alice
id shows both user and group IDs, including primary group and supplementary groups.
Example:
id aliceOutput:
uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo),1001(developers)gid=1000→ primary groupgroups=...→ primary + supplementary groups
Creating and Removing Groups
Creating a Group
Use groupadd:
sudo groupadd developersTo specify a particular GID:
sudo groupadd -g 1050 qaUseful options (may vary slightly by distro):
-g GID— explicit group ID-r— create a system group (low GID, typically non-login/service-related)
Example:
sudo groupadd -r backupDeleting a Group
Use groupdel:
sudo groupdel developersNotes:
- This does not remove files owned by that group; they will still have the old GID (which may later be reused).
- Ensure no essential processes or services depend on that group before deleting it.
To find files using a group before deletion:
sudo find / -group developers 2>/dev/nullModifying Existing Groups
Changing Group Name
Use groupmod:
sudo groupmod -n devteam developers-n new_name— new group name.
Check result:
getent group devteamChanging GID
sudo groupmod -g 1055 devteamAfter changing GID, you should update file ownerships that still use the old GID:
sudo find / -gid 1001 -exec chgrp -h 1055 {} +Or using the new name:
sudo find / -group devteam -exec chgrp -h devteam {} +Use with care, especially on multi-user systems or production servers.
Adding and Removing Users from Groups
Managing membership is the most common group administration task.
Adding an Existing User to a Group
Using usermod:
sudo usermod -aG developers aliceExplanation:
-a— append (without this, existing supplementary groups are replaced).-G— list of supplementary groups.
Always include -a when modifying secondary groups for an existing user.
You can add to multiple groups at once:
sudo usermod -aG sudo,developers,qa aliceSetting the Primary Group
To change a user’s primary group:
sudo usermod -g devteam aliceNotes:
- This does not automatically change group ownership of existing files.
- Newly created files by
alicewill usedevteamas their group (subject to directorysetgidbehavior).
Remove User From a Group (Safe Method)
Because forgetting -a with usermod is dangerous, many admins prefer using gpasswd or direct editing.
With gpasswd:
sudo gpasswd -d alice developers-d USER GROUP— remove user from supplementary group.
On some systems, you can also use deluser:
sudo deluser alice developers(Availability and syntax vary by distro.)
Effective Membership vs. Group Changes
- Group changes typically apply only to new login sessions.
- If you add a user to
dockerorsudo, they often need to: - Log out and log in again, or
- Restart their SSH session, or
- Use
newgrp(see below) to change active group in an existing shell.
Managing Group Membership Interactively with `gpasswd`
gpasswd is the traditional tool for administratively managing /etc/group.
Common uses:
- Add user to group:
sudo gpasswd -a alice developers- Remove user from group:
sudo gpasswd -d alice developers- Set an administrative user for a group:
sudo gpasswd -A adminuser developers- Set the list of members explicitly:
sudo gpasswd -M alice,carol developers
On modern systems, group passwords and group admins are rarely used, but you might still encounter gpasswd in documentation or legacy scripts.
Temporary Group Changes with `newgrp`
newgrp allows you to start a new shell with a different effective primary group.
Examples:
newgrp developersNow:
- Your primary group in this shell is
developers. - New files you create will be owned by group
developers(subject to directory permissions).
You can return to your original primary group with:
exitUse cases:
- When collaborating in a shared group directory with specific
umask/setgidsettings. - To immediately take advantage of new group membership without logging out entirely (though this is limited compared to fully re-logging in).
Working with Group-Specific Access
Once groups are created and users are assigned, you typically use file and directory permissions to enforce access. Here we focus on group-related aspects.
Setting Group Ownership
To change the group of a file or directory:
sudo chgrp developers /srv/projectxRecursively:
sudo chgrp -R developers /srv/projectx
Combine with chmod to assign group access:
sudo chmod -R 770 /srv/projectxHere:
- Owner + group: full access.
- Others: no access.
Ensuring New Files Belong to the Group (setgid on Directories)
On shared directories, you often want all new files to be owned by the same group. You can use the setgid bit on a directory:
sudo chgrp -R developers /srv/projectx
sudo chmod g+s /srv/projectxNow:
- Files created in
/srv/projectxinherit the directory’s group (developers) instead of the creator’s primary group. - Useful for collaborative workspaces.
You can see the s in directory permissions:
ls -ld /srv/projectxExample:
drwxrws--- 5 root developers 4096 ... /srv/projectxsin the group part (rws) indicates setgid is set for the directory.
Group-Based Shared Directories: A Typical Pattern
A common pattern for team collaboration:
sudo groupadd projectx
sudo mkdir /srv/projectx
sudo chgrp projectx /srv/projectx
sudo chmod 2770 /srv/projectx
sudo usermod -aG projectx alice
sudo usermod -aG projectx bobExplanation:
2770→2sets setgid on the directory,770isrwxrwx---.- All files created there will belong to group
projectx. - Only members of
projectx(and root) can access it.
System vs Regular Groups
Most distros reserve a range of low GIDs for system groups used by services and daemons. You’ll see many such groups in /etc/group, for example:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,alice
lp:x:7:
mail:x:8:
www-data:x:33:Guidelines:
- Avoid using low-numbered GIDs for human users/groups.
- Don’t remove or rename system groups you don’t fully understand.
- Use higher GIDs (automatically chosen by
groupadd) for user groups.
Script-Friendly Group Management
On servers and in automation, you’ll often need idempotent operations (safe to run repeatedly).
Examples:
Ensure Group Exists
if ! getent group developers >/dev/null; then
sudo groupadd developers
fiEnsure User Is in a Group
if ! id -nG alice | grep -qw developers; then
sudo usermod -aG developers alice
fiThese patterns are useful in shell scripts, provisioning tools, or when manually hardening/setting up a system.
Troubleshooting Group-Related Issues
Common problems and how to investigate them:
- User still doesn’t have expected access after being added to a group
- Confirm membership:
id alice- Ensure they logged out and back in (or restarted SSH).
- Check the directory/file permissions:
ls -ld /path/to/resource- Permissions look correct, but access is denied
- Check for:
- Other permission constraints (ACLs, SELinux/AppArmor).
- Wrong group assigned to the resource.
- Use
namei -l /path/to/resourceto inspect permission on each path component. - User lost access after running
usermod -G -Gwithout-aoverwrote all supplementary groups.- Compare with another similar user, or check history.
- Re-add the user to required groups.
- Files show numeric GIDs instead of names
- The group was deleted or not known to the system.
- Check
/etc/groupandgetent group. - Recreate the group with the same GID if needed:
sudo groupadd -g 1001 developersSummary of Key Commands
Quick reference:
- View groups:
getent groupgetent group NAMEid USERgroups USER- Create/delete groups:
sudo groupadd NAMEsudo groupdel NAME- Modify group:
sudo groupmod -n NEWNAME OLDNAMEsudo groupmod -g NEWGID NAME- Manage membership:
sudo usermod -aG GROUP USERsudo gpasswd -a USER GROUPsudo gpasswd -d USER GROUP- Work with group-based permissions:
chgrp [ -R ] GROUP PATHchmod g+s DIR(setgid on directory)
Mastering these tools lets you build clean, maintainable permission structures and avoid many common security and access problems on multi-user Linux systems.