
Linux Add User to Group Example

In this tutorial we will see how to add users to groups in Linux, looking at the different possibilities (existing or non-existing users), and taking into account also the different types of groups users can belong to (primary and secondary groups).

For this example, Linux Mint 17.03 has been used.

1. How groups are organized

Linux defines groups in the file /etc/group. If we open it, we will see many rows like the following:

adm:x:4:syslog,julen

Each row follows this format:

group_name:password:gid:user1,user2,...,userN
  • The group_name is the name we give to the group when we create it with groupadd.
  • The password is optional. In practice, it is almost never used.
  • The gid (group identifier) is the numerical identifier that each group has.
  • Finally, the members of the group are listed.

It is possible to modify this file manually, but it is also dangerous, since the file can become corrupt. A tool called grpck is available for checking the integrity of this file; to use it, just execute it with sudo permissions. If the file is correct, no message will be shown. In any case, modifying the file manually is not recommended.

It is necessary to know that Linux distinguishes two types of groups for a user: the primary group and the secondary groups. The primary group is the one used when the user creates files and directories. Let’s suppose that we have a user named john_doe, whose primary group is developers, but who is also enrolled in a group called testers. Every file created by him:

touch foo

Will be created with developers as the owner group:

-rw-r--r-- 1 john_doe developers 0 jul 27 12:03 foo

To see which groups a user belongs to, we can use the groups command, specifying the user name:

groups <username>

Which will return an output with the following format:

<username> : <primary_group> [<secondary_group1> ... <secondary_groupN>]

That is, the primary group will be the first in the list (or the only one, if the user does not belong to any other group).
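
An added example, not part of the original tutorial: /etc/group lists only the users for whom a group is secondary, while users who have it as their primary group appear only through the gid field of /etc/passwd. The group_members function below (a hypothetical helper, run here on constructed sample files) combines both sources, which is what an audit of a privileged group such as sudo or adm needs.

```bash
#!/usr/bin/env bash
# Added example: every account in a group, from group(5)/passwd(5) style files.
# Usage: group_members GROUP [GROUP_FILE] [PASSWD_FILE]
group_members() {
    local group="$1" group_file="${2:-/etc/group}" passwd_file="${3:-/etc/passwd}"
    local line gid members
    # Exact match on field 1; keep the gid (field 3) and member list (field 4).
    line=$(awk -F: -v g="$group" '$1 == g { print $3 ":" $4; exit }' "$group_file")
    [ -n "$line" ] || return 1          # no such group
    gid="${line%%:*}"
    members="${line#*:}"
    {
        # Secondary members: the comma-separated fourth field.
        printf '%s\n' "$members" | tr ',' '\n'
        # Primary members: passwd entries whose gid (field 4) is this group.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sed '/^$/d' | LC_ALL=C sort -u | paste -sd' ' -
}

# Constructed sample data (not taken from a real system).
write_sample() {
    cat > "$1/group" <<'EOF'
adm:x:4:syslog,julen
sudo:x:27:julen
julen:x:1000:
developers:x:1001:
testers:x:1002:john_doe
EOF
    cat > "$1/passwd" <<'EOF'
julen:x:1000:1000::/home/julen:/bin/bash
john_doe:x:1001:1001::/home/john_doe:/bin/bash
jane_roe:x:1002:27::/home/jane_roe:/bin/bash
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp"
for g in developers sudo; do
    printf '%s: %s\n' "$g" "$(group_members "$g" "$tmp/group" "$tmp/passwd")"
done
rm -rf "$tmp"
```

In the sample, jane_roe has sudo as primary group and john_doe has developers as primary group, so neither name appears on the corresponding /etc/group row.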

2. Non-existing users

When we create a new user with useradd, we can specify its group(s), so we can create a user and assign groups to it with a single command.

2.1. Primary group

The primary group is configured with the -g (--gid) option. For example, to create a john_doe user with the developers group as primary, we would have to type:

sudo useradd john_doe -g developers

(Remember to always assign a password to each new user, with the passwd command.)

We can check that it has been created as expected, using the groups command:

groups john_doe

Which would return:

john_doe : developers

2.1.1. Changing default configuration of primary group assignment

If no primary group is specified, the assignment of the primary group will depend on the configuration defined in /etc/login.defs. If the variable USERGROUPS_ENAB is set to yes, the primary group of the user will be a new group with the same name as the username. If the variable is set to no, the primary group of the user will be the one specified in /etc/default/useradd, in the GROUP variable.

So, if we want every user created in the future to have a specific group as primary, e.g., developers, we first have to edit the /etc/login.defs file:

USERGROUPS_ENAB no

The second and last step is to specify the group in the /etc/default/useradd file:

GROUP=developers

2.2. Secondary groups

The option for assigning secondary groups to the user that is going to be created is -G (--groups), specifying the list of groups separated by commas, without whitespace. For example:

sudo useradd john_doe -G developers,testers

This would create the john_doe user with developers and testers as secondary groups, so that groups john_doe would show:

john_doe : john_doe developers testers

3. Existing users

The usermod command, as its name suggests, is for modifying users in all their facets, including their groups.

For the modification of groups, it works exactly as with useradd: -g for modifying the primary group, and -G for the secondary ones.

3.1. Primary group

Changing the primary group of an existing user is pretty simple: we just have to use the -g option of usermod, as mentioned before:

sudo usermod john_doe -g developers # Now primary group of 'john_doe' is 'developers'.

The manual of usermod warns about changing the primary group of a user:

Any file from the user’s home directory owned by the previous primary group of the user will be owned by this new group.

The group ownership of files outside of the user’s home directory must be fixed manually.

This manual fix for the whole disk can be easily done with find. Let’s suppose that we have changed john_doe user’s primary group from john_doe to developers, and that we want to change the group owner of every affected file to the new group. We could execute the following:

sudo find / -group john_doe -exec chgrp developers {} \;

This finds every file in / and its subdirectories (i.e., the whole disk) that has john_doe as group owner, and executes a chgrp for each result to change the group owner to developers.
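
An added example, not from the original tutorial: a more cautious form of the command above. chgrp changes the target of a symbolic link unless -h is given, and a search from / also walks /proc, /sys and other mounted filesystems unless -xdev is used; regroup is a hypothetical helper name, and with -xdev it has to be run once per local filesystem.

```bash
#!/usr/bin/env bash
# Added example: list first, then change, without following symlinks.
# Usage: regroup ROOT OLD_GROUP NEW_GROUP [--apply]
#   Without --apply nothing is modified; the matching paths are only printed.
regroup() {
    local root="$1" old="$2" new="$3" mode="${4:-}"
    if [ "$mode" != "--apply" ]; then
        # -xdev: stay on ROOT's filesystem (skips /proc, /sys, other mounts).
        find "$root" -xdev -group "$old" -print
        return
    fi
    # find does not follow symlinks, so a link is matched on its own group.
    # chgrp would change the file the link points to unless -h is given;
    # with -h the change stays on the link itself.
    # "{} +" passes many paths to each chgrp call instead of one per file.
    find "$root" -xdev -group "$old" -exec chgrp -h -- "$new" {} +
}

# For the case in the text, as root:
#   regroup / john_doe developers            # review the list
#   regroup / john_doe developers --apply    # then change the group
```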

3.2. Secondary groups

Let’s suppose that we have a john_doe user with the following output for groups:

john_doe : john_doe

Now, we want to assign some groups, developers and testers, to the existing john_doe user. We would just have to execute the usermod command with the -G option, specifying the groups:

sudo usermod john_doe -G developers,testers

If we now check the groups with groups, we will see:

john_doe : john_doe developers testers

According to the manual of usermod, this is what happens when using the -G option:

[…] If the user is currently a member of a group which is not listed, the user will be removed from the group. This behavior can be changed via the -a option, which appends the user to the current supplementary group list.

In the previous case, we can see that the group john_doe already belonged to has not disappeared, but this is only because it was the primary group. Note that, with the current groups for john_doe, running the following:

sudo usermod john_doe -G another_group

would remove john_doe from the developers and testers groups:

john_doe : john_doe another_group

To append groups, use the -a (--append) option, as the manual suggests.
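
An added example, not from the original tutorial: a check to run before usermod -G, reporting the secondary groups that the new list would drop. groups_lost and check_usermod_G are hypothetical helper names; the input is the line printed by groups <username>, in the format shown in this section.

```bash
#!/usr/bin/env bash
# Added example: which groups would `usermod -G NEW_LIST` silently remove?
# Usage: groups_lost GROUPS_LINE NEW_LIST
#   GROUPS_LINE  one line as printed by `groups <user>`:
#                "<user> : <primary> <secondary1> ... <secondaryN>"
#   NEW_LIST     the comma-separated value intended for -G
groups_lost() {
    local current="${1#*:}" new=",$2," g lost="" first=1
    for g in $current; do
        # The first name is the primary group; -G never touches it.
        if [ "$first" -eq 1 ]; then first=0; continue; fi
        case "$new" in
            *",$g,"*) ;;                        # still listed: kept
            *) lost="$lost${lost:+ }$g" ;;      # not listed: removed
        esac
    done
    printf '%s\n' "$lost"
}

# Usage: check_usermod_G USER NEW_LIST [GROUPS_LINE]
# Returns 0 when plain -G loses nothing, 1 (with a message) otherwise.
# GROUPS_LINE defaults to the live output of `groups USER`.
check_usermod_G() {
    local user="$1" new="$2" line="${3:-}" lost
    [ -n "$line" ] || line=$(groups "$user") || return 2
    lost=$(groups_lost "$line" "$new")
    [ -z "$lost" ] && return 0
    echo "usermod -G $new would remove $user from: $lost" >&2
    echo "to keep them, run: usermod -a -G $new $user" >&2
    return 1
}

# The case from the text, with the groups line passed in explicitly:
check_usermod_G john_doe another_group \
    "john_doe : john_doe developers testers" || true
```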

4. Giving users sudo permissions

Users are given sudo permissions simply by being added to the sudo group. So, the only thing we have to do is add the users to the sudo group, in the same way we have seen throughout this example:

sudo useradd john_doe -G sudo    # At creation time.
sudo usermod john_doe -G sudo -a # For existing user.

5. Summary

This example has shown how to add users to groups, for both non-existing, and already existing users, taking into account also the differences between the primary group and the secondary ones, considering also the side effects of a primary group change, and proposing an easy fix to them.
