How to manage groups on Linux

Groups are an essential part of how discretionary access control (DAC) is implemented on Linux and, in general, on any Unix-based operating system. The creation, modification, and removal of groups are relatively straightforward operations which can be carried out using some utilities installed by default.

In this tutorial we learn how to create, modify and delete groups on Linux, using the groupadd, groupmod and groupdel utilities.

In this tutorial you will learn:

  • How to create a group on Linux using groupadd
  • How to check which users are members of a group
  • How to modify a group using groupmod
  • How to delete a group using groupdel
How to manage groups on Linux – Original image by storyset on Freepik
Software Requirements and Linux Command Line Conventions

| Category | Requirements, Conventions or Software Version Used |
| --- | --- |
| System | Distribution agnostic |
| Software | groupadd, groupmod, groupdel |
| Other | Root privileges |
| Conventions | # – requires given linux-commands to be executed with root privileges either directly as a root user or by use of sudo command; $ – requires given linux-commands to be executed as a regular non-privileged user |

Primary vs supplementary groups

Before we see how to create, modify and delete groups on Linux, we should clarify the difference between primary and supplementary/additional groups, and why it exists. Nowadays, practically all Linux distributions adopt the UPG (User Private Group) policy: each time a user is added to the system, it becomes a member of a group named after it, which is created automatically: this is the user’s primary group. All the files created by a user belong to it and its primary group.



The adoption of this policy makes possible the usage of a umask of 002, which makes sure directories are created with mode 775 and files with mode 664: this grants reading and writing permissions on them both to the user and the group they belong to, and, together with the use of the setgid bit, simplifies setting up shared directories for collaboration.

As we said, the primary group of a user is automatically created when the user is added to the system. Additional groups can be easily created, modified and deleted using the “groupadd”, “groupmod” and “groupdel” utilities. Let’s see how.

Creating a group

In order to create a group on Linux we use the groupadd utility. The syntax of the command is very simple: in the most basic case, we just pass the name of the group we want to create as argument. Suppose, for example, we want to create a new group called “linuxconfig”. We would run:

$ sudo groupadd linuxconfig

An entry for the newly created group is added to the /etc/group file:

linuxconfig:x:1001:

Each entry in /etc/group has 4 fields: the first one contains the group name, the second the group password (most of the time passwords are not used for groups, therefore this field is empty); the third field contains the GID (the Group ID – 1001 in this case), and the fourth hosts the comma-separated list of the group members (if the group is the primary group of a user, said user is not listed in this field).
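Because a user is not listed in the fourth field of its own primary group, auditing who really belongs to a group means reading /etc/group and /etc/passwd together. The following is an added example, not part of the original tutorial; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective membership of a group, combining the member list
# in /etc/group (field 4) with accounts that have the group as primary GID.

# group_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints "user<TAB>primary|supplementary"; exit status 2 if GROUP is unknown.
group_members() {
    awk -F: -v grp="$1" '
        # First file (group database): name:password:GID:member,member,...
        FNR == NR {
            if ($1 == grp) { gid = $3; n = split($4, listed, ","); found = 1 }
            next
        }
        # Second file (passwd database): field 4 is the primary GID.
        found && $4 == gid { print $1 "\tprimary" }
        END {
            if (!found) exit 2
            for (i = 1; i <= n; i++) print listed[i] "\tsupplementary"
        }
    ' "${2:-/etc/group}" "${3:-/etc/passwd}"
}

# Constructed sample databases modelled on the entries shown in this tutorial.
write_sample_db() {
    printf '%s\n' 'linuxconfig:x:1001:' 'tim:x:1002:' 'foo:x:1003:' \
                  'bar:x:1004:' 'tux:x:1006:foo,bar,tim' > "$1/group"
    printf '%s\n' 'tim:x:1002:1002::/home/tim:/bin/bash' \
                  'foo:x:1003:1003::/home/foo:/bin/bash' \
                  'bar:x:1004:1004::/home/bar:/bin/bash' > "$1/passwd"
}

sample=$(mktemp -d)
write_sample_db "$sample"
for g in tim tux linuxconfig; do
    echo "== $g"
    group_members "$g" "$sample/group" "$sample/passwd"
done
rm -rf "$sample"
```

Called without file arguments it reads /etc/group and /etc/passwd directly, so accounts that come from LDAP or another NSS source are not included.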

Manually assigning the Group ID (GID)

A GID is automatically assigned to a group when it is created. The default policy is to assign the group the lowest available GID. The range of GIDs which can be assigned to non-system groups is defined in the /etc/login.defs file, via the GID_MIN and GID_MAX variables. The value of the former is usually 1000, while the latter is generally set to 60000:

$ grep -E "^GID_(MIN|MAX)" /etc/login.defs
GID_MIN                  1000
GID_MAX                 60000



If we want to provide a specific GID when creating a group, we can invoke “groupadd” with the -g (--gid) option, passing the numeric ID we want to use as argument. In the example below, we create a new group called “tux” and manually assign it 1002 as GID:

$ sudo groupadd -g 1002 tux

Creating a system group

On Unix-based systems, and therefore also on Linux, we distinguish between system and non-system groups, just like we do for users. System groups are not intrinsically different from normal groups: the difference is that they are assigned GIDs from a different range, and they are mainly used for system services. To create a system group, we use “groupadd” with the -r option (short for --system):

$ sudo groupadd -r tux

The range of GIDs automatically assigned to system groups is defined via the SYS_GID_MIN and SYS_GID_MAX variables:

$ grep -E "^SYS_GID_(MIN|MAX)" /etc/login.defs
SYS_GID_MIN               201
SYS_GID_MAX               999

Populating the group on creation

When we create a group, we can specify which users should be part of it. All we have to do is use the -U (--users) option and pass a comma-separated list of usernames as argument; for the command to succeed, the specified users must exist. Just as an example, to create the “tux” group and add the “foo” and “bar” users as members, we would run:

$ sudo groupadd -U foo,bar tux

Modifying a group

To modify the definition of a group, we use the groupmod utility, and we use it similarly to groupadd. Let’s see some examples.

Changing the GID of a group

In order to change the GID of a group, we invoke the groupmod utility with the -g option, passing the new GID we want to use as its argument. To change the GID of the “tux” group to 1006, for example, we would run:

$ sudo groupmod -g 1006 tux

When we change the GID of a group which is used as the primary group of a user, that user’s definition is updated accordingly. Suppose, for example, we created a user called “tim”, whose primary group is “tim”; both the “tim” user and “tim” group have been assigned an ID of 1002:

$ grep tim /etc/group
tim:x:1002:

$ grep tim /etc/passwd
tim:x:1002:1002::/home/tim:/bin/bash

If we change the GID of the “tim” group, to, say, 1003, the definition of the user is automatically updated:

# We change the GID of the "tim" group to 1003
$ sudo groupmod -g 1003 tim

# Verify the user entry has been updated
$ grep tim /etc/passwd
tim:x:1002:1003::/home/tim:/bin/bash

Files associated with the old group GID, however, must be manually updated to reflect the change.
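One way to carry out that manual update, shown as an added example that is not part of the original tutorial: list everything still carrying the old numeric GID, review the list, then re-run with “apply” to hand the files to the group by name. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: after `groupmod -g` changes a GID, files on disk still carry
# the old numeric GID. List them first, then hand them to the group by name.

# regroup_files DIR OLD_GID GROUP [apply]
# Default is a dry run that prints the affected paths; "apply" runs chgrp.
regroup_files() {
    dir=$1; old_gid=$2; group=$3; mode=${4:-dry-run}
    # -xdev stays on one filesystem. POSIX find treats a numeric -group
    # argument as a GID when no group has that name.
    if [ "$mode" = apply ]; then
        # chgrp -h changes a symlink itself instead of following it.
        find "$dir" -xdev -group "$old_gid" -exec chgrp -h "$group" {} +
    else
        find "$dir" -xdev -group "$old_gid" -print
    fi
}

# gid_of PATH: numeric GID of PATH, read from `ls -n` output (field 4).
gid_of() {
    ls -ldn "$1" | awk '{ print $4 }'
}

# Constructed demo tree: a directory, a file in a subdirectory and a symlink.
make_demo_tree() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/sub"
    : > "$tree/sub/report.txt"
    ln -s sub/report.txt "$tree/latest"
    printf '%s\n' "$tree"
}

demo=$(make_demo_tree)
echo "Would re-own (dry run, GID $(gid_of "$demo")):"
regroup_files "$demo" "$(gid_of "$demo")" tux
rm -rf "$demo"
```

For the change made above this would be `regroup_files / 1002 tim` to review and `sudo sh -c` with the `apply` argument to commit, repeated for each mounted filesystem because of -xdev.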

Changing the group name

To change the name of a group, the procedure is similar: we simply use the -n option which accepts the new group name as argument. Supposing we want to rename the “tux” group to “bar”, we would run:

$ sudo groupmod -n bar tux

Changing the members of the group

To redefine the members of a group, we use the -U option the same way we did when using the “groupadd” utility. Notice that when this option is used, existing members will be removed from the group if they are not explicitly specified in the list.

Deleting a group

In case we want to delete a group, we need to use the groupdel utility. To delete a group, we just pass its name as argument:

$ sudo groupdel tux

If the group we try to remove is the primary group of a user, the command will fail. In the next example, we try to remove the “tim” group, which is the primary group of the “tim” user:

$ sudo groupdel tim
groupdel: cannot remove the primary group of user 'tim'



I cannot see a reasonable case in which it would be useful to remove the primary group of a user: when a user is deleted, its primary group is deleted with it, unless it has no other members (and it really shouldn’t). If, for some reason, we still want to remove the primary group, however, the command can be forced by using the -f (--force) option:

$ sudo groupdel -f tim

After such an operation is performed, the user will still be associated with the GID of the deleted primary group. To remove this association, we need to assign a new primary group to the user. We can do it by running the following command, where NEW_GROUP stands for the name of an existing group:

$ sudo usermod -g NEW_GROUP tim
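The leftover association described above can be detected by comparing the two databases: any account whose primary GID has no entry in /etc/group is in this state, and a group created later with that GID would become the user’s primary group without any further change. This is an added example, not part of the original tutorial; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: find accounts left pointing at a GID that no longer has a
# group entry, the state `groupdel -f` leaves behind.

# orphaned_primary_gids [PASSWD_FILE] [GROUP_FILE]
# Prints "user:gid" for every account whose primary GID is not defined.
orphaned_primary_gids() {
    awk -F: '
        FNR == NR { defined[$3] = 1; next }    # group file: remember each GID
        !($4 in defined) { print $1 ":" $4 }   # passwd file: GID has no group
    ' "${2:-/etc/group}" "${1:-/etc/passwd}"
}

# Constructed sample: state after `groupmod -g 1003 tim` and `groupdel -f tim`.
write_after_force_delete() {
    printf '%s\n' 'root:x:0:' 'linuxconfig:x:1001:' > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'tim:x:1002:1003::/home/tim:/bin/bash' > "$1/passwd"
}

state=$(mktemp -d)
write_after_force_delete "$state"
orphaned_primary_gids "$state/passwd" "$state/group"
rm -rf "$state"
```

On a live system `pwck -r` reports the same condition among its other checks.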

If we remove a group which is not used as a primary group for any user, and it has members, those members are automatically removed from that group.

Conclusions

In this tutorial we learned the difference between primary and additional groups on Linux. We saw how to add a group and how to list its members, how to modify it and how to remove it using the groupadd, groupmod and groupdel utilities, respectively. A group can also be managed “manually”, by directly modifying the /etc/group file, using the “vigr” utility: we discussed this in a previous tutorial.


