Chapter 21. Editing user groups using the command line

A user belongs to a certain set of groups that allow a logical collection of users with a similar access to files and folders. You can edit the primary and supplementary user groups from the command line to change the user’s permissions.

21.1. Primary and supplementary user groups

A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.

On Linux, user groups can act as primary or supplementary. Primary and supplementary groups have the following properties:

Primary group
  • Every user has just one primary group at all times.
  • You can change the user’s primary group.
Supplementary groups
  • You can add an existing user to an existing supplementary group to manage users with the same security and access privileges within the group.
  • Users can be members of zero or multiple supplementary groups.

21.2. Listing the primary and supplementary groups of a user

You can list the groups of users to see which primary and supplementary groups they belong to.

Procedure

  • Display the names of the primary and any supplementary group of a user:

    $ groups user-name

    Replace user-name with the name of the user. If you do not provide a user name, the command displays the group membership for the current user. The first group is the primary group followed by the optional supplementary groups.

    Example 21.1. Listing of groups for user sarah:

    $ groups sarah

    The output displays:

    sarah : sarah wheel developer

    User sarah has a primary group sarah and is a member of supplementary groups wheel and developer.

    Example 21.2. Listing of groups for user marc:

    $ groups marc

    The output displays:

    marc : marc

    User marc has only a primary group marc and no supplementary groups.

21.3. Changing the primary group of a user

You can change the primary group of an existing user to a new group.

Prerequisites:

  1. root access
  2. The new group must exist

Procedure

  • Change the primary group of a user:

    # usermod -g group-name user-name

    Replace group-name with the name of the new primary group, and replace user-name with the name of the user.

    Note

    When you change a user’s primary group, the command also automatically changes the group ownership of all files in the user’s home directory to the new primary group. You must fix the group ownership of files outside of the user’s home directory manually.

    Example 21.3. Example of changing the primary group of a user:

    If the user sarah belongs to the primary group sarah1, and you want to change the primary group of the user to sarah2, use:

    # usermod -g sarah2 sarah

Verification steps

  • Verify that you changed the primary group of the user:

    $ groups sarah

    The output displays:

    sarah : sarah2

21.4. Adding a user to a supplementary group from the command line

You can add a user to a supplementary group to manage permissions or enable access to certain files or devices.

Prerequisites

  • root access

Procedure

  • To add a group to the supplementary groups of the user, use:

    # usermod --append -G group-name username

    Replace group-name with the name of the group, and replace username with the name of the user.

    Example 21.4. Adding a user to a supplementary group

    To add the user sysadmin to the group system-administrators, use:

    # usermod --append -G system-administrators sysadmin

Verification steps

  • To verify the new groups is added to the supplementary groups of the user sysadmin, use:

    # groups sysadmin

    The output displays:

    sysadmin : sysadmin system-administrators

21.5. Removing a user from a supplementary group

You can remove an existing user from a supplementary group to limit their permissions or access to files and devices.

Prerequisites

  • root access

Procedure

  • Remove a user from a supplementary group:

    # gpasswd -d user-name group-name

    Replace user-name with the name of the user, and replace group-name with the name of the supplementary group.

    Example 21.5. Removing user from a supplementary group

    If the user sarah has a primary group sarah2, and belongs to the secondary groups wheel and developers, and you want to remove that user from the group developers, use:

    # gpasswd -d sarah developers

Verification steps

  • Verify that you removed the user sarah from the secondary group developers:

    $ groups sarah

    The output displays:

    sarah : sarah2 wheel

21.6. Changing all of the supplementary groups of a user

You can overwrite the list of supplementary groups that you want the user to remain a member of.

Prerequisites

  • root access
  • The supplementary groups must exist

Procedure

  • Overwrite a list of user’s supplementary groups:

    # usermod -G group-names username

    Replace group-names with the name of one or more supplementary groups. To add the user to several supplementary groups at once, separate the group names using commas and no intervening spaces. For example: wheel,developer.

    Replace user-name with the name of the user.

    Important

    If the user is currently a member of a group that you do not specify, the command removes the user from the group.

    Example 21.6. Changing the list of supplementary groups of a user

    If the user sarah has a primary group sarah2, and belongs to the supplementary group wheel, and you want the user to belong to three more supplementary groups developer, sysadmin, and security, use:

    # usermod -G wheel,developer,sysadmin,security sarah

Verification steps

  • Verify that you set the list of the supplementary groups correct:

    # groups sarah

    The output displays:

    sarah : sarah2 wheel developer sysadmin security