in general:

when changing the group membership of a user, that user needs to log in again before the changes take effect

Public and Private groups

CentOS / Red Hat / Debian 8 / Ubuntu / Raspbian use a private group scheme where, for every new user, a group with the same name is created.

If we create a user named bob then a corresponding group also named bob is created with the user bob as the only member.

(ownership of the user's newly created home directory will be set to bob:bob (in general: username:username))

SUSE 12 uses a public group scheme where all newly created users belong to a group called "users".

(ownership of the user's newly created home directory will be set to bob:users (in general: username:users))

If you are using a Red Hat style distribution with private groups, the -N switch of useradd disables the private group for that user; the user will then belong to the normal users group instead.

For example:

useradd -N joe : will create the user joe as a member of the users group

useradd joe : will create the user and the group joe

Without the -N option Red Hat systems use private groups; -N means "No User Group".

By default, on all distributions, users are allowed to cd into the home directories of other users and list all files there.

(no read, no write, just the filenames; but that "meta" data alone can be very informative)

# if you do not want this try:
chmod 700 /home/*

# so far no problems with those settings
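An added check for the point above (example code, not from the original post): it classifies each home directory by what other users can do with it, before and after the chmod 700 step. It assumes GNU stat on Linux; the home directories are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original post: classify each home directory
# under a base directory by what *other* users can do with it. r+x for "other"
# lets anyone cd in and list file names, x alone lets them traverse to known
# paths but not list, and 700 locks them out entirely.
# Assumes GNU stat (Linux); the sample directories are constructed below.
home_exposure() {
    base="$1"
    for d in "$base"/*/; do
        d="${d%/}"
        mode=$(stat -c '%a' "$d")
        other=$(( mode % 10 ))            # last octal digit = "other" bits
        if [ $(( other & 5 )) -eq 5 ]; then
            state="listable"              # r+x: can cd in and see file names
        elif [ $(( other & 1 )) -eq 1 ]; then
            state="traversable"           # x only: no directory listing
        else
            state="locked"                # no access for other users
        fi
        printf '%s %s %s\n' "$mode" "$state" "$(basename "$d")"
    done
}

# Constructed sample: three home directories with typical modes.
sample_homes() {
    tmp=$(mktemp -d)
    mkdir "$tmp/alice" "$tmp/bob" "$tmp/carol"
    chmod 755 "$tmp/alice"
    chmod 711 "$tmp/bob"
    chmod 700 "$tmp/carol"
    echo "$tmp"
}

# Number of homes whose file names other users can list.
count_listable() { home_exposure "$1" | grep -c ' listable ' || true; }

base=$(sample_homes)
home_exposure "$base"             # alice listable, bob traversable, carol locked
chmod 700 "$base"/*               # the hardening step from the post
home_exposure "$base"             # now all three are locked
rm -rf "$base"
```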

show all existing groups:

# list all groups of the system
cat /etc/group

show groups of the currently logged-in user

user@suse:~> groups
users

user@suse:~> id
uid=1000(user) gid=100(users) Gruppen=100(users)

user@debian:~$ groups
user cdrom floppy audio dip video plugdev netdev

user@debian:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

[user@centos ~]$ groups
user

[user@centos ~]$ id
uid=1000(user) gid=1000(user) Gruppen=1000(user) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

add user to group

usermod -a -G users user; # add user "user" to group "users"

usermod -a -G sudo bob; # allows user bob to run processes with root-privileges temporarily

show default primary group

this is the group that new files created by the user will automatically be owned by (the default primary group of that user).

id -gn; # show default primary group

usermod -g primarygroupname username; # change default primary group

the default primary group setting is stored in /etc/passwd

right after the UserID (1000) you will find the GroupID (121) of the primary group.

root@Debian8:/home/user# cat /etc/passwd|grep user
user:x:1000:121:user,,,:/home/user:/bin/bash

cat /etc/group|grep 121
lightdm:x:121:
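A more precise way to do the lookup above, added here as an example (not from the original post): it joins the gid field of passwd to the gid field of group with an exact match, so it cannot be fooled the way "grep 121" can by a gid such as 1121. The passwd and group contents are constructed samples mirroring the page's Debian example.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve a user's default
# primary group by joining field 4 of passwd to field 3 of group with an
# exact comparison. "cat /etc/passwd|grep user" and "grep 121" also match any
# line that merely contains those characters (see gid 1121 in the sample).
# Works on the real files (defaults) or on copies passed as arguments.
primary_group() {
    user="$1"; passwd_file="${2:-/etc/passwd}"; group_file="${3:-/etc/group}"
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    [ -n "$gid" ] || { echo "no such user: $user" >&2; return 1; }
    name=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
    printf '%s:%s\n' "$gid" "${name:-<unknown>}"   # <unknown>: gid has no group entry
}

# Constructed sample files mirroring the Debian example above (user -> gid 121).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
user:x:1000:121:user,,,:/home/user:/bin/bash
other:x:1001:1001:other,,,:/home/other:/bin/bash
orphan:x:1002:9999:orphan,,,:/home/orphan:/bin/bash'
GROUP_SAMPLE='root:x:0:
users:x:100:
lightdm:x:121:
other:x:1001:
alt121:x:1121:'

demo_primary_group() {
    pw=$(mktemp); gr=$(mktemp)
    printf '%s\n' "$PASSWD_SAMPLE" > "$pw"
    printf '%s\n' "$GROUP_SAMPLE" > "$gr"
    primary_group "$1" "$pw" "$gr"
    rc=$?
    rm -f "$pw" "$gr"
    return $rc
}

demo_primary_group user      # 121:lightdm, as in the page's example
demo_primary_group orphan    # 9999:<unknown>, a dangling gid worth fixing
```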

create new group – add new group to the system

groupadd GROUP_NAME

rename group

groupmod --new-name NEW_GROUP_NAME OLD_GROUP_NAME

delete group

groupdel GROUP_NAME

add user to group

# this should work across Debian/Ubuntu/CentOS/RedHat

usermod -a -G GROUPNAME USERNAME;

# example:
usermod -a -G test user;

[root@centos ~]# groups user; # list all groups of user
user : user test

# alternatively:

[root@centos ~]# su - user; # change roles from root to user
[user@centos ~]$ groups; # checkout groups of that user, now user "user" belongs to group "test"
user test

# alternative (Debian/Ubuntu only; on CentOS/Red Hat adduser is just an alias of useradd)
adduser USERNAME GROUPNAME; # add the user to the group

remove user from group

gpasswd -d user group;

config file /etc/gshadow

The /etc/gshadow file is readable only by the root user and contains an encrypted password for each group, as well as group membership and administrator information.

Just as in the /etc/group file, each group’s information is on a separate line.

Each of these lines is a colon-delimited list including the following information:

  • Group name — The name of the group. Used by various utility programs as a human-readable identifier for the group.
  • Encrypted password — The encrypted password for the group. If set, non-members of the group can join the group by typing the password for that group using the newgrp command. If the value of this field is !, then no user is allowed to access the group using the newgrp command. A value of !! is treated the same as a value of ! — however, it also indicates that a password has never been set before. If the value is null, only group members can log into the group.
  • Group administrators — Group members listed here (in a comma delimited list) can add or remove group members using the gpasswd command.
  • Group members — Group members listed here (in a comma delimited list) are regular, non-administrative members of the group.

Here is an example line from /etc/gshadow:

groupname:!!:administrator1,administrator2,administrator3:member1,member2,juan,bob

src: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Introduction_To_System_Administration/s3-acctsgrps-gshadow.html

setting passwords for groups

just as with user accounts, you can "log in" to a group, i.e. temporarily become a member of a certain group.

holy moly, this feature does not seem to be used a lot 😀 and, according to the unix philosophy, maybe it should be removed.

I could think of one use case: certain groups may be allowed access to certain services.

sudo: group members may run commands as root.

lpadmin: group members may set up / modify / delete printers in the CUPS printing system.

so with gpasswd you can assign a password to a group, and only users who know this password can modify printers…

example test drive:

suse:~ # gpasswd test; # set a password for the group "test"
Passwort für die Gruppe test wird geändert.
Neues Passwort:
Passwort wiederholen:

user@suse:~> groups; # show current group membership, only 2 groups
named users
user@suse:~> newgrp test; # login to group "test"
Passwort:
user@suse:~> groups; # show current group membership, now 3 groups, try this under windows HOLY MOLY :-D
test named users
user@suse:~> exit; # logout of current group or bash or account
exit
user@suse:~> groups; # show current group membership, only 2 groups again
named users

manpages:

suse manpage newgrp: newgrp.man.txt

admin