when changing groups for users the user needs to re-login to activate the changes
Public and Private groups
CentOS / Red Hat / Debian8 / UBuntu / Raspbian, use a private group scheme where for every new user a group is created with the same name.
If we create a user named bob then a corresponding group also named bob is created with the user bob as the only member.
(ownership of user’s newly created home directory will be set bob:bob (in general: username:username))
SUSE12 use a public group system where newly created users all belong to a group called “users”.
(ownership of user’s newly created home directory will be set bob:users (in general: username:users))
If you using a Red Hat style distribution with private groups then using the -N switch with useradd will disable the private group for that user and they will belong to the normal users group.
useradd -N joe : will create the user joe as a member of the users group
useradd joe : will create the user and the group joe
Without the -N option Red Hat systems use private groups, -N meaning “No User Group”
Per default on all distributions – users are allowed to cd into the home of others and list all files.
(no read no write just filenames “meta” data can be very informative)
# if you do not want this try: chmod 700 /home/* # so far no problems with those settings
show all existing groups:
# list all groups of the system cat /etc/group
show groups of current logged in user
user@suse:~> groups users user@suse:~> id uid=1000(user) gid=100(users) Gruppen=100(users) user@debian:~$ groups user cdrom floppy audio dip video plugdev netdev user@debian:~$ id uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev) [user@centos ~]$ groups user [user@centos ~]$ id uid=1000(user) gid=1000(user) Gruppen=1000(user) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
add user to group
usermod -a -G users user; # add user "user" to group "users" usermod -a -G sudo bob; # allows user bob to run processes with root-privileges temporarily
show default primary group
this is the group – that when new files are created under the user – will automatically be owned by this default-primary-group of that user.
id -gn; # show default primary group usermod -g primarygroupname username; # change default primary group
the default primary group setting is stored in /etc/passwd
right after the UserID (1000) you will find the GroupID (121) of the primary group.
root@Debian8:/home/user# cat /etc/passwd|grep user user:x:1000:121:user,,,:/home/user:/bin/bash cat /etc/group|grep 121 lightdm:x:121:
create new group – add new group to the system
groupmod --new-name NEW_GROUP_NAME OLD_GROUP_NAME
add user to group
# this should work across Debian/Ubuntu/CentOS/RedHat usermod -a -G GROUPNAME USERNAME; # example: usermod -a -G test user; [root@centos ~]# groups user; # list all groups of user user : user test # alternatively: [root@centos ~]# su - user; # change roles from root to user [user@centos ~]$ groups; # checkout groups of that user, now user "user" belongs to group "test" user test # alternative adduser group; # add username to the group
remove user from group
gpasswd -d user group;
config file file /etc/gshadow
The /etc/gshadow file is readable only by the root user and contains an encrypted password for each group, as well as group membership and administrator information.
Just as in the /etc/group file, each group’s information is on a separate line.
Each of these lines is a colon delimited list including the following information:
- Group name — The name of the group. Used by various utility programs as a human-readable identifier for the group.Encrypted password — The encrypted password for the group. If set, non-members of the group can join the group by typing the password for that group using the newgrp command.If the value of this field is !, then no user is allowed to access the group using the newgrp command.A value of !! is treated the same as a value of ! — however, it also indicates that a password has never been set before. If the value is null, only group members can log into the group.
- Group administrators — Group members listed here (in a comma delimited list) can add or remove group members using the gpasswd command.
- Group members — Group members listed here (in a comma delimited list) are regular, non-administrative members of the group.
Here is an example line from /etc/gshadow:
setting passwords for groups
just as with user accounts – you can “login” – become temporary member of a certain group.
i could think of one usecase – certain groups may have access allowed for certain services.
sudo – group members may run comands as root.
lpadmin – group members may setup / modify / delete printers in the CUPS printing system.
so with gpasswd you can asign a password to a group and only users that know this password can modify printers…
example test drive:
suse:~ # gpasswd test; # set a password for the group "test" Passwort für die Gruppe test wird geändert. Neues Passwort: Passwort wiederholen: user@suse:~> groups; # show current group membership, only 2x groups named users user@suse:~> newgrp test; # login to group "test" Passwort: user@suse:~> groups; # show current group membership, only 3x groups, try this under windows HOLY MOLY :-D test named users user@suse:~> exit; # logout of current group or bash or account exit user@suse:~> groups; # show current group membership, only 2x groups again named users
suse manpage newgrp: newgrp.man.txt