Managing Linux Users and Groups Effectively
Linux is a multi-user operating system where multiple users can run processes simultaneously. Groups provide a mechanism to efficiently manage permissions for collections of users without having to set individual permissions for each account.
What are user groups?
A user group is a collection of user accounts that can be assigned permissions as a unit. This simplifies administration significantly — instead of granting access to individual users, an admin grants access to a group, and all members automatically receive those permissions.
Every Linux user belongs to at least one primary group (usually created with the same name as the user). Users can also be added to additional secondary groups. This is especially useful for managing elevated privileges: the sudo group (Debian/Ubuntu), wheel group (Fedora/RHEL/CentOS/Rocky), or doas group (on systems using doas instead of sudo) determines which users can run privileged commands.
Managing groups
List all groups
To see all groups on the system:
$ cat /etc/group
Or use getent, which queries every group source configured in /etc/nsswitch.conf (for example LDAP or SSSD), not only the local file:
$ getent group
To see groups a specific user belongs to:
$ id username
# or
$ groups username
Create a group
# groupadd groupname
To create a system group (typically for daemons, uses a lower GID):
# groupadd -r groupname
Delete a group
# groupdel groupname
Note: You cannot delete a group if it’s a user’s primary group. Remove or reassign that user first.
Delete a group and reassign its files
If you need to delete a group and transfer ownership of its files:
# find / -gid <gid> -exec chgrp -h newgroup {} \;
# groupdel groupname
Managing group membership
Add a user to a group
# usermod -aG groupname username
The -a flag (append) ensures you’re adding to existing groups, not replacing them. The -G flag specifies supplementary groups.
Alternative (older method, not recommended for multiple groups):
# gpasswd -a username groupname
Remove a user from a group
# gpasswd -d username groupname
Or using usermod to set specific groups:
# usermod -G group1,group2 username
This replaces all supplementary groups, so include all desired groups.
Remove all secondary groups from a user
To keep a user only in their primary group:
# usermod -G "" username
List members of a group
# getent group groupname
The output format is groupname:password:gid:user1,user2,user3. Note that members listed here are only users explicitly added to the group; users whose primary group is this group won’t appear.
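To see the users who have the group as their primary group, match its GID against the passwd database (together with the getent group output above, this gives all members, primary or secondary):
# getent passwd | awk -F: -v gid="$(getent group groupname | cut -d: -f3)" '$4 == gid {print $1}'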
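When auditing a privileged group such as sudo or wheel, the primary-group caveat above matters: an account can be in the group without being listed in the group entry. The following is an added example, not part of the original article; the function names group_members and demo and all sample accounts are constructed for illustration.

```shell
#!/bin/sh
# group_members GROUP [PASSWD_FILE] [GROUP_FILE]   (hypothetical helper)
# Prints every account in GROUP, sorted, one per line: the explicit members
# from the group entry plus accounts whose primary GID is the group's GID.
group_members() {
    awk -F: -v grp="$1" '
        # Pass 1, group database: remember the GID, print listed members.
        pass == 1 && $1 == grp {
            gid = $3; found = 1
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] != "") print members[i]
        }
        # Pass 2, passwd database: field 4 is the primary GID.
        pass == 2 && found && $4 == gid { print $1 }
    ' pass=1 "${3:-/etc/group}" pass=2 "${2:-/etc/passwd}" | sort -u
}

# Constructed sample databases (not from a real system). svc_backup is in
# "sudo" only through its primary GID, so the group entry does not list it.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/group" <<'EOF'
root:x:0:
sudo:x:27:alice,bob
projectteam:x:1005:alice
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:1002:27:Backup job:/var/backups:/usr/sbin/nologin
EOF
    group_members "$1" "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo sudo
```

On a host that resolves accounts through LDAP or SSSD, save the output of getent passwd and getent group to files and pass those instead of the local defaults.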
Switching groups at runtime
A user belonging to multiple groups can switch which group their new processes use.
View current group context
$ id
$ groups
Switch to a different group
$ newgrp groupname
This starts a new shell where your primary group context is groupname. Any files you create will be owned by this group. Exit the subshell with exit or Ctrl+d to return to your original group context.
Note: You can only switch to groups you’re already a member of.
Managing file group ownership
Find files owned by a group
# find /path -group groupname
Check file group ownership
$ stat /path/to/file
$ ls -l /path/to/file
$ stat -c "%U:%G %n" /path/to/file
Change file group ownership
$ chgrp groupname /path/to/file
Recursively change a directory and contents:
$ chgrp -R groupname /path/to/directory
The -R flag applies changes recursively. Use -h to affect symlinks themselves rather than their targets.
Practical use cases
Grant sudo access to a user:
# usermod -aG sudo username # Debian/Ubuntu
# usermod -aG wheel username # RHEL/Rocky/Fedora
Create a shared project directory:
# groupadd projectteam
# usermod -aG projectteam user1
# usermod -aG projectteam user2
# mkdir /srv/project
# chgrp projectteam /srv/project
# chmod g+rwx /srv/project
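Users in projectteam can now create and modify files in /srv/project (assuming the directory has appropriate group permissions). Note that new files get their creator's primary group, not projectteam, unless the setgid bit is set on the directory.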
Maintain group membership after adding a user:
Always use usermod -aG (append) rather than usermod -G alone, which overwrites all supplementary groups:
# Wrong - removes user from other groups
# usermod -G newgroup username
# Correct - adds to newgroup while keeping existing groups
# usermod -aG newgroup username
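Changes to group membership take effect the next time a user logs in. For the current session, users can use newgrp to activate a new group context. The same applies to removals: sessions and processes that are already running keep their old group list until they end.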
