Group Management
Groups let you assign permissions to multiple users at once. Instead of giving each developer access individually, add them to a developers group.
Understanding Groups
Every user has:
- Primary group - Created with the user (usually same name)
- Supplementary groups - Additional groups for access
Terminal
$groups
john sudo docker www-data
$groups alice
alice : alice developers
$id john
uid=1000(john) gid=1000(john) groups=1000(john),27(sudo),998(docker)
View All Groups
Terminal
$cat /etc/group | head -5
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,john
Format: groupname:password:GID:members
Create a Group
Terminal
$sudo groupadd developers
$getent group developers
developers:x:1002:
Add Users to Group
Terminal
$sudo usermod -aG developers alice
$sudo usermod -aG developers bob
$getent group developers
developers:x:1002:alice,bob
Log Out Required
Group changes don't take effect until the user logs out and back in. Or use newgrp groupname to activate immediately.
Remove User from Group
Terminal
$sudo gpasswd -d alice developers
Removing user alice from group developers
Or use deluser:
Terminal
$sudo deluser alice developers
Delete a Group
Terminal
$sudo groupdel oldgroup
You can't delete a group that's someone's primary group.
Change Primary Group
Terminal
$sudo usermod -g developers alice
$# alice's primary group is now developers
Common System Groups
| Group | Purpose |
|---|---|
sudo | Can use sudo |
docker | Can use Docker |
www-data | Web server access |
adm | Can read log files |
plugdev | Access to removable devices |
Practical: Project Team Setup
hljs bash
#!/bin/bash
# Set up a project with group-based permissions
PROJECT="webapp"
PROJECT_DIR="/var/www/$PROJECT"
# Create group
sudo groupadd "$PROJECT"
# Create project directory
sudo mkdir -p "$PROJECT_DIR"
sudo chown root:"$PROJECT" "$PROJECT_DIR"
sudo chmod 2775 "$PROJECT_DIR" # setgid bit
# Add developers
for user in alice bob charlie; do
sudo usermod -aG "$PROJECT" "$user"
done
echo "Project $PROJECT created at $PROJECT_DIR"
echo "Members can now create/edit files in the directory"
The 2775 permission:
2- setgid: new files inherit the group7- owner: full access7- group: full access5- others: read and execute
Terminal
$ls -la /var/www/webapp
drwxrwsr-x 2 root webapp 4096 Jan 14 10:30 .
$# The 's' means setgid is set
Checking Group Membership
Terminal
$# What groups am I in?
$groups
john sudo docker developers
$
$# Who's in a specific group?
$getent group docker
docker:x:998:john,alice
Knowledge Check
How do you safely add a user to a new group without removing existing groups?
Quick Reference
| Command | Purpose |
|---|---|
groupadd name | Create group |
groupdel name | Delete group |
usermod -aG group user | Add user to group |
gpasswd -d user group | Remove from group |
groups user | Show user's groups |
getent group name | Show group members |
Key Takeaways
- Groups organize permissions for multiple users
- Every user has one primary group, multiple supplementary
- Always use
-aGwhen adding to groups - Group changes require re-login to take effect
- Use setgid (2xxx) for shared directories
- Common groups: sudo, docker, www-data
Next: understanding sudo and privilege escalation.