User management in Linux and Unix systems often involves, among many other things, adding users to and removing them from pre-defined or custom user groups. User groups in Unix systems provide a smart and easy way to control permissions. Several functions and actions in the system are only accessible to users in a particular user group.
For example, users need to be members of the audio group to access and play audio through the sound card, and the cdrom group controls access to the CD-ROM drive. Super users or administrators need to be in the root group. There are several other groups, which can be customized to fine-tune security and user access on your systems.
In order to add, remove or modify the group access of a user, you need to be a super user or root. There are primarily two commands which can be used to manage user groups: useradd and usermod.
useradd is used to create a new user and assign groups to it, while usermod is used to change the groups of an existing user.
Creating a new user and assigning groups
To create a new user named bar and assign it to a set of groups named users, audio and cdrom, use the useradd command:
bash$ useradd -g users -G audio,cdrom bar
This will create a user named bar and assign it to the primary group users and to the supplemental or secondary groups audio and cdrom. To further explain the options:
-g (or --gid): this is the primary user group of the user. A user can have only one primary group.
-G (or --groups): this is a comma-separated list of secondary or supplementary groups that the user is a member of.
There are several other options for the useradd command which allow you to create a user home directory, specify the path to the user home, generate a password and so on. When the options are not specified, it creates the user using the default values set in the system configuration. The generic syntax of the command is:
bash$ useradd -g <primary group> -G <list of secondary groups> <username>
Add an existing user to a group
If you already have the user created in your system and you just want to modify the group assignment of the user, then you would use the usermod command. This command allows you to change the primary group of the user as well as add or remove the supplementary groups of the user.
To modify the primary group of a user named bar to a group named users:
bash$ usermod -g users bar
To modify the secondary user groups, use the usermod command with the -G option along with the -a option. The -a (or --append) option allows a new secondary user group to be appended to the current list of secondary groups already assigned. There are a couple of different scenarios in this case.
Adding a new group to the existing list of the user groups
To add the groups audio and cdrom to the list of pre-existing user groups for the user bar:
bash$ usermod -a -G audio,cdrom bar
Assign a set of new usergroups
bash$ usermod -G audio,cdrom bar
Executing this command without the -a option will remove the user from all the user groups (except the primary one) and then re-assign the user to just the specified list. This acts as a user group removal command for the user. There is no easy way to just remove a group from the user using the usermod command without specifying the entire secondary list of groups.
Delete a group assignment of the user
You can do this more efficiently with the gpasswd command (compared to usermod), which allows you to remove a single group from the list of assigned secondary groups of the user.
bash$ gpasswd -d bar audio
This will remove the user bar from the group audio.
List assigned groups
While assigning new groups or removing group assignments of the user, you should verify before and after the command that the usergroups have been assigned correctly. In order to view the current groups that a user is assigned to, you can use either the id or the groups command.
bash$ id bar
This will list all the groups that the user is a member of, along with the group IDs. It will also show you the primary group (as gid) of the user. A sample output is:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),19(cdrom),27(video),80(cdrw)
You can use the groups command if you prefer a much more concise output.
bash$ groups bar
This will list the same groups but without the extra information that the previous id command provides. The output will be something like:
root bin daemon sys adm disk wheel floppy cdrom dialout tape video cdrw
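The before-and-after check recommended above matters most for usermod -G without -a, which silently drops every secondary group not in the new list. The following is an added example, not part of the original article: a dry-run helper that reports which memberships such a command would remove. The function names groups_dropped and preview_usermod are hypothetical, and the sample input is constructed from the sample id output above.

```sh
#!/bin/sh
# Added example: preview what `usermod -G <list> <user>` (without -a) removes.
# Function names are hypothetical; only the real `id` command is called.

# groups_dropped CURRENT NEW PRIMARY
#   CURRENT  space-separated group names, as printed by `id -Gn <user>`
#   NEW      comma-separated list that would be given to usermod -G
#   PRIMARY  primary group name (`id -gn <user>`); -G never touches it
# Prints, on one line, the groups the user would lose.
groups_dropped() {
    current=$1 new=$2 primary=$3
    dropped=""
    for g in $current; do                 # intentional word splitting
        [ "$g" = "$primary" ] && continue
        case ",$new," in
            *",$g,"*) ;;                  # listed again: membership kept
            *) dropped="${dropped:+$dropped }$g" ;;
        esac
    done
    printf '%s\n' "$dropped"
}

# preview_usermod USER NEW
#   Reads the live membership with id and reports the effect.
#   Returns 0 if nothing is lost, 2 if memberships would be removed.
preview_usermod() {
    user=$1 new=$2
    current=$(id -Gn "$user") || return 1
    primary=$(id -gn "$user") || return 1
    lost=$(groups_dropped "$current" "$new" "$primary")
    if [ -n "$lost" ]; then
        echo "usermod -G $new $user would remove $user from: $lost"
        echo "to keep them: usermod -a -G $new $user"
        return 2
    fi
    echo "usermod -G $new $user removes no existing memberships"
}

# Constructed sample input: the group names from the sample id output above.
SAMPLE="root bin daemon sys adm disk wheel floppy cdrom video cdrw"
groups_dropped "$SAMPLE" "audio,cdrom" "root"
# prints: bin daemon sys adm disk wheel floppy video cdrw
```

On a live system, preview_usermod bar audio,cdrom can be run before the change and id bar after it to confirm the result.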