Local Groups and Group Memberships

Create, delete, and modify local groups and group memberships

CIS126RH | RHEL System Administration 1
Mesa Community College

Groups are the mechanism by which Linux grants shared access to files and resources. Every file has a group owner, and the group's read, write, or execute bits determine what group members can do with that file. Administrators create groups to organise users — a developers group owns shared project directories; a wheel group grants sudo access. The commands groupadd, groupmod, groupdel, and gpasswd manage groups; usermod -aG manages memberships. All are tested on the RHCSA exam.

Learning Objectives

  1. Explain the Linux group model — Describe primary and supplementary groups, GIDs, the /etc/group and /etc/gshadow files, and how group membership affects file access
  2. Create and delete groups — Use groupadd to create groups with specific GIDs and groupdel to remove groups that are no longer needed
  3. Modify groups and manage memberships — Use groupmod to rename groups or change GIDs, and usermod -aG and gpasswd to add and remove users from groups
  4. Verify group configuration — Use id, groups, getent group, and cat /etc/group to confirm group existence and membership

The Linux Group Model

Every user has exactly one primary group and zero or more supplementary groups. Both types affect file access, but they are managed differently.

  • Primary group — defined in /etc/passwd field 4; new files the user creates are owned by this group; changed with usermod -g
  • Supplementary groups — listed in /etc/group; grant additional access; changed with usermod -aG or gpasswd -a
  • A user's supplementary group list is loaded at login; a membership added later with usermod -aG is invisible to already-running sessions until the user logs in again or runs newgrp GROUPNAME, which starts a subshell that has it
  • Groups are identified by a GID (Group IDentifier) — an integer the kernel uses for access control
Primary group vs supplementary group

When alice creates a file, it is owned by her primary group (usually alice). If alice is in the developers supplementary group, she can access files owned by developers — but new files she creates are still owned by alice unless she uses newgrp or the directory has the setgid bit set.

/etc/group: The Group Database

Every local group is defined in /etc/group — one line per group, four colon-separated fields.

# View /etc/group
$ cat /etc/group
root:x:0:
wheel:x:10:alice,bob
developers:x:1600:alice,carol
staff:x:1601:
alice:x:1001:

# Format: groupname:password:GID:member_list
#  1         2        3    4
# Field 1: group name
# Field 2: password placeholder (x = the group password, if any, lives in /etc/gshadow)
# Field 3: GID (Group IDentifier)
# Field 4: comma-separated list of supplementary members

# Query a specific group
$ getent group developers
developers:x:1600:alice,carol

# Find which groups list alice as a supplementary member
$ grep -w alice /etc/group
wheel:x:10:alice,bob
developers:x:1600:alice,carol
alice:x:1001:
# The last line matches on the group NAME, not on the member list: grep
# cannot show primary membership. Use id alice for the authoritative view.

Creating Groups: groupadd

# Create a group with the next available GID (GID_MIN and up, from /etc/login.defs)
$ sudo groupadd developers

# Or create it with a specific GID (an alternative to the command above;
# the name must not already exist)
$ sudo groupadd -g 1600 developers

# Create a system group (GID < 1000)
$ sudo groupadd -r appgroup

# Create a group and immediately verify
$ sudo groupadd -g 1601 staff
$ getent group staff
staff:x:1601:

# List all groups in the system
$ getent group | sort -t: -k3 -n   # sorted by GID

# Check if a group already exists before creating
$ getent group developers
# No output = group does not exist → safe to create
# Output returned = group exists already
Check before creating — groupadd fails if the name or GID exists

groupadd returns an error if the group name or requested GID is already in use. Run getent group GROUPNAME first to confirm the group does not exist before running groupadd.

Deleting Groups: groupdel

# Delete a group
$ sudo groupdel staff

# Verify the group is removed
$ getent group staff
# No output = group successfully deleted

# groupdel fails if the group is the primary group of any user
$ sudo groupdel alice
groupdel: cannot remove the primary group of user 'alice'

# To delete alice's primary group, first change her primary group
$ sudo usermod -g users alice   # change alice's primary group
$ sudo groupdel alice             # now safe to delete

# Check which users have a group as their primary group before deleting
$ awk -F: '$4 == 1600' /etc/passwd   # GID is field 4 of /etc/passwd
groupdel removes the database entry, not the files the group owned

groupdel deletes the group's lines from /etc/group and /etc/gshadow, and the member list goes with them. It does nothing to the filesystem: files that were group-owned by the deleted group keep the numeric GID, which ls -l now shows as a bare number, and find / -nogroup lists them. Clean them up promptly (chgrp them to the right group), because if groupadd later hands that GID to a new group, the new group's members silently inherit access to those files.

Modifying Groups: groupmod

groupmod changes a group's name or GID. It does not manage membership — use usermod or gpasswd for membership changes.

# Rename a group
$ sudo groupmod -n devteam developers
# Renames 'developers' to 'devteam'

# Verify the rename
$ getent group devteam
devteam:x:1600:alice,carol

# Change a group's GID
$ sudo groupmod -g 1700 devteam

# Rename AND change GID in one command (equivalent to the two steps above,
# starting from the original name)
$ sudo groupmod -n devteam -g 1700 developers

# Verify both changes
$ getent group devteam
devteam:x:1700:alice,carol
Changing a GID orphans existing files

groupmod -g updates /etc/group and the primary GID in /etc/passwd of every user who had the group as primary group, but it never touches the filesystem. Files owned by the old GID keep that number and show it in ls -l. Update them right after the change, before the old GID can be reused: find / -xdev -group OLD_GID -exec chgrp NEW_GID {} + (find accepts a numeric GID that no longer resolves to a name; -xdev keeps the search off /proc, /sys and other mounted filesystems).

Adding Users to Groups: usermod -aG

The usermod -aG command is the standard way to add a user to a supplementary group while preserving all existing memberships.

# Add alice to the developers group (preserves other groups)
$ sudo usermod -aG developers alice

# Add alice to multiple groups at once
$ sudo usermod -aG developers,wheel,staff alice

# Verify the membership was added
$ id alice
uid=1001(alice) gid=1001(alice) groups=1001(alice),10(wheel),1600(developers)

# DANGER: -G without -a REPLACES all supplementary groups
$ sudo usermod -G developers alice
# alice is now ONLY in developers — wheel membership is GONE

# Note: membership changes take effect at next login
# Current sessions still use the old group list
# Force refresh without logout:
$ newgrp developers   # opens a subshell with new group active
Always use -aG — never -G alone

usermod -aG GROUP USER appends — safe. usermod -G GROUP USER without -a replaces all supplementary groups — dangerous. On the exam, forgetting -a will remove the user from sudo/wheel and any other groups.

Managing Memberships: gpasswd

gpasswd provides additional group membership management — adding and removing individual users from a group, and setting group administrators.

# Add a user to a group
$ sudo gpasswd -a alice developers
Adding user alice to group developers

# Remove a user from a group
$ sudo gpasswd -d alice developers
Removing user alice from group developers

# Add multiple members to a group (replaces all members)
$ sudo gpasswd -M alice,bob,carol developers

# Set a group administrator (can add/remove members without sudo)
$ sudo gpasswd -A alice developers

# Set a group password (rarely used: anyone who knows it can newgrp into
# the group without being a member; remove one with gpasswd -r GROUPNAME)
$ sudo gpasswd developers

# Verify membership
$ getent group developers
developers:x:1600:alice,bob,carol
gpasswd -d is the cleanest way to remove a user from a group

gpasswd -d USERNAME GROUPNAME removes a single user from a group without affecting their other group memberships. It is simpler than editing the group manually or using usermod with a full replacement list.

newgrp: Switching the Active Group

newgrp starts a new shell in which the chosen group is the effective (active) group, so files created there are group-owned by it. It is useful when a user needs to create files owned by a specific group without logging out and back in. A user who is not a member is admitted only if the group has a password (set with gpasswd) and supplies it.

# alice's current groups
$ id
uid=1001(alice) gid=1001(alice) groups=1001(alice),1600(developers)

# Switch active group to developers
$ newgrp developers

# Now in a new subshell — active group has changed
$ id
uid=1001(alice) gid=1600(developers) groups=1001(alice),1600(developers)

# Files created now are owned by the developers group
$ touch project.py
$ ls -l project.py
-rw-r--r--. 1 alice developers 0 May 25 10:00 project.py

# Exit the newgrp subshell to return to original group
$ exit

# Also applies new group membership after usermod -aG without logout
$ sudo usermod -aG wheel alice
$ newgrp wheel   # picks up new wheel membership without logout

Verifying Group Configuration

# Show all groups for a user (primary + supplementary)
$ id alice
uid=1001(alice) gid=1001(alice) groups=1001(alice),10(wheel),1600(developers)

# List only group names for a user
$ groups alice
alice : alice wheel developers

# Query a group and see its members
$ getent group developers
developers:x:1600:alice,carol

# Query a group by GID
$ getent group 1600
developers:x:1600:alice,carol

# View the raw /etc/group file
$ grep developers /etc/group
developers:x:1600:alice,carol

# List all groups with their members
$ cat /etc/group

# Find all groups a user is in (including primary)
$ id alice                  # most complete view: primary + supplementary
$ grep -w alice /etc/group  # matches group names AND member lists; misses a
                            # primary group that is not named after the user
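
The two lookups above stop at the member list in /etc/group, which is exactly where primary membership is missing. The following script is an added example written for this page (it is not part of the course material or of shadow-utils): it resolves a user's complete group list and a group's complete membership from passwd- and group-format files, the way id and the NSS lookups do. The function names, the sample passwd and group files, and the users dave, eve and carol are constructed for the demo; pointing PASSWD_FILE and GROUP_FILE at /etc/passwd and /etc/group runs it against the live system.

```shell
#!/bin/bash
# Added example: resolve complete group membership from passwd/group-format
# files, as id(1) and the NSS group lookups do. Shows what /etc/group
# field 4 leaves out. Defaults to the live databases; the demo below uses
# constructed files so it runs without root.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# all_groups_of USER: primary group (passwd field 4) first, then every group
# whose field 4 lists USER; same order as `id -nG USER`. Prints the bare GID
# when the primary group has no /etc/group entry, exactly like id does.
all_groups_of() {
    awk -F: -v u="$1" '
        FILENAME == ARGV[1] {                   # passwd: name:x:UID:GID:...
            if ($1 == u) { pgid = $4; found = 1 }
            next
        }
        found && $3 == pgid { primary = $1 }    # group: name:x:GID:members
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u && $3 != pgid)    # do not list the primary group twice
                    supp[++k] = $1
        }
        END {
            if (!found) exit 1
            out = (primary != "") ? primary : pgid
            for (i = 1; i <= k; i++) out = out " " supp[i]
            print out
        }' "$PASSWD_FILE" "$GROUP_FILE"
}

# members_of GROUP: everyone who holds GROUP, i.e. the field-4 list PLUS every
# user whose passwd primary GID equals the group's GID. `getent group GROUP`
# shows only the first part. Output is sorted and space-separated.
members_of() {
    local out
    out=$(awk -F: -v g="$1" '
        FILENAME == ARGV[1] {                   # group file first
            if ($1 == g) {
                found = 1; gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        found && $4 == gid { seen[$1] = 1 }     # passwd: primary membership
        END {
            if (!found) exit 1
            for (u in seen) print u
        }' "$GROUP_FILE" "$PASSWD_FILE") || return 1
    printf '%s\n' "$out" | LC_ALL=C sort | paste -sd ' ' -
}

# --- demo on constructed files (dave, eve and carol are invented) -------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
dave:x:1003:10::/home/dave:/bin/bash
eve:x:1004:1700::/home/eve:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
developers:x:1600:alice,carol
staff:x:1601:
alice:x:1001:
bob:x:1002:
EOF
PASSWD_FILE="$demo_dir/passwd"
GROUP_FILE="$demo_dir/group"

echo "alice:          $(all_groups_of alice)"   # alice wheel developers
echo "dave:           $(all_groups_of dave)"    # wheel (primary only, absent from field 4)
echo "eve:            $(all_groups_of eve)"     # 1700 (primary GID with no group entry)
echo "wheel members:  $(members_of wheel)"      # alice bob dave (getent would omit dave)
echo "staff members:  $(members_of staff)"      # (none)
```

The point of the demo is dave: his primary group is wheel, so he has every right the group grants (sudo on a default RHEL sudoers), yet he never appears in `getent group wheel` or in `grep wheel /etc/group`. An audit of privileged accounts that reads only field 4 misses him; members_of joins both files and does not.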

The Collaborative Directory Pattern

Groups enable shared directory access — a foundational exam scenario that combines group creation, membership, ownership, and the setgid bit.

# Complete scenario: shared /opt/devproject for the developers group

# Step 1: Create the group
$ sudo groupadd -g 1600 developers

# Step 2: Add members
$ sudo usermod -aG developers alice
$ sudo usermod -aG developers bob

# Step 3: Create the shared directory
$ sudo mkdir -p /opt/devproject

# Step 4: Set group ownership and permissions with setgid
$ sudo chown root:developers /opt/devproject
$ sudo chmod 2775 /opt/devproject
# 2 = setgid: new files and subdirectories inherit the developers group
# 7 = rwx for owner, 7 = rwx for group, 5 = r-x for other (use 2770 to keep
#     non-members out entirely)
# setgid fixes the group, not the mode: with the default umask 022 a member's
# new file is rw-r--r--, so teammates can read but not edit it unless the
# umask is 002 or a default ACL grants the group write access

# Step 5: Verify
$ ls -ld /opt/devproject
drwxrwsr-x. 2 root developers 6 May 25 10:00 /opt/devproject
#     ^ s = setgid is set
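
The ls -ld check above confirms the mode by eye. As an added example written for this page (not from the slides), the following functions verify the same thing mechanically and then probe the behaviour the pattern is meant to deliver: a file created inside the directory carries the shared group. It needs no root: the demo uses a temporary directory and the caller's own primary group in place of /opt/devproject and developers, and it reports the umask caveat rather than fixing it. The function names and the good/bad directory layout are constructed.

```shell
#!/bin/bash
# Added example: verify a collaborative directory and probe setgid
# inheritance. Uses a temporary directory and the caller's own primary
# group in place of /opt/devproject and developers, so no root is needed.

# check_shared_dir DIR GROUP: directory, group-owned by GROUP, setgid set,
# rwx for the group (mode of the form 2770 or 2775). Prints one status line.
check_shared_dir() {
    local dir="$1" group="$2" mode owner
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    mode=$(stat -c '%a' "$dir")      # octal mode, e.g. 2775 (GNU/busybox stat)
    owner=$(stat -c '%G' "$dir")
    if [ "$owner" != "$group" ]; then
        echo "FAIL $dir: group-owned by $owner, want $group"; return 1
    fi
    case "$mode" in
        [2367]?7?) ;;                 # first digit carries the 2 (setgid) bit, group digit is 7
        *) echo "FAIL $dir: mode $mode lacks setgid and/or group rwx"; return 1 ;;
    esac
    echo "OK $dir $mode $owner"
}

# probe_inheritance DIR: create a file the normal way (not with mktemp, which
# forces 0600) and check that it carries DIR's group. Also reports the umask
# caveat: setgid fixes the group, the creator's umask still decides the mode.
probe_inheritance() {
    local dir="$1" f want got fmode
    want=$(stat -c '%G' "$dir")
    f="$dir/.probe.$$"
    : > "$f" || return 1
    got=$(stat -c '%G' "$f")
    fmode=$(stat -c '%a' "$f")
    rm -f "$f"
    if [ "$got" != "$want" ]; then
        echo "FAIL new file is group-owned by $got, directory by $want"; return 1
    fi
    case "$fmode" in
        *[2367]?) echo "OK inherited $want, file mode $fmode (group can write)" ;;
        *)        echo "OK inherited $want, but file mode $fmode: umask denies group write" ;;
    esac
}

# --- demo ---------------------------------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mygroup=$(id -gn)                     # stands in for developers

mkdir "$demo_dir/good" "$demo_dir/bad"
chgrp "$mygroup" "$demo_dir/good" "$demo_dir/bad"
chmod 2775 "$demo_dir/good"           # the pattern from the slide
chmod 0775 "$demo_dir/bad"            # setgid forgotten

check_shared_dir "$demo_dir/good" "$mygroup"
check_shared_dir "$demo_dir/bad"  "$mygroup" || true
probe_inheritance "$demo_dir/good"
```

On the real directory the calls are `check_shared_dir /opt/devproject developers` (as any user) and `probe_inheritance /opt/devproject` run as each member, which is what the graded lab asks you to confirm by hand.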

/etc/gshadow: Group Security

/etc/gshadow is the secure counterpart to /etc/group — it stores group passwords and administrator lists, readable only by root.

# View /etc/gshadow (requires root)
$ sudo cat /etc/gshadow
root:::
wheel:::alice,bob
developers:!:alice:alice,carol
# Format: groupname:password:admins:members
# Field 2: ! or empty = no group password (the default); any other value is a
#          hashed password that lets anyone who knows it newgrp into the group,
#          so entries that are neither ! nor empty deserve a look in an audit
# Field 3: group administrators (set with gpasswd -A)

# grpck — verify consistency of /etc/group and /etc/gshadow
$ sudo grpck
# No output = files are consistent

# pwck — verify consistency of /etc/passwd and /etc/shadow
$ sudo pwck
grpck validates the group database integrity

grpck checks that /etc/group and /etc/gshadow are consistent: no duplicate names or GIDs, no members that are not users, and matching entries between the two files. Run it after manual file edits to catch mistakes; grpck -r reports only and never offers to delete entries.
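
grpck and pwck are interactive and root-only. As an added example written for this page (not from the slides or from shadow-utils), the following read-only audit performs the same class of checks over passwd-, group- and gshadow-format files so the logic is visible: duplicate group names and GIDs, members who are not users, users whose primary GID has no group, and gshadow entries that are missing or stale. The function name and both sample databases are constructed; the deliberate errors in the first set are described in the comments.

```shell
#!/bin/bash
# Added example: a read-only consistency audit over passwd/group/gshadow
# format files, covering the checks grpck and pwck make. Findings are
# printed one per line, sorted; the function returns 1 if there were any.
# The two sample databases below are constructed; the first one contains a
# deliberate error of every kind the audit detects.

# audit_groups PASSWD GROUP GSHADOW
audit_groups() {
    local pw="$1" gr="$2" gs="$3" findings
    findings=$(
        {
            awk -F: '
                FILENAME == ARGV[1] { users[$1] = 1; next }          # passwd
                FILENAME == ARGV[2] {                                # group
                    if ($1 in names) print "DUP_NAME " $1
                    names[$1] = 1
                    if ($3 in bygid) print "DUP_GID " $3 " " bygid[$3] "," $1
                    bygid[$3] = $1
                    n = split($4, m, ",")
                    for (i = 1; i <= n; i++)
                        if (m[i] != "" && !(m[i] in users))
                            print "NO_USER " $1 " " m[i]            # member is not a user
                    next
                }
                { shadow[$1] = 1 }                                   # gshadow
                END {
                    for (g in names)  if (!(g in shadow)) print "NO_GSHADOW " g
                    for (g in shadow) if (!(g in names))  print "STALE_GSHADOW " g
                }' "$pw" "$gr" "$gs"
            awk -F: '
                FILENAME == ARGV[1] { gids[$3] = 1; next }           # group
                !($4 in gids) { print "NO_PRIMARY_GROUP " $1 " " $4 } # passwd
            ' "$gr" "$pw"
        } | LC_ALL=C sort
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# --- constructed demo databases ----------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/bad" "$demo_dir/clean"

# Errors planted in "bad": the bob group was hand-edited to GID 1001 (duplicate
# of alice), so bob's primary GID 1002 has no group; eve's GID 1700 never
# existed; carol is listed in developers but is not a user; gshadow lacks an
# entry for bob and still carries one for the deleted group staff.
cat > "$demo_dir/bad/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
eve:x:1004:1700::/home/eve:/bin/bash
EOF
cat > "$demo_dir/bad/group" <<'EOF'
root:x:0:
wheel:x:10:alice
developers:x:1600:alice,carol
alice:x:1001:
bob:x:1001:
EOF
cat > "$demo_dir/bad/gshadow" <<'EOF'
root:::
wheel:::alice
developers:!::alice,carol
alice:!::
staff:!::
EOF

cat > "$demo_dir/clean/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
EOF
cat > "$demo_dir/clean/group" <<'EOF'
root:x:0:
wheel:x:10:alice
alice:x:1001:
EOF
cat > "$demo_dir/clean/gshadow" <<'EOF'
root:::
wheel:::alice
alice:!::
EOF

echo "== database with deliberate errors =="
audit_groups "$demo_dir/bad/passwd" "$demo_dir/bad/group" "$demo_dir/bad/gshadow" \
    || echo "(exit $?: fix before trusting these files)"
echo "== clean database =="
audit_groups "$demo_dir/clean/passwd" "$demo_dir/clean/group" "$demo_dir/clean/gshadow" \
    && echo "(consistent)"
```

Against the live system the call is `sudo audit_groups /etc/passwd /etc/group /etc/gshadow` (root is needed only to read /etc/gshadow). The DUP_GID finding is the one with security weight: two group names sharing a GID means every member of either group can read and write the other's files, since the kernel sees only the number.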

Group Management Quick Reference

Task                                            Command
Create a group                                  sudo groupadd GROUPNAME
Create a group with specific GID                sudo groupadd -g GID GROUPNAME
Create a system group                           sudo groupadd -r GROUPNAME
Delete a group                                  sudo groupdel GROUPNAME
Rename a group                                  sudo groupmod -n NEWNAME OLDNAME
Change a group's GID                            sudo groupmod -g NEWGID GROUPNAME
Add user to group (safe, preserves others)      sudo usermod -aG GROUPNAME USERNAME
Add user to group (gpasswd method)              sudo gpasswd -a USERNAME GROUPNAME
Remove user from a group                        sudo gpasswd -d USERNAME GROUPNAME
Set all group members at once                   sudo gpasswd -M USER1,USER2 GROUPNAME
Switch active group in current session          newgrp GROUPNAME
Show user's UID, GID, and groups                id USERNAME
Show a group's members                          getent group GROUPNAME
Verify group database consistency               sudo grpck

Common Mistakes

Mistake: usermod -G without -a
  What goes wrong: All supplementary groups replaced; user loses wheel and other critical memberships
  Correct approach: Always use usermod -aG GROUPNAME USER; the -a is mandatory

Mistake: Referencing a non-existent group in useradd/usermod
  What goes wrong: "group does not exist" error; the command fails entirely
  Correct approach: Run groupadd first; verify with getent group GROUPNAME

Mistake: Deleting a group that is still the primary group of a user
  What goes wrong: groupdel fails: "cannot remove the primary group of user"
  Correct approach: Change the user's primary group with usermod -g NEWGROUP USER first

Mistake: Expecting new membership to take effect in the current session
  What goes wrong: User runs a command requiring the new group but the shell still has the old group list
  Correct approach: User must log out and back in, or use newgrp GROUPNAME

Mistake: Confusing -g (primary group) with -G (supplementary groups) in usermod
  What goes wrong: Changes the wrong group relationship
  Correct approach: Lowercase -g changes the primary group; uppercase -G sets supplementary groups

Mistake: Changing a GID with groupmod without updating file ownership
  What goes wrong: Files previously owned by the old GID become orphaned, and a later group that reuses the GID inherits them
  Correct approach: After groupmod -g, run find / -xdev -group OLDGID -exec chgrp NEWGID {} +

Complete Group Configuration Workflow

Exam scenario: create group webteam with GID 2000, add users alice and bob, and verify.

# Step 1: Confirm the group does not already exist
$ getent group webteam
# No output — safe to create

# Step 2: Create the group with the required GID
$ sudo groupadd -g 2000 webteam

# Step 3: Add alice and bob to the group
$ sudo usermod -aG webteam alice
$ sudo usermod -aG webteam bob

# Step 4: Verify group exists with correct GID and members
$ getent group webteam
webteam:x:2000:alice,bob

# Step 5: Verify alice and bob's complete membership
$ id alice
uid=1001(alice) gid=1001(alice) groups=1001(alice),10(wheel),2000(webteam)

$ id bob
uid=1002(bob) gid=1002(bob) groups=1002(bob),2000(webteam)
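
Applied by hand, the workflow above is not repeatable: running it a second time fails at groupadd and re-adds members. The following planner is an added example written for this page (not part of the course or of shadow-utils): it compares the requested group, GID and members with passwd- and group-format files and prints only the commands still needed, or a CONFLICT line when the request would collide with an existing group or GID or names a user that does not exist. It executes nothing; the output is reviewed and then run with sudo. The function name, the sample files and the before/after states are constructed.

```shell
#!/bin/bash
# Added example: idempotent planner for "create group G with GID N and add
# users". Compares the request with passwd/group-format files and prints
# only the commands still needed, or CONFLICT lines; it executes nothing.
# Defaults to the live databases; the demo below uses constructed files.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# plan_group GROUP GID USER...  -> command lines to run, "#" lines for work
# already done, CONFLICT lines for requests that cannot be applied safely.
# Returns 1 if any CONFLICT line was printed.
plan_group() {
    local group="$1" gid="$2"
    shift 2
    awk -F: -v g="$group" -v want="$gid" -v userlist="$*" '
        FILENAME == ARGV[1] { users[$1] = $4; next }     # passwd: name -> primary GID
        $1 == g    { have_gid = $3; members = $4 }       # group looked up by name
        $3 == want { gid_owner = $1 }                    # group looked up by GID
        END {
            rc = 0; group_ok = 1
            if (have_gid == "") {
                if (gid_owner != "") {
                    print "CONFLICT: GID " want " already belongs to group " gid_owner
                    group_ok = 0
                } else print "sudo groupadd -g " want " " g
            } else if (have_gid != want) {
                print "CONFLICT: group " g " exists with GID " have_gid ", not " want
                group_ok = 0
            }
            if (!group_ok) rc = 1
            gid_eff = (have_gid != "") ? have_gid : want
            n = split(members, m, ",")
            for (i = 1; i <= n; i++) ismem[m[i]] = 1
            nu = split(userlist, ul, " ")
            for (i = 1; i <= nu; i++) {
                u = ul[i]
                if (!(u in users)) { print "CONFLICT: user " u " does not exist"; rc = 1 }
                else if (!group_ok) continue
                else if (users[u] == gid_eff) print "# " u " already in " g " (primary group)"
                else if (u in ismem) print "# " u " already in " g
                else print "sudo usermod -aG " g " " u
            }
            exit rc
        }' "$PASSWD_FILE" "$GROUP_FILE"
}

# --- constructed demo: the exam scenario, before and half-way through --------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
EOF
# state before the workflow
cat > "$demo_dir/group.before" <<'EOF'
root:x:0:
wheel:x:10:alice
developers:x:1600:alice
alice:x:1001:
bob:x:1002:
EOF
# state after groupadd and alice's usermod ran but bob's did not
cat > "$demo_dir/group.after" <<'EOF'
root:x:0:
wheel:x:10:alice
developers:x:1600:alice
alice:x:1001:
bob:x:1002:
webteam:x:2000:alice
EOF

PASSWD_FILE="$demo_dir/passwd"
GROUP_FILE="$demo_dir/group.before"
echo "== fresh system =="
plan_group webteam 2000 alice bob
GROUP_FILE="$demo_dir/group.after"
echo "== re-run after the group and alice were already done =="
plan_group webteam 2000 alice bob
echo "== requests that must not be applied blindly =="
plan_group developers 2000 alice || true   # name exists with another GID
plan_group ops 1600 alice || true          # GID already taken by developers
plan_group webteam 2000 carol || true      # user does not exist
```

The CONFLICT cases are the ones groupadd itself would refuse; surfacing them before anything runs matters because a half-applied change (group created, members missing) is harder to spot than a refused one.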

Knowledge Check

Answer these before moving to the next slide.

  1. Write the commands to create a group called ops with GID 3000 and then add users alice and bob to it. Write the command to verify both are members.
  2. What is the difference between usermod -aG ops alice and usermod -G ops alice?
  3. Write the command to remove user alice from the ops group without affecting her other group memberships.
  4. You try sudo groupdel ops and get the error "cannot remove the primary group of user 'ops'". What caused this, and what must you do first?
  5. Write the command to rename the group ops to operations. After the rename, do existing files owned by the ops group need to be updated? Why or why not?
  6. What does field 4 (the member list) in /etc/group show, and what does it NOT show? Why can grep alice /etc/group miss a group that alice is in?

Knowledge Check — Answers

  1. sudo groupadd -g 3000 ops
    sudo usermod -aG ops alice
    sudo usermod -aG ops bob
    Verify: getent group ops → should show ops:x:3000:alice,bob
  2. usermod -aG ops alice appends ops to alice's existing supplementary groups — all other memberships (wheel, developers, etc.) are preserved. usermod -G ops alice (without -a) replaces alice's entire supplementary group list with just ops, removing her from every other supplementary group.
  3. sudo gpasswd -d alice ops — this removes alice from the ops member list in /etc/group without affecting any of her other group memberships.
  4. A user named ops exists and has ops as their primary group (the GID in /etc/passwd matches the GID of the ops group). groupdel refuses to remove a group that is anyone's primary group. Fix: sudo usermod -g NEWPRIMARYGROUP ops to change the user's primary group, then retry groupdel ops.
  5. sudo groupmod -n operations ops. No — existing files do not need to be updated. groupmod -n only changes the group name in /etc/group; the GID remains the same. Files store the GID number, not the name — so they automatically resolve to "operations" without any file changes.
  6. Field 4 lists only supplementary members: users for whom the group is not the primary group. It does NOT show users whose primary group it is; that relationship is recorded in /etc/passwd field 4 and nowhere in /etc/group. So grep alice /etc/group finds wheel and developers because alice is in their member lists, and finds the alice group only because the group NAME happens to be alice. If her primary group were staff instead, the line staff:x:1601: contains no "alice" and grep misses it entirely. grep also matches substrings (a user malice, a group alice2), so prefer id alice, which resolves the primary group from /etc/passwd.

Key Takeaways

  1. Create groups with groupadd before referencing them in useradd/usermod. Use -g GID for a specific GID. Verify with getent group GROUPNAME. groupdel cannot remove a group that is anyone's primary group — change the primary group first with usermod -g.
  2. Add to groups with usermod -aG GROUP USER — always with -a. Without -a, -G replaces all supplementary groups. Remove from a group with gpasswd -d USER GROUP. New memberships take effect at next login — use newgrp GROUP for immediate effect.
  3. Rename groups with groupmod -n NEWNAME OLDNAME — files are unaffected. The GID stays the same; files resolve to the new name automatically. Changing GIDs with groupmod -g orphans existing files — update with find / -group OLDGID -exec chgrp NEWGID {} \;.
  4. Verify with id USER and getent group GROUPNAME. id shows all group memberships including primary. /etc/group field 4 shows only supplementary members — not the user whose primary group it is. Use both for complete confirmation.

Graded Lab

  • Create groups labgroup (GID 3001) and labteam (GID 3002). Verify both with getent group. View the new entries in /etc/group.
  • Add two lab users to labgroup using usermod -aG. Verify with getent group labgroup (shows members) and id USER (shows complete membership). Confirm the -a flag preserved existing groups.
  • Add one user to labgroup using gpasswd -a, and then remove them with gpasswd -d. Verify the removal with getent group labgroup.
  • Rename labgroup to labcrew using groupmod -n. Create a test file owned by the old group name before renaming. After renaming, confirm the file now shows the new group name — demonstrating that GID-based storage makes the rename transparent.
  • Set up a shared directory /opt/labshare owned by labteam with permissions 2775. Add two users to labteam. As each user, create a file in /opt/labshare and confirm it is owned by labteam (setgid inheritance).
  • Delete labteam using groupdel. If it fails because it is a primary group, resolve it and retry. Use find /opt -nogroup to identify any orphaned files left behind by the deletion. Clean them up.
RHCSA Objective

"Create, delete, and modify local groups and group memberships." Know groupadd -g, usermod -aG (never without -a), gpasswd -d, groupmod -n, and verify with id and getent group.