- How to list all groups a user is a member of
- What is primary group?
- What is secondary group?
- What is /etc/passwd file
- What is /etc/group file
- Method-1: Using groups command
- Method-2: Using id command
- Method-3: Using lid command
- Method-4: Using the getent command
- Method-5: Using the ‘/etc/group’ file
- Bonus Tip-1: Find out all groups using compgen command
- Bonus Tip-2: Listing members of a group using member command
- Closing Notes
- How To List All Users and Groups in Linux
- Print User File Named passwd
- Print Only Usernames
- Print Users Who Have Login
- Print Users Who Have Home Directories
- Print Group File
- Print Only Group Names
- How to List All User Groups on Ubuntu 18.04 | 16.04 with Examples
- Users and groups
- Contents
- Overview
- Permissions and ownership
- Shadow
- File list
- User management
- Example adding a user
- Example adding a system user
- Change a user’s login name or home directory
- Other examples of user management
- User database
- Automatic integrity checks
- Group management
- Group list
- User groups
- System groups
- Pre-systemd groups
- Unused groups
- Other tools related to these databases
How to list all groups a user is a member of
Before delving into the 5 ways, let’s first understand some basics:
Adding a user to an existing group is one of the typical tasks of a Linux administrator.
A group is a collection of users. The main purpose of the group is to define a set of privileges to their members within the group.
It can be a difficult task if you want to assign a set of privileges to multiple users without a group. This is where the group comes in handy.
All system users are listed in the /etc/passwd file, the groups are listed in the /etc/group file, and the actual password is stored in the /etc/shadow file.
No matter what command we use, it will fetch information from these files.
There are two types of groups in Linux:
- Primary Group
- Secondary Group
What is primary group?
The primary group is the main group associated with the user account. Each user must be a member of a single primary group.
What is secondary group?
The secondary or supplementary group is used to grant additional rights to the user. Each user can become a member of multiple secondary groups.
What is /etc/passwd file
“/etc/passwd” is a text file containing every user information that is required to login to the Linux system. It maintains useful information about users such as username, password, user ID, group ID, user information, home directory and shell.
Each user profile in the password file is a single line with seven fields as shown below:
What is /etc/group file
“/etc/group” is a text file that defines which groups a user belongs to. We can add multiple users in the same group.
Linux has three permission levels which define how users can access it. These levels are user, group and others, which controls a users access to other users’ files and folders.
/etc/group file maintains useful information about the group such as group name, group password, group ID (GIT) and membership list. Each group details is shown in a single line with four fields as shown in the ‘method #5’ listed below.
The following seven commands will help you find out which groups a user belongs to in Linux.
- groups: Show All Members of a Group.
- id: Print user and group information for the specified username.
- lid or libuser-lid: It display user’s groups or group’s users.
- getent: Get entries from Name Service Switch libraries.
- compgen: compgen is bash built-in command and it will show all available commands for the user.
- members: List members of a group.
- /etc/group file: Also, we can grep the corresponding user’s groups from the /etc/group file.
Now let’s delve into the 5 methods which can be used to find the list of groups a user is part of in Linux:
Method-1: Using groups command
The ‘groups’ command is widely used by Linux admin to list all groups a user is a member of. It prints the information of the given user’s primary and supplementary groups as shown below:
Run ‘groups’ command without any arguments to display the list of groups associated with the current user as shown below:
Method-2: Using id command
The id command stands for identity. It prints real and effective user, group, and supplementary group information such as username, UID, group names and GUID as shown below:
Just run the ‘id’ command to view group information about the current user as shown below:
Method-3: Using lid command
The lid or libuser-lid command displays information about groups containing user name, which requires sudo privileges.
You should run the libuser-lid command instead of the lid on newer systems.
Method-4: Using the getent command
The getent command displays entries from databases supported by the Name Service Switch libraries, which are configured in ‘/etc/nsswitch.conf’:
The above command shows the group name and all other members associated with that group. Use the below customized command format to print only groups for a given user:
Run the below command to print only the primary group information of the user:
Method-5: Using the ‘/etc/group’ file
User groups information can be filtered from the ‘/etc/group’ file using grep command as shown below:
Use the below customized command format to print only groups for a given user:
Bonus Tip-1: Find out all groups using compgen command
Compgen is a bash built-in command that displays all groups in the Linux system:
Bonus Tip-2: Listing members of a group using member command
The member command allows you to list members of a group in Linux:
Closing Notes
In this guide, we have shown you several commands to list all groups a user is a member of in Linux.
If you have any questions or feedback, feel free to comment below.
Источник
How To List All Users and Groups in Linux
Users and group files are important for Linux. Normal users will interact with Linux systems by using credentials provided in the user ad group file.
Print User File Named passwd
We can get content of the user file like below. This file provides usernames home directories and shell information.
Print User File Named passwd
As we can see each line of the output provides the user name, user id, user group, user shell, user home path etc.
Print Only Usernames
We can print only usernames by filtering other columns like below.
Print Only Usernames
Print Users Who Have Login
By default normal users will login to the Linux box. But in some cases service users do not need to login Linux system. This is also a security measure. We can list users who do not have login right with the following command. This login information is stored in the /etc/passwd file.
Print Users Who Have Login
Print Users Who Have Home Directories
We can print only users who have home directories in /home. This command will first look in to the passwd to list users how have /home and then print only user names from result.
Print Users Who Have Home Directories
Print Group File
Linux users have primary and secondary groups. These group names are stored in the /etc/group file. We can print this group information and assigned user with cat command. For more details read following tutorial.
Print Only Group Names
We can print only group names by cutting other column like below.
Print Only Group Names
Источник
How to List All User Groups on Ubuntu 18.04 | 16.04 with Examples
This brief tutorial shows students and new users how to list groups on Ubuntu 18.04 | 16.04 Linux systems.
If you’re a student or new user looking for a Linux system to start learning on, the easiest place to start is on Ubuntu Linux OS. It’s a great Linux operating system for beginners.
Ubuntu is an open source Linux operating systems that runs on desktops, laptops, server and other devices.
Students and new users will find that Linux isn’t so different than Windows and other operating systems in so many ways, especially when it comes to use the system to get work done.…
Both Ubuntu and Windows systems allow you to be productive, easy to use, reliable and enable you to install and run thousands of programs from gaming to productivity suite software for individuals and businesses.
However, when you’re learning to use and understand Ubuntu Linux, you should also learn how to use the command line to terminal. Most Linux users can do some basic command line tasks. This tutorial is going to show you how..
This post shows you how to perform a basic task of listing groups on Ubuntu Linux.
When you’re ready to learn how to list groups on Ubuntu, follow the steps below:
Linux Groups:
There are two types of groups users can be assigned to: One is a primary and the other a secondary group which grants privileges to user to access certain resources.
Below is how a typical Linux user account is added and assigned group memberships:
User — A user has an account must belong to one primary group. Typically the the user’s primary group is also named after the user account name.
Primary Group — The primary group is created at the same time the user account is created and the user is automatically added to it. File created by the user automatically belongs to the user group.
Secondary Group — This group is not required and only there to give users access to other resources they’re don’t already have access to. Users can belong to none or as many secondary groups are possible.
The primary user’s group is stored in the /etc/passwd file and the supplementary groups, if any, are listed in the /etc/group file.
List User Groups using groups command
Now that you know the types of groups for users, you can use the groups command to find the groups a user belongs to. Running the groups command without any arguments, will list all the groups the user belongs to.
Should output all the group the account richard belongs to. The first group with same name as the user account name is the primary group.
To list all the groups a user belongs, add the username to the groups command
This should output same as above
List User Groups using the id command
One can also use the id command to list groups information about specified user. It prints user and group information for the specified USER,
The command will show the username (uid), the user’s primary group (gid), and the user’s secondary groups (groups)
Should output the line below:
List Group Membership using the getent command
If you want to know who are members of a particular group, use the getent command. This command gets entries from administrative database.
To get a membership of the cdrom group, run the command below
getent group cdrom
This should output all the users who have access to the cdrom group.
Listing All Groups
To list the entire groups on Ubuntu, run the command below
That should output all the groups on each line
Congratulations! You have learned how to list groups on Ubuntu Linux.
Источник
Users and groups
Users and groups are used on GNU/Linux for access control—that is, to control access to the system’s files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL, Capabilities and PAM#Configuration How-Tos.
Contents
Overview
A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.
Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use the su and sudo programs for controlled privilege elevation.
Any individual may have more than one account as long as they use a different name for each account they create. Further, there are some reserved names which may not be used such as «root».
Users may be grouped together into a «group», and users may be added to an existing group to utilize the privileged access it grants.
Permissions and ownership
The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: «everything is a file,» widely regarded as one of the defining points of UNIX. This key design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a «file.» Since every «file» is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.
A fundamental and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications — simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the /dev directory. On many systems, audio recording and playback can be done simply with the commands, » cat /dev/audio > myfile » and » cat myfile > /dev/audio ,» respectively.
Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file’s owning user, owning group, and others (those without ownership). One can determine a file’s owners and permissions by viewing the long listing format of the ls command:
The first column displays the file’s permissions (for example, the file initramfs-linux.img has permissions -rw-r—r— ). The third and fourth columns display the file’s owning user and group, respectively. In this example, all files are owned by the root user and the root group.
In this example, the sf_Shared directory is owned by the root user and the vboxsf group. It is also possible to determine a file’s owners and permissions using the stat command:
Access permissions are displayed in three groups of characters, representing the permissions of the owning user, owning group, and others, respectively. For example, the characters -rw-r—r— indicate that the file’s owner has read and write permission, but not execute ( rw- ), whilst users belonging to the owning group and other users have only read permission ( r— and r— ). Meanwhile, the characters drwxrwx— indicate that the file’s owner and users belonging to the owning group all have read, write, and execute permissions ( rwx and rwx ), whilst other users are denied access ( — ). The first character represents the file’s type.
List files owned by a user or group with the find utility:
A file’s owning user and group can be changed with the chown (change owner) command. A file’s access permissions can be changed with the chmod (change mode) command.
Shadow
The user, group and password management tools on Arch Linux come from the shadow package, which is a dependency of the base meta package.
File list
| File | Purpose |
|---|---|
| /etc/shadow | Secure user account information |
| /etc/passwd | User account information |
| /etc/gshadow | Contains the shadowed information for group accounts |
| /etc/group | Defines the groups to which users belong |
User management
To list users currently logged on the system, the who command can be used. To list all existing user accounts including their properties stored in the user database, run passwd -Sa as root. See passwd(1) for the description of the output format.
To add a new user, use the useradd command:
-m / —create-home the user’s home directory is created as /home/username . The directory is populated by the files in the skeleton directory. The created files are owned by the new user. -G / —groups a comma separated list of supplementary groups which the user is also a member of. The default is for the user to belong only to the initial group. -s / —shell a path to the user’s login shell. Ensure the chosen shell is installed if choosing something other than Bash.
If an initial login group is specified by name or number, it must refer to an already existing group. If not specified, the behaviour of useradd will depend on the USERGROUPS_ENAB variable contained in /etc/login.defs . The default behaviour ( USERGROUPS_ENAB yes ) is to create a group with the same name as the username.
When the login shell is intended to be non-functional, for example when the user account is created for a specific service, /usr/bin/nologin may be specified in place of a regular shell to politely refuse a login (see nologin(8) ).
See useradd(8) for other supported options.
Example adding a user
To add a new user named archie , creating its home directory and otherwise using all the defaults in terms of groups, folder names, shell used and various other parameters:
Although it is not required to protect the newly created user archie with a password, it is highly recommended to do so:
The above useradd command will also automatically create a group called archie and makes this the default group for the user archie . Making each user have their own group (with the group name same as the user name) is the preferred way to add users.
You could also make the default group something else using the -g option, but note that, in multi-user systems, using a single default group (e.g. users ) for every user is not recommended. The reason is that typically, the method for facilitating shared write access for specific groups of users is setting user umask value to 002 , which means that the default group will by default always have write access to any file you create. See also User Private Groups. If a user must be a member of a specific group specify that group as a supplementary group when creating the user.
In the recommended scenario, where the default group has the same name as the user name, all files are by default writeable only for the user who created them. To allow write access to a specific group, shared files/folders can be made writeable by default for everyone in this group and the owning group can be automatically fixed to the group which owns the parent directory by setting the setgid bit on this directory:
Otherwise the file creator’s default group (usually the same as the user name) is used.
If a GID change is required temporarily you can also use the newgrp command to change the user’s default GID to another GID at runtime. For example, after executing newgrp groupname files created by the user will be associated with the groupname GID, without requiring a re-login. To change back to the default GID, execute newgrp without a groupname.
Example adding a system user
System users can be used to run processes/daemons under a different user, protecting (e.g. with chown) files and/or directories and more examples of computer hardening.
With the following command a system user without shell access and without a home directory is created (optionally append the -U parameter to create a group with the same name as the user, and add the user to this group):
If the system user requires a specific user and group ID, specify them with the -u / —uid and -g / —gid options when creating the user:
Change a user’s login name or home directory
To change a user’s home directory:
The -m option also automatically creates the new directory and moves the content there.
Make sure there is no trailing / on /my/old/home .
To change a user’s login name:
Changing a username is safe and easy when done properly, just use the usermod command. If the user is associated to a group with the same name, you can rename this with the groupmod command.
Alternatively, the /etc/passwd file can be edited directly, see #User database for an introduction to its format.
Also keep in mind the following notes:
- If you are using sudo make sure you update your /etc/sudoers to reflect the new username(s) (via the visudo command as root).
- Personal crontabs need to be adjusted by renaming the user’s file in /var/spool/cron from the old to the new name, and then opening crontab -e to change any relevant paths and have it adjust the file permissions accordingly.
- Wine’s personal folders/files’ contents in
/.local/share/applications/wine/Programs and possibly more need to be manually renamed/edited.
or $HOME variables for home directories.
Other examples of user management
To enter user information for the GECOS comment (e.g. the full user name), type:
(this way chfn runs in interactive mode).
Alternatively the GECOS comment can be set more liberally with:
To mark a user’s password as expired, requiring them to create a new password the first time they log in, type:
User accounts may be deleted with the userdel command:
The -r option specifies that the user’s home directory and mail spool should also be deleted.
To change the user’s login shell:
User database
Local user information is stored in the plain-text /etc/passwd file: each of its lines represents a user account, and has seven fields delimited by colons.
- account is the user name. This field can not be blank. Standard *NIX naming rules apply.
- password is the user password.
Broken down, this means: user jack , whose password is in /etc/shadow , whose UID is 1001 and whose primary group is 1003. Jack Smith is his full name and there is a comment associated to his account; his home directory is /home/jack and he is using Bash.
The pwck command can be used to verify the integrity of the user database. It can sort the user list by GID at the same time, which can be helpful for comparison:
Automatic integrity checks
Instead of running pwck / grpck manually, the systemd timer shadow.timer , which is part of, and is enabled by, installation of the shadow package, will start shadow.service daily. shadow.service will run pwck(8) and grpck(8) to verify the integrity of both password and group files.
If discrepancies are reported, group can be edited with the vigr(8) command and users with vipw(8) . This provides an extra margin of protection in that these commands lock the databases for editing. Note that the default text editor is vi, but an alternative editor will be used if the EDITOR environment variable is set, then that editor will be used instead.
Group management
/etc/group is the file that defines the groups on the system (see group(5) for details). There is also its companion gshadow which is rarely used. Its details are at gshadow(5) .
Display group membership with the groups command:
If user is omitted, the current user’s group names are displayed.
The id command provides additional detail, such as the user’s UID and associated GIDs:
To list all groups on the system:
Create new groups with the groupadd command:
Add users to a group with the gpasswd command (see FS#58262 regarding errors):
Alternatively, add a user to additional groups with usermod (replace additional_groups with a comma-separated list):
Modify an existing group with the groupmod command, e.g. to rename the old_group group to new_group :
To delete existing groups:
To remove users from a group:
The grpck command can be used to verify the integrity of the system’s group files.
Group list
This section explains the purpose of the essential groups from the filesystem package. There are many other groups, which will be created with correct GID when the relevant package is installed. See the main page for the software for details.
User groups
Non-root workstation/desktop users often need to be added to some of following groups to allow access to hardware peripherals and facilitate system administration:
| Group | Affected files | Purpose |
|---|---|---|
| adm | Administration group, commonly used to give read access to protected logs. It has full read access to journal files. | |
| ftp | /srv/ftp/ | Access to files served by FTP servers. |
| games | /var/games | Access to some game software. |
| http | /srv/http/ | Access to files served by HTTP servers. |
| log | Access to log files in /var/log/ created by syslog-ng. | |
| rfkill | /dev/rfkill | Right to control wireless devices power state (used by rfkill). |
| sys | Right to administer printers in CUPS. | |
| systemd-journal | /var/log/journal/* | Can be used to provide read-only access to the systemd logs, as an alternative to adm and wheel [1]. Otherwise, only user generated messages are displayed. |
| uucp | /dev/ttyS9+ , /dev/tts/9+ , /dev/ttyUSB2+ , /dev/ttyACM9+ , /dev/rfcomm6+ | RS-232 serial ports and devices connected to them. |
| wheel | Administration group, commonly used to give privileges to perform administrative actions. It has full read access to journal files and the right to administer printers in CUPS. Can also be used to give access to the sudo and su utilities (neither uses it by default). |
System groups
The following groups are used for system purposes, an assignment to users is only required for dedicated purposes:
| Group | Affected files | Purpose |
|---|---|---|
| dbus | used internally by dbus | |
| kmem | /dev/port , /dev/mem , /dev/kmem | |
| locate | /usr/bin/locate , /var/lib/locate , /var/lib/mlocate , /var/lib/slocate | See Locate. |
| lp | /dev/lp8* , /dev/parport5* | Access to parallel port devices (printers and others). |
| /usr/bin/mail | ||
| nobody | Unprivileged group. | |
| proc | /proc/pid/ | A group authorized to learn processes information otherwise prohibited by hidepid= mount option of the proc file system. The group must be explicitly set with the gid= mount option. |
| root | /* | Complete system administration and control (root, admin). |
| smmsp | sendmail group. | |
| tty | /dev/tty , /dev/vcc , /dev/vc , /dev/ptmx | |
| utmp | /run/utmp , /var/log/btmp , /var/log/wtmp |
Pre-systemd groups
Before arch migrated to systemd, users had to be manually added to these groups in order to be able to access the corresponding devices. This way has been deprecated in favour of udev marking the devices with a uaccess tag and logind assigning the permissions to users dynamically via ACLs according to which session is currently active. Note that the session must not be broken for this to work (see General troubleshooting#Session permissions to check it).
There are some notable exceptions which require adding a user to some of these groups: for example if you want to allow users to access the device even when they are not logged in. However, note that adding users to the groups can even cause some functionality to break (for example, the audio group will break fast user switching and allows applications to block software mixing).
| Group | Affected files | Purpose |
|---|---|---|
| audio | /dev/audio , /dev/snd/* , /dev/rtc0 | Direct access to sound hardware, for all sessions. It is still required to make ALSA and OSS work in remote sessions, see ALSA#User privileges. Also used in JACK to give users realtime processing permissions. |
| disk | /dev/sd[a-zA-Z]*3* | Access to block devices not affected by other groups such as optical , floppy , and storage . |
| floppy | /dev/fd5* | Access to floppy drives. |
| input | /dev/input/event7* , /dev/input/mouse1* | Access to input devices. Introduced in systemd 215 [2]. |
| kvm | /dev/kvm | Access to virtual machines using KVM. |
| optical | /dev/sr4 , /dev/sg9 | Access to optical devices such as CD and DVD drives. |
| scanner | /var/lock/sane | Access to scanner hardware. |
| storage | /dev/st7*[lma]* , /dev/nst5*[lma]* | Used to gain access to removable drives such as USB hard drives, flash/jump drives, MP3 players; enables the user to mount storage devices.[3] Now solely for direct access to tapes if no custom udev rules is involved.[4][5][6][7] |
| video | /dev/fb/0 , /dev/misc/agpgart | Access to video capture devices, 2D/3D hardware acceleration, framebuffer (X can be used without belonging to this group). |
Unused groups
The following groups are currently not used for any purpose:
| Group | Affected files | Purpose |
|---|---|---|
| bin | none | Historical |
| daemon | ||
| lock | Used for lockfile access. Required by e.g. gnokii AUR . | |
| mem | ||
| network | Unused by default. Can be used e.g. for granting access to NetworkManager (see NetworkManager#Set up PolicyKit permissions). | |
| power | ||
| uuidd | ||
| users | The primary group for users when user private groups are not used (generally not recommended), e.g. when creating users with USERGROUPS_ENAB no in /etc/login.defs or the -N / —no-user-group option of useradd. |
Other tools related to these databases
This article or section is a candidate for merging with #Shadow.
The factual accuracy of this article or section is disputed.
getent(1) can be used to read a particular record.
As warned in #User database, using specific utilities such as passwd and chfn , is a better way to change the databases. Nevertheless, there are times when editing them directly is looked after. For those times, vipw , vigr are provided. It is strongly recommended to use these tailored editors over using a general text editor as they lock the databases against concurrent editing. They also help prevent invalid entries and/or syntax errors. Note that Arch Linux prefers usage of specific tools, such as chage, for modifying the shadow database over using vipw -s and vigr -s from util-linux . See also FS#31414.
Источник
