How To Administer Groups With gpasswd


This guide shows you how to administer groups using the gpasswd command. Each file and folder within Linux has owner, group and everybody-else permissions. By controlling who belongs to a group you can control what happens to files and folders on your system without having to set permissions for each user.

A Little Bit About Permissions

Open a terminal and within your home folder create a folder called accounts using the mkdir command as follows:

mkdir accounts

Now run the following ls command which will show you the permissions for the folder you have just created.

ls -lt

You will see something like this:

drwxr-xr-x 2 yourname yourname 4096 date accounts

The bits we are interested in are the permissions which in the above example are "drwxr-xr-x". We are also interested in the 2 "yourname" values.

Let's talk about the permissions first. The "d" stands for directory and lets us know that accounts is a directory.

The rest of the permissions is split into 3 sections: "rwx", "r-x", "r-x". The first section of 3 characters are the permissions that the owner of an object has. The second section of 3 characters are the permissions that anybody who belongs to the group has and finally, the last section is the permissions that everybody else has.

The "r" stands for "read", the "w" stands for "write" and the "x" stands for "execute".

Therefore in the example above the owner has read, write and execute permissions for the accounts folder whereas the group and everybody else only has read and execute permissions.

In the example, the first "yourname" is the owner of the item and the second "yourname" is the primary group for the accounts folder.

To make this guide more useful add a couple more accounts to your system using the following adduser commands:

sudo adduser tim

sudo adduser tom

You will be asked to set a password for each of them and enter other information.

You can get away with just the password and return through the rest of the fields.

Now that you have 3 accounts, run the following command to change the owner of your accounts folder.

sudo chown tom accounts

Now run the ls command again.

ls -lt


The permissions will now be as follows:

drwxr-xr-x tom yourname

You will be able to navigate into the accounts folder using the cd command as follows:

cd accounts

Now try creating a file using the following command:

touch test

You will receive the following error:

touch: cannot touch 'test': Permission denied

The reason for this is that Tom is the owner and has read, write and execute permissions but you are just part of the group and you only have group permissions.

Navigate back to the home folder and change the permissions for accounts by typing the following commands:

cd ..

sudo chmod 750 accounts

Now run the ls command again:

ls -lt

The permissions for the accounts folder will now be as follows:

drwxr-x---

This means that the owner has full permissions, users in the group "yourname" will have read and execute permissions, and everyone else will have no permissions.

Try it out. Navigate to the accounts folder and run the touch command again:

cd accounts

touch test

You still have permission to navigate into the folder but don't have permission to create files. A user who is neither the owner nor a member of the group can't even get into the accounts folder.

To try this out switch to the user Tim and navigate to the accounts folder as follows:

su - tim

cd /home/yourname/accounts

You will get a permission denied error.
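The walkthrough above can be traced with a small model of how the permission check picks one triad per user. This is an added example, not part of the original guide; the function names are illustrative, and it assumes plain rwx bits, no ACLs and a non-root user.

```shell
#!/bin/sh
# Added illustration: which permission triad applies to a user.
# Assumes plain rwx bits (no setuid/sticky letters, no ACLs), non-root user.

# effective_perms MODE OWNER GROUP USER "USER_GROUPS"
# Only the first matching class is used: owner, then group, then everyone else.
effective_perms() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    perms=${mode#?}                      # drop the type character (d, -, l)
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$perms" | cut -c1-3; return
    fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            printf '%s\n' "$perms" | cut -c4-6; return
        fi
    done
    printf '%s\n' "$perms" | cut -c7-9
}

# can_do LETTER TRIAD: succeeds if the triad grants r, w or x.
can_do() {
    case $2 in *"$1"*) return 0 ;; *) return 1 ;; esac
}

# report LABEL LETTER MODE OWNER GROUP USER "USER_GROUPS"
report() {
    triad=$(effective_perms "$3" "$4" "$5" "$6" "$7")
    if can_do "$2" "$triad"; then verdict=allowed; else verdict=denied; fi
    echo "$1: $6 gets '$triad' -> $verdict"
}

# The states the walkthrough passes through (constructed from the guide):
report "touch after chown"     w drwxr-xr-x tom yourname yourname "yourname"
report "cd after chmod 750"    x drwxr-x--- tom yourname yourname "yourname"
report "touch after chmod 750" w drwxr-x--- tom yourname yourname "yourname"
report "cd as tim"             x drwxr-x--- tom yourname tim      "tim"
```

Because only the first matching class counts, an owner whose own triad is narrower than the group triad is still limited to the owner bits, even if they are also a member of the group.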

So why use group permissions rather than set individual permissions for every user? Suppose you have an accounts department whose members should all have access to certain spreadsheets and documents that nobody else in the company should see. Rather than set permissions for each person in accounts, you can assign the folder to a group called accounts and then add the users to the group.

Why is this better than setting individual user permissions? If a user leaves the department you can just remove them from the group as opposed to working out their permissions on a series of folders.

How To Create A Group

You can use the following command to create a group:

sudo addgroup accounts

How To Add A User To A Group

sudo gpasswd -a username accounts

The above command can be used to add a single user to the accounts group.

To set the group's member list to several users in one go (this replaces any existing members) run the following command:

sudo gpasswd -M yourname,tom,tim accounts

When a user has been added to the group the user can add the group to their list of secondary groups by running the following command:

newgrp accounts

Any user that doesn't belong to the group will be asked to enter the group password.

How To Change The Primary Group For A Folder

Now that we have a group with a user you can assign that group to the accounts folder using the following chgrp command:

sudo chgrp accounts accounts

The first accounts is the name of the group and the second accounts is the name of the folder.

How To Check If A User Belongs To A Group

You can check whether a user belongs to a group by running the following command:

groups

This will return the list of groups that a user belongs to.

How To Change The Group Password

To change the group password you can run the following command:

sudo gpasswd accounts

You will be asked to enter a password for the group and repeat it.

Now you can add users to a group in the manner specified above or a new user can join the group simply by running the following command and supplying the correct password:

newgrp accounts

Obviously, you don't want to give the group password out to anyone so it is better to add the user to the group yourself.

How To Restrict Groups To Just The Specified Members

If you don't want anybody who just knows the password to join a group you can run the following command:

sudo gpasswd -R accounts

Set A User As An Administrator

You can set users as administrators of a group. This allows the user to add and remove users from a particular group as well as change the password.

To do this run the following command:

sudo gpasswd -A tom accounts

How To Remove A Group Password

You can remove the password from a group by using the following command:

sudo gpasswd -r accounts
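To see which groups currently have a password, are restricted, or have administrators, you can read the shadow group file. The following is an added example, not part of the original guide: it assumes the gshadow field layout name:password:administrators:members, the function names are illustrative, and the sample lines (including the hash) are constructed.

```shell
#!/bin/sh
# Added example: classify groups in a gshadow-format file by how newgrp
# access is controlled. Fields: name:password:administrators:members

# audit_gshadow FILE  (the real /etc/gshadow is readable only by root)
audit_gshadow() {
    awk -F: '
        NF < 4 { next }                        # skip malformed lines
        {
            if ($2 == "")
                state = "members-only"         # empty, as left by gpasswd -r
            else if ($2 ~ /^[!*]/)
                state = "restricted"           # no password matches; -R sets !
            else
                state = "PASSWORD-SET"         # newgrp accepts the password
            admins = ($3 == "") ? "-" : $3     # set with gpasswd -A
            printf "%s %s admins=%s\n", $1, state, admins
        }
    ' "$1"
}

# Groups a non-member could join by knowing the password: review these.
groups_with_password() {
    audit_gshadow "$1" | awk '$2 == "PASSWORD-SET" { print $1 }'
}

# Constructed sample data; the hash is a made-up placeholder.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
accounts:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:tom:yourname,tom,tim
payroll:!::tim
staff:::yourname
backup:*::
EOF

audit_gshadow "$sample"
echo "groups to review: $(groups_with_password "$sample")"
```

On a real system, run it as `sudo sh script.sh` with the function pointed at /etc/gshadow instead of the sample file.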

How To Delete A User From The Group

To delete a user from the group run the following command:

sudo gpasswd -d tom accounts

How To Give A Group Read, Write And Execute Permissions On A File Or Folder

Up until now users within the accounts group have had access to the accounts folder, but they can't really do anything because they only have read and execute permissions.

To provide write permissions to the group you can run the following command:

sudo chmod g+w accounts

Summary

This guide has introduced a few commands to help you to set up permissions on your Linux system. You can also use the useradd command to set up users and group users.