Manage Linux user groups
This article covers the basics of managing user groups on a Linux® server.
Prerequisites
You need to have the following prerequisites:
- Basic understanding of Secure Shell (SSH®)
- Sudo or administrative access to your server
- A Cloud Server running supported versions of Linux
- Basic knowledge of file and directory permissions on a Linux server
User groups
User groups in Linux allow a group of users specific access or permissions to directories or files on
the Linux operating system. This access depends on the group permissions for the file or directory.
Note: For more information on directory and file permissions, see
Changing Linux permissions.
The following example shows how group permissions affect a user's access.
drwxr-xr-x. 5 root root 4096 Jun 9 11:09 .
drwxr-xr-x. 3 root root 4096 Jun 9 11:03 ..
drwxr-xr-x. 2 root apache 4096 Jun 9 11:04 files
-rw-rw-r--. 1 root apache 0 Jun 9 11:09 somefile
drwxr-xr-x. 2 root apache 4096 Jun 9 11:04 test
drwxr-xr-x. 2 testuser apache 4096 Jun 9 11:04 websitefiles
The permissions for this directory indicate:
- The
testuseruser is the owner of the directory websitefiles. The owner hasrwx,
which translates to read, write, and execute on the directory. - The user,
apache, hasr-x, which means that they can read and execute on the directories. - The user,
apache, hasrw-rw-r--on the file somefile, which means they can read and write
to the file.
Directory versus file permissions
There are a few differences between directory and file permissions to consider when adding a user to a
group. For a file, read, write, and execute mean precisely that. The user can perform those tasks on a
file. However, in a directory, the permissions have the following meanings:
- Read: Allows a user to list the contents of a directory.
- Write: Allows a user to create new files or directories within the directory.
- Execute: Allows a user to traverse into the directory.
Supplemental groups
When you need a user to share the permissions associated with a group, you should add the user to the
associated group.
Consider the testuser user permissions:
# id testuser
uid=1002(testuser) gid=1002(testuser) groups=1002(testuser)
This output shows that the user has only their default groups and has not been assigned to any supplemental groups.
To give testuser access to the files directory, the user must be part of the apache
user group.
Note: Some users also create a separate group for their web developers that includes the apache user
so that the functionality of Apache® on the directory is not disabled.
Example: Add a user to a group
This example adds testuser to the apache group.
Check the group
First, check the apache group before making changes:
# getent group apache
apache:x:48:
You can see that no other users are part of the apache group.
Add testuser to group
testuser to groupTo add testuser to the group, run the following command from the terminal:
usermod -aG apache testuser
The flags -aG translates to append and groups. The use of -a ensures that you add the user
to a group rather than replacing their default group.
Verify
Now, if you view the groups for apache, you see testuser in the group.
# getent group apache
apache:x:48:testuser
If you view testuser, you can see the user now has the apache group.
# id testuser
uid=1002(testuser) gid=1002(testuser) groups=1002(testuser),48(apache)
The test user now has access to the group-level permissions for directories and files with a group
ownership of apache.
Syntax to add users to groups
Use the same process to add users to other groups with the following command:
usermod -aG <group> <user>
You can also add the user to multiple groups at once:
usermod -aG <group1>,<group2>,etc <user>
As long as the group to which you add the user has the appropriate permissions for the directory they
need to access, this operation gives the user the access they need to manage the files and directories.
Updated 5 months ago