How to Add a User to a Group in Linux (With Examples)

Add a User to a Group in Linux

In this tutorial, we’ll examine adding users to groups. Bash shell commands are powerful tools for achieving specific needs. Groups are an effective way to share and protect information. File permissions in Linux let you set access rights for the owning user, the owning group, and everyone else. Groups are also a good way to manage which users can gain root permissions.

Let’s dig into that.

Adding a user with a group (wheel)

You’ve on-boarded a new admin, and you need to make them an administrator on a file server. The useradd command is a simple and robust tool for adding users. It allows you to add a user and assign them to a group.

NAME
       useradd - create a new user or update default new user information

SYNOPSIS
       useradd [options] LOGIN

Those are the basics from the useradd man page, so let’s start from the top by adding our new users, Admin Bob and Admin Jane.

Common options for useradd

-c, --comment COMMENT
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]]

Those are our two primary options. Now let’s add Bob.

[root@linuxscrew ec2-user]# useradd -c "USA/CO/Denver Office" Admin.Bob

And let’s add Jane.

[root@linuxscrew ec2-user]# useradd -c "USA/CO/Denver Office" Admin.Jane -G wheel

Now, we know that Bob is an admin and will need administrative rights. But sometimes, you may not know, or you simply may have forgotten. So we’ll need to add him to a group later.

Jane is already added to wheel. The wheel group is built into most Linux systems. It is the default group that allows privilege escalation.

[Admin.Jane@linuxscrew ec2-user]$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for Admin.Jane: 
Sorry, try again.

Speaking of forgotten steps, it looks like we forgot to set a password. I do not recommend setting a password with the useradd command. Instead, remember to follow up with the passwd command. passwd prompts for the password without echoing it, so it won’t be stored in shell history. Or, you can use read -sp to read a password into a shell variable without echoing it.

[root@linuxscrew ec2-user]# passwd Admin.Jane
Changing password for user Admin.Jane.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@linuxscrew ec2-user]# su Admin.Jane
[Admin.Jane@linuxscrew ec2-user]$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for Admin.Jane: 
[root@linuxscrew ec2-user]#

And there we go. One user added with a group, wheel. No group commands needed. If we needed to add Jane to multiple groups initially:

[root@linuxscrew ec2-user]# useradd Admin.Jane -G wheel,ec2-users
[root@linuxscrew ec2-user]# passwd Admin.Jane
[root@linuxscrew ec2-user]# su Admin.Jane
[Admin.Jane@linuxscrew ec2-user]$ groups
Admin.Jane wheel ec2-users
[Admin.Jane@linuxscrew ec2-user]$

And there we go. Admin.Jane belongs to her own user group, wheel for sudo access, and the ec2-users group.

But what about Bob? Since Bob was created without group access to wheel, we’ll need to use a different command.

Adding a user to a group

We added Bob as an Admin user without Admin rights. Let’s fix that with groupmems.

Common options for groupmems

SYNOPSIS
       groupmems -a user_name | -d user_name | [-g group_name] | -l | -p

OPTIONS
       The options which apply to the groupmems command are:

       -a, --add user_name
           Add an user to the group membership list.

           If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.

       -d, --delete user_name
           Delete a user from the group membership list.

           If the /etc/gshadow file exist, the user will be removed from the list of members and administrators of the group.

           If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.

       -g, --group group_name
           The superuser can specify which group membership list to modify.

       -h, --help
           Display help message and exit.

       -l, --list
           List the group membership list.

Let’s start with getting a list of members in the group, wheel.

[root@linuxscrew ec2-user]# getent group wheel
wheel:x:10:ec2-user,samberry,Admin.Steve,Admin.Jane

We know that Bob isn’t there, so let’s add Bob.

[root@linuxscrew ec2-user]# groupmems -a Admin.Bob -g wheel
[root@linuxscrew ec2-user]# groupmems -g wheel -l
ec2-user  samberry  Admin.Steve  Admin.Jane  Admin.Bob

There we go. Admin.Bob is now a member of wheel, and we verified it with the groupmems -l, --list option.

Those are the basics of group management on Linux. On a home installation of Linux, you’ll likely see adm as the default group instead of wheel.

root@pop-os:/home/samuelberry# groupmems -g adm -l
syslog  samuelberry

If you’re curious, check your /etc/sudoers configuration file to find out which you have.

root@pop-os:/home/samuelberry# cat /etc/sudoers
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

[samberry@linuxscrew ec2-user]$ cat /etc/sudoers
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
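
The sudoers check described above, as an added example that is not part of the original article: a small shell script that lists the groups a sudoers file actually grants rights to, whether each rule is NOPASSWD, and who belongs to each group. The sample files are constructed from the output shown on this page; the sudo group entry, the adm and sudo GIDs, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): report which groups a sudoers file
# grants rights to and who belongs to them. Sample data is constructed.

# Print "group mode" for each active %group rule; mode flags NOPASSWD rules.
# Does not follow include directives or handle %#gid entries.
sudo_groups() {
    awk '
        /^[ \t]*#/ { next }            # comments, e.g. the disabled NOPASSWD rule
        $1 ~ /^%/ {
            mode = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password"
            print substr($1, 2), mode
        }' "$1"
}

# Print the supplementary members of group $1 from a group(5)-format file $2
# (the format getent group prints). Users whose primary group it is are not listed.
group_members() {
    awk -F: -v g="$1" '$1 == g { gsub(/,/, " ", $4); print $4 }' "$2"
}

# One line per sudo-granting group: "group (mode): members".
audit_sudo_groups() {
    sudo_groups "$1" | while read -r grp mode; do
        members=$(group_members "$grp" "$2")
        printf '%s (%s): %s\n' "$grp" "$mode" "${members:-<no members listed>}"
    done
}

# Constructed sample files modelled on the output shown above.
SUDOERS_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
trap 'rm -f "$SUDOERS_SAMPLE" "$GROUP_SAMPLE"' EXIT
cat > "$SUDOERS_SAMPLE" <<'EOF'
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
%sudo   ALL=(ALL:ALL) ALL
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
wheel:x:10:ec2-user,samberry,Admin.Steve,Admin.Jane,Admin.Bob
adm:x:4:syslog,samuelberry
sudo:x:27:samuelberry
EOF

audit_sudo_groups "$SUDOERS_SAMPLE" "$GROUP_SAMPLE"
```

To run it against a real host, save the output of getent group to a file and pass that together with /etc/sudoers (readable as root) to audit_sudo_groups. Groups that appear in the group file but not in the report, such as adm in the sample, are not named by any active sudoers rule.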

You may have noticed, we added the users into an EC2 instance. Next week as part of user/group management I’ll walk through adding users to Linux instances via EC2.


Samuel Berry

I'm a writer, in the sense that there are words written and things needing explaining. Years of schooling, running on twelve now, taught me one thing, I like taking the complicated down to complex. So, I'm writing about Linux. One of those things that starts as complicated, and after a few years turns into complex. Until the next new thing rolls out anyways. Working in IT, I learned advocating for your product is the only way to ensure adoption. Providing user manuals, pictures, diagrams, and everything else possible to our community. That's what builds the "user-friendly" experience. Not only design, but inclusion. Talk to me about Linux, I'm here to learn by teaching.
