How To Create Groups In Linux

A group in Linux is a way to bunch users together so that they’re easier to manage in one place. The easiest way to demonstrate the power of groups is to show how we can manage their permissions in one go. But you can do more than just manage permissions. With special “control groups”, you can also control their access to system resources like CPU cycles and disk storage.

Below, we’ll first see how to create groups and add users, and then see how we can use groups to ease system administration.

Creating Groups in Linux

To create a group in Linux, we just use the command:

sudo groupadd projectteam

The above command creates a group called “projectteam” and as the name indicates, we want to include all the members of a given project in it. For now, that’s all you need to do to create a group in Linux. It’s empty since we haven’t added any users to the list.

Adding Users to the Group

Now that we’ve created the container, we should start adding users to the group. It helps if you have a list of all existing users to start with, so you don’t have to worry about things like spelling mistakes, or remembering what the usernames are of your team members. To do this, use the following command:

awk -F: '$3 >= 1000 {print $1}' /etc/passwd

The “/etc/passwd” directory contains a list of all users on the system, but most of them are system accounts and not real users. So to extract the list of real users, we use the awk command to extract the third field of the awk command and show it if the User ID is greater than 1000. Generally, User IDs in Linux are reserved for real users, so this is an easy filter to set. You can get an idea of how powerful the “awk” tool is for this purpose, which is why I wrote a separate article on how to use awk properly.

On my system, using the above command gives me the following:

I created a bunch of new users for this tutorial by using the command:

sudo useradd user1
sudo useradd user2
sudo useradd user3
sudo useradd user4
sudo useradd user5

To add these users to the new group, we use the following command:

sudo usermod -aG projectteam user1
sudo usermod -aG projectteam user2
sudo usermod -aG projectteam user3
sudo usermod -aG projectteam user4
sudo usermod -aG projectteam user5

The “usermod” command is the tool to add users to the group. The syntax is self-explanatory, except for the “-aG”. The “-a” flag means that we want to add the user to the group while retaining their membership in all other groups. It stands for “append”. Without this, when you assign a user to a group, all previous group memberships are revoked, which is not what we want.

The “-G” stands for “Group”, and it’s followed by the name of the group. Finally, we have the username at the end.

Once all these users are added to the group, we can see a group’s membership using the following command:

getent group projectteam

“getent” is a tool that allows us to access various system databases with a key. So in the above command, we’re accessing the “group” database using the group name as the database key. The output of the above command is:

While the output might be a bit strange, it’s easy to see that the five users we added to the group are indeed now a part of it.

Managing User Groups in Linux

To maintain a list of users in a group, we need to be able to remove them and verify their membership. Both are easy.

To verify the membership of a user in a group, use this:

groups user3

This will show you a list of groups of which “user3” is a member. Easy!

To remove a user from a group, we use the following:

sudo gpasswd -d user3 projectteam

This will give the message “Removing user user3 from group projectteam”.

Finally, you can delete the entire group using the command:

sudo groupdel projectteam

Assigning Permissions to Groups

The biggest benefit of a group is that you can assign permissions to a list of users without needing to make the changes to every user. Likewise, you can remove a user from a group and they lose all the permissions they obtained as a result of that group membership. A simple example would be the members of a project team, where you assign them access to a folder to them and only them.

Let’s see a simple example. Imagine we have a group – “projectteam” and the project files like in the following folder: /home/shared/project_docs. Here’s how we can make things work.

The first step is to change the group ownership of the directory and set it to our group:

sudo chown :projectteam /home/shared/project_docs

The above command will allow all members of “projectteam” to access the folder. The next step is to allow access to only this group:

sudo chmod 770 /home/shared/project_docs

The “770” permission set allows the owner and group to have read, write, and execute permissions but allows no other users to do anything else. In this way, you can have a folder that’s usable only by the members of a certain project.

Managing Resources Using Groups in Linux (Older Systems)

On older systems before systemd, you could use groups to manage system resources as well.

While most of the use-cases for groups involve managing permissions collectively, you can also use them to manage resources and restrict the CPU cycles or disk space that a group uses. However, this makes use of a different kind of group compared to regular groups. Specifically, it requires control groups. Let’s see how it works.

Let’s say we want to create a group and assign members to it such that you don’t want the members of that group using more than, say, 50% of the CPU cycles at any given time. Crucially, processes can be part of control groups directly, whereas regular groups, inherit the permissions of the user who created the process.

First, we need to install the cgroup-tools package, which isn’t installed on many Ubuntu installations by default.

sudo apt install cgroup-tools

Now we have access to the required tools. To create a control group for CPU activity, we use the following command:

sudo cgcreate -g cpu:/limitedgroup

When the group is created, we can use the following command to limit it to 50% of the CPU time:

sudo cgset -r cpu.shares=512 limitedgroup

Here, “512” is half of “1024”, which is how we specify CPU usage percentages.

Modern Systems Use systemd Instead

Unfortunately, the above commands don’t work for modern systems that use systemd. We can also use systemd to configure resource sharing, but we no longer do so via groups. Instead, systemd uses the concept of “slices”, which are separate. Since we’re only referring to groups here, I won’t talk about slices.

Conclusion

As you can see, managing groups in Linux is easy. Groups are used to manage permissions for a list of users simultaneously, making it easy to create shared folders that are accessible only to specific members.