Introduction
In Unix operating systems, permission management is based on the combination of users and groups. Each process, file or device has an associated owner (user) and a group, which together determine who can read, write or execute it. Knowing which groups a user belongs to is the first step in diagnosing access problems, adjusting privileges and maintaining system security.
What exactly does the groups command do?
The groups command is one of the basic utilities in GNU coreutils. It prints to standard output the list of groups to which a specified user belongs or, if no name is given, those of the user running the command. The output consists of group names separated by spaces, which makes it easy to process with tools such as awk, sed or cut.
Syntax and options
The simplest way is:
groups [user]
There are no long or short options that change its behavior; the command ignores any additional arguments beyond the user name. If more than one name is provided, it shows the list for each on a separate line.
Examples of daily use
- See the current user's groups:
groups
- See the groups of the user juan:
groups juan
- Get the list separated by commas:
groups juan | tr ' ' ','
- Query several users at once:
groups juan ana carlos
Primary and supplementary groups
In Linux each user has a primary group (also called the login group), which is set in the corresponding field of the file /etc/passwd. In addition, the user may belong to zero or more supplementary groups, listed in /etc/group. The groups command shows both the primary and the supplementary groups without explicitly distinguishing them. To see only the primary group, use id -gn usuario, while id -G usuario lists all the numeric IDs.
Where group information is stored
The fundamental files are:
- /etc/passwd: contains one line per user; the fourth field is the ID of the primary group.
- /etc/group: contains one line per group; the fourth field lists the users who are supplementary members.
- In environments with directory services such as NIS, LDAP or Samba, the information can come from those repositories and is queried with getent.
To check where the information comes from, you can use:
getent group name_of_group
If the output comes from /etc/group and also from LDAP, getent shows all the matches.
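The lookup described in the last two sections, as an added example that is not part of the original page: a shell function that reads passwd-format and group-format files and reports a user's primary and supplementary groups separately, which groups itself does not do. The function name user_groups, the temporary files and the accounts in them are constructed for illustration.

```bash
# Added example: resolve a user's groups from passwd/group-format files.
# usage:  user_groups USER PASSWD_FILE GROUP_FILE
# prints: primary=<name> supplementary=<comma list, or "-" if none>
user_groups() {
    awk -F: -v user="$1" '
        # passwd format: field 1 is the login name, field 4 the primary GID.
        FILENAME == ARGV[1] { if ($1 == user) { gid = $4; found = 1 }; next }
        # group format: field 3 is the GID, field 4 the supplementary members.
        {
            if (found && $3 == gid) primary = $1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == user && $3 != gid)
                    supp = supp (supp == "" ? "" : ",") $1
        }
        END {
            if (!found) { print "user not found: " user > "/dev/stderr"; exit 1 }
            # A primary GID with no matching group line is shown numerically.
            if (primary == "") primary = gid
            print "primary=" primary " supplementary=" (supp == "" ? "-" : supp)
        }
    ' "$2" "$3"
}

# Constructed sample data in the /etc/passwd and /etc/group layouts.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
juan:x:1000:1000:Juan:/home/juan:/bin/bash
ana:x:1001:1001:Ana:/home/ana:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
sudo:x:27:juan
docker:x:990:juan,ana
juan:x:1000:
ana:x:1001:
backup:x:34:
EOF

user_groups juan "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```
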
Combining groups with other commands
Although groups is sufficient for a quick view, it is often combined with other utilities to get more detail or for use in scripts:
- id -nG usuario returns only the names of the groups, equivalent to groups usuario but with a more predictable format for scripting.
- groups usuario | wc -w tells how many groups the user has.
- grep -E "^nombre_del_grupo:" /etc/group shows the full line of the group in /etc/group.
- In an audit script:
#!/bin/bash
# List every account in /etc/passwd with its groups, comma-separated.
for u in $(cut -d: -f1 /etc/passwd); do
    echo -n "$u: "
    groups "$u" | tr ' ' ','
done
Modifying group membership
The groups command only displays information; to change membership, use:
- usermod -aG grupo usuario: adds the user to the indicated supplementary group (the -a modifier ensures that existing groups are not removed).
- gpasswd -d usuario grupo: removes the user from the specified group.
- newgrp grupo: starts a new shell with the specified group as the effective primary group, useful for testing permissions without closing the session.
After running usermod or gpasswd, the user should start a new login session (or use su -) so that the changes are visible in groups.
Good practices and security considerations
- Avoid assigning users to privileged groups such as root, wheel or sudo without a documented justification.
- Review the output of groups for service accounts and ensure that they have only the groups necessary for their function.
- Use groups in combination with sudo -l to see which commands a user can run according to their group membership.
- On systems with external authentication, check that groups come from the expected source using getent group and id.
- Document changes in group membership in a change log or with configuration management tools such as Ansible or Puppet.
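One way to turn the first two checks into a repeatable audit, as an added example that is not part of the original page: it lists every account in the privileged groups named above, including accounts that hold such a group as their primary GID and therefore never appear in that group's member list. The function name privileged_members, the sample files and the svc_backup account are constructed for illustration; the root account itself is skipped.

```bash
# Added example: report who holds a privileged group, and by which route.
# usage:  privileged_members "root,wheel,sudo" PASSWD_FILE GROUP_FILE
# prints: one "<group> <user> <primary|supplementary>" line per finding
privileged_members() {
    awk -F: -v list="$1" '
        BEGIN { n = split(list, w, ","); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        # group format (read first): remember watched GIDs, report listed members.
        FILENAME == ARGV[1] {
            if (!($1 in watch)) next
            gidname[$3] = $1
            k = split($4, m, ",")
            for (i = 1; i <= k; i++) print $1, m[i], "supplementary"
            next
        }
        # passwd format: field 4 is the primary GID, which the member list
        # in the group file does not show.
        ($4 in gidname) && $1 != "root" { print gidname[$4], $1, "primary" }
    ' "$3" "$2" | sort
}

# Constructed sample data in the /etc/passwd and /etc/group layouts.
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
juan:x:1000:1000:Juan:/home/juan:/bin/bash
ana:x:1001:1001:Ana:/home/ana:/bin/bash
svc_backup:x:998:27:Backup job:/var/backups:/usr/sbin/nologin
EOF
cat > "$AUDIT_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:
sudo:x:27:juan
docker:x:990:juan,ana
juan:x:1000:
ana:x:1001:
EOF

privileged_members "root,wheel,sudo" "$AUDIT_DIR/passwd" "$AUDIT_DIR/group"
```

In the sample, svc_backup is reported only because its passwd entry carries GID 27; the sudo line in the group file lists juan alone.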
Troubleshooting common problems
- The user does not see a group they should have: Check that a new session was started after the membership change; changes do not apply to existing sessions.
- Empty output, or only the user name is displayed: This can indicate that the user has no supplementary groups and that the primary group is not shown because of a PAM configuration; use id -gn to confirm the primary group.
- Discrepancy between groups and id: id queries the process credentials directly, while groups reads the text files; if network services such as LDAP are used, make sure the nscd or sssd daemon is up to date.
- "User not found" error message: Check the spelling of the user name and confirm that it exists in /etc/passwd or in the configured directory.
Conclusion
The groups command is an essential tool for any Linux system administrator. Its simplicity lets you quickly obtain a user's group list, which is essential for permission management, security audits and task automation. Combined with other utilities such as id, getent and usermod, it is part of the basic set of commands that every professional must master to maintain a safe and efficient environment.


