February 2000

Group Management Utilities

UNIX systems, like any multi-user operating system, demand some form of information partitioning. There are many management tools to help administrators, but there are also the classic command-line tools for managing systems and, specifically, for managing groups of users.

The main tools one can use to manage groups are:

  • groupadd
  • groupmod
  • groupdel

Within the context of this column, all three will be examined followed by a set of examples.

The Commands and Utilities

The next section will take a close look at the syntax of each command and utility.

groupadd

Adding a group is relatively simple, but there are some rules to follow. First, the syntax:

groupadd -g gid -o group

The -g option specifies the group number (gid). The rules of thumb here are:

  • The gid should be greater than 99 (as 0-99 are reserved for the system)
  • The gid cannot be a negative number

Also, the gid must be unique unless the -o option is specified.

Following is some sample syntax from the example at the end of the column:

groupadd -g 201 ap

groupmod

Another relatively straightforward command, the syntax for groupmod is:

groupmod -g gid -o -n group-name group

The same restrictions that apply to groupadd also apply to groupmod. The -n option specifies that the named group is to be renamed to group-name. If this is a little fuzzy, do not worry; it will be addressed in the example section of this column.

Following is some sample syntax from the example at the end of the column:

groupmod -g 204 -n apr ap

groupdel

The most straightforward of the three is groupdel. The syntax is pretty basic:

groupdel group

Perhaps basic was an understatement? It removes the group ID from the system - period. There is a catch to this that will be discussed in the example section.

Following is some sample syntax from the example at the end of the column:

groupdel ad

An Example Group Management Session

For our examples, let us say we have the following scenario:

A new group called ap is to be installed; the number is not important. After installing the group, however, it is decided that ap is merging with ar and that the ad group is being removed.

The first thing we will do is create the new group ap:

groupadd -g 201 ap

Then we are told that ap is merging with ar, and the new group is going to be apr. The command syntax speaks for itself; we could take the following steps to make this happen:

groupmod -g 204 -n apr ap

then

groupmod -g 204 -o ar

First we modified the ap group to become the apr group with a different gid. Next we added the ar group to apr, but had to use the -o option to override the uniqueness check and force the gid of the apr group to be assigned to the former ar group. The ar entry keeps its own name, because groupmod will not rename a group to a name that is already in use. Now, why would we want to switch the gid? Why not just use one from either of the groups? I do this out of habit, to make sure no group has files that are unassigned lying around. After a certain period of time I will use the gids from ar and ap again.

Finally, the last part of the scenario: the ad group is being removed from this system and going to another one. Should we just run the following?

groupdel ad

I wouldn't, and here is why: any files lying around that belonged to the group will no longer have a valid gid, so when you perform long listings of files, numbers pop up instead of the group name. I prefer to keep a specific group around for assigning possible strays. The group's files might instead have been turned over to apr.
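
The check described above can be scripted so that a group is never deleted while it still owns files. This is an added example, not part of the original column; the function names and the gid 203 in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original column). Function names are hypothetical.
# Audits group ownership under a directory tree before a group is deleted.

# Print every path under DIR whose group owner is numeric GID (one filesystem only).
files_owned_by_gid() {
    find "$1" -xdev -group "$2" -print 2>/dev/null
}

# Print paths whose gid has no entry in the group database: the strays
# left behind when a group is deleted while it still owns files.
orphaned_files() {
    find "$1" -xdev -nogroup -print 2>/dev/null
}

# Succeed only if nothing under DIR is still owned by GID.
safe_to_delete() {
    [ -z "$(files_owned_by_gid "$1" "$2" | head -n 1)" ]
}

# Hand everything owned by OLD_GID under DIR to NEW_GROUP and print how many
# paths were changed. -h changes a symlink itself rather than its target.
# (The count assumes no newlines in file names.)
reassign_gid() {
    n=$(($(files_owned_by_gid "$1" "$2" | wc -l)))
    find "$1" -xdev -group "$2" -exec chgrp -h "$3" {} + || return 1
    echo "$n"
}

# Usage: script DIR OLD_GID NEW_GROUP, e.g. script /home 203 apr
# (203 is a made-up gid standing in for the ad group).
if [ "$#" -eq 3 ]; then
    moved=$(reassign_gid "$1" "$2" "$3") || exit 1
    echo "Reassigned $moved paths to $3"
    if safe_to_delete "$1" "$2"; then
        echo "gid $2 owns nothing under $1; groupdel can proceed"
    else
        echo "gid $2 still owns files under $1" >&2
        exit 1
    fi
fi
```

Running orphaned_files over the same tree after a deletion shows anything that was missed; a stray left under a numeric gid is silently inherited by whichever group is later created with that number.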

High level tools still have a place

For large infrastructures, you need something a bit more advanced than the tools this column has described. Managing upwards of a couple of thousand users can become somewhat difficult; for single system-wide group changes, however, the tools mentioned in this column fit the bill.
