Charly's Column – User Groups

Most people know that every user on a Linux system is also a member of at least one user group. Today we want to look into the three most frequently asked questions about groups: Which groups exist, how many members does a group have and who are those members, and to what groups does a specific user belong?

First off, let's find out which groups exist on our system. There are several ways to do this. One of them is to use the groups command without further parameters; another one is provided by compgen -g. The getent group (Listing 1, line 1) and cat /etc/group commands also return the same result, with some additional information, including the group password. There is usually an x here, which means that /etc/gshadow takes care of that. This is followed by the numeric group ID and a comma-separated list of members.

01 $ getent group
02 root:x:0:
03 daemon:x:1:
04 sys:x:3:
05 admin:x:4:syslog,charly
06 [...]
07 $ sudo apt install libuser
08 $ sudo libuser-lid -g adm
09   syslog(uid=104)
10   charly(uid=1000)
11 $ groups charly
12 charly : charly adm cdrom sudo dip plugdev lxd lpadmin sambashare
13 $ id charly
14 uid=1000(charly) gid=1000(charly) groups=1000(charly),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
15 $ grep charly /etc/group | awk -F: '{ print $1 }'
16 adm
17 cdrom
18 sudo
19 dip
20 plugdev
21 lxd
22 charly
23 lpadmin
24 sambashare
25 $ grep charly /etc/group | cut -f1 -d:
26 [...]

The next thing is to find out which members belong to a group. In principle, we have already done this, because the getent group and cat /etc/group commands provide this information as well.

Often, however, you need the information to process it in a program. It would be good if you didn't have to disassemble the strings using awk or cut. A list with one username per line would be far easier to handle. To generate such a list, I first install the libuser package (line 7). Now I have the libuser-lid command at my disposal, but I have to call it with sudo (line 8). The numerical user ID also appears in the output of the command. If desired, this can be disabled with the -n parameter.

Finally, the whole thing in reverse gear: Now I want to know the groups to which a certain user belongs, for example charly. This can be done quickly and easily with the groups charly command (line 11). If you need more information, the id charly command (line 13) will provide it. This output also shows the numerical IDs.

Here, too, a list would be the object of desire, with one group name per line. I don't know of a native command for this, but awk helps reliably (line 15) and returns the desired listing. If the awk syntax seems too unwieldy, just use cut instead (line 25) for identical results. Many roads lead to Rome here.

The Author

Charly Kühnast manages Unix systems in a data center in the Lower Rhine region of Germany. His responsibilities include ensuring the security and availability of firewalls and the DMZ.