I want to verify that the user account filesender_1 is a member of the group valid_senders.
When I look at /etc/group, filesender_1 is not there:
valid_senders:x:12345:production_1
I read this as "production_1 is the only member of the group valid_senders, whose group id is 12345."
However:
When I look at /etc/passwd, the group id for valid_senders is listed for filesender_1 ...
filesender_1:x:1515:12345:filesender_1:/local/home/filesender_1:/bin/sh
... so I know valid_senders is the primary group for filesender_1.
Is this a surprising discrepancy, or is it normal for /etc/group to list only members where the group is secondary?
Yes, there is a difference between the primary and supplementary groups. The primary group is the main one shown in /etc/passwd, that a user is in upon login. For a user to be in a supplementary group, their user name is added to the group entry in /etc/group. If you use id -a <user>, it will show the primary and the supplementary groups. The supplementary groups give access to resources, but any new files are created with the primary group.
You can change a user's currently active primary group using the newgrp command.
It is not necessary for a user to have the primary group also be a secondary group. All it will do is reduce the number of secondary groups a user can be part of. Traditionally a user was limited to 32 secondary groups, but that may have changed in recent years.
usermod can set a user's primary and supplementary groups in one command. Using a configuration management tool like Puppet can also do that without having to worry about what specific command is necessary on different types of unixes.
Yes, this discrepancy is normal. I've seen it so many times I stopped looking at the /etc/passwd and /etc/group files and instead started looking at group memberships the way they should be looked at: getent group <groupname> and groups <username>.
There exists a program called members you can install on most Linux distros that lists the actual members of a group whether it is their primary group or a supplementary group.
Typically, when a user is created without specifying a group with -g or --gid, the default behavior is to set their primary group as their username, and this gid is not placed in the /etc/group file. Hence files and directories created by the user joe will have ownership joe:joe. But you will not find group 'joe' in the /etc/group file.
If you add the user joe to group 'students', then running
will show joe in the list of users in group students.
Running the program
on a group will show users who are members, either primary or supplementary, of groupname.
Generally speaking, system administrators should add the user to their primary group's member list in /etc/group because the getpwent() family of system calls will remove duplicates when called. Programs aren't supposed to read /etc/group or /etc/passwd directly, they are supposed to use the system calls. All this has been true for at least 20 years now, and probably much longer.
You should use lid -g <group>
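The primary/supplementary split discussed in the answers above, as an added example that is not part of the original question or any answer: it resolves a group's full membership from both the passwd GID field and the group member list, which is what an access review of valid_senders needs. The function names are this example's own, and the production_1 passwd entry is constructed because the page does not show it.

```python
import grp
import pwd

# The group line and the filesender_1 line are from the question; the
# production_1 passwd entry is constructed (its uid/gid are made up).
SAMPLE_GROUP = "valid_senders:x:12345:production_1\n"
SAMPLE_PASSWD = (
    "filesender_1:x:1515:12345:filesender_1:/local/home/filesender_1:/bin/sh\n"
    "production_1:x:1600:1600:production_1:/local/home/production_1:/bin/sh\n"
)


def parse_records(text, nfields):
    """Yield colon-separated records, skipping blanks, comments and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == nfields:
            yield fields


def group_members(group_name, passwd_text, group_text):
    """Return (primary, supplementary) sets of user names for group_name."""
    for name, _pw, gid, members in parse_records(group_text, 4):
        if name == group_name:
            supplementary = {m for m in members.split(",") if m}
            break
    else:
        raise KeyError(f"no such group: {group_name}")
    # Primary members never appear in the group line; they are found by
    # matching the fourth passwd field against the group's GID.
    primary = {f[0] for f in parse_records(passwd_text, 7) if f[3] == gid}
    return primary, supplementary


def live_group_members(group_name):
    """Same lookup on the running system through NSS instead of the flat files."""
    entry = grp.getgrnam(group_name)
    # getpwall() only sees directory-backed users if enumeration is enabled.
    primary = {p.pw_name for p in pwd.getpwall() if p.pw_gid == entry.gr_gid}
    return primary, set(entry.gr_mem)


if __name__ == "__main__":
    primary, supplementary = group_members("valid_senders", SAMPLE_PASSWD, SAMPLE_GROUP)
    print("primary:", sorted(primary))
    print("supplementary:", sorted(supplementary))
    print("all members:", sorted(primary | supplementary))
```

On the sample data, filesender_1 shows up only as a primary member and production_1 only as a supplementary one, so a review that reads the group line alone would miss filesender_1.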