/etc/passwd shows user in a group, but /etc/group does not
I want to verify that the user account filesender_1 is a member of the group valid_senders.
When I look at /etc/group, filesender_1 is not there:
valid_senders:x:12345:production_1
I read this as "production_1 is the only member of the group valid_senders, whose group id is 12345."
However:
When I look at /etc/passwd, the group id for valid_senders is listed for filesender_1 ...
filesender_1:x:1515:12345:filesender_1:/local/home/filesender_1:/bin/sh
... so I know valid_senders is the primary group for filesender_1.
Is this a surprising discrepancy, or is it normal for /etc/group to list only members where the group is secondary?
Yes, this discrepancy is normal. I've seen it so many times I stopped looking at the /etc/passwd and /etc/group files and instead started looking at group memberships the way they should be looked at: getent group <groupname> and groups <username>.
Yes, there is a difference between the primary and supplementary groups. The primary group is the main one shown in /etc/passwd, that a user is in upon login. For a user to be in a supplementary group, their user name is added to the group entry in /etc/group. If you use id -a <user>, it will show the primary and the supplementary groups. The supplementary groups give access to resources, but any new files are created with the primary group.
You can change a user's currently active primary group using the newgrp command.
It is not necessary for a user to have the primary group also be a secondary group. All it will do is reduce the number of secondary groups a user can be part of. Traditionally a user was limited to 32 secondary groups, but that may have changed in recent years.
usermod can set a user's primary and supplementary groups in one command. Using a configuration management tool like Puppet can also do that without having to worry about what specific command is necessary on different types of Unixes.
There exists a program called members you can install on most Linux distros that lists the actual members of a group, whether it is their primary group or a supplementary group.
Typically, when a user is created without specifying a group with -g or --gid, the default behavior is to set their primary group as their username, and this gid is not placed in the /etc/group file. Hence files and directories created by the user joe will have ownership joe:joe. But you will not find group 'joe' in the /etc/group file.
If you add the user joe to group 'students', then running
getent group students
will show joe in the list of users in group students.
Running the program
members <groupname>
on a group will show users who are members, either primary or supplementary, of groupname.
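The rule the answers describe (primary membership is the GID field of /etc/passwd, supplementary membership is the fourth field of /etc/group) can be checked with a short shell function. This is an added example, not part of any answer above; the names group_members and demo and the optional file arguments are assumptions made for this illustration, and the sample files are constructed from the two lines quoted in the question.

```sh
#!/bin/sh
# List every account in a group, primary or supplementary.
# Usage: group_members GROUP [PASSWD_FILE GROUP_FILE]
# Without file arguments the data comes from getent, so non-file NSS
# sources are included (a directory service that disables enumeration
# will not list all of its accounts this way).
group_members() {
    grp=$1
    if [ -n "$2" ] && [ -n "$3" ]; then
        passwd_data=$(cat "$2")
        group_data=$(cat "$3")
    else
        passwd_data=$(getent passwd)
        group_data=$(getent group)
    fi
    # Exact match on the group name (field 1); first hit wins.
    entry=$(printf '%s\n' "$group_data" |
        awk -F: -v g="$grp" '$1 == g { print; exit }')
    [ -n "$entry" ] || { echo "no such group: $grp" >&2; return 1; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    {
        # Supplementary members: comma-separated 4th field of the group entry.
        printf '%s\n' "$entry" | cut -d: -f4 | tr ',' '\n'
        # Primary members: passwd entries whose 4th field is this GID.
        printf '%s\n' "$passwd_data" |
            awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sed '/^$/d' | sort -u
}

# Constructed sample: the passwd and group lines quoted in the question.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'filesender_1:x:1515:12345:filesender_1:/local/home/filesender_1:/bin/sh' \
        > "$tmp/passwd"
    printf '%s\n' 'valid_senders:x:12345:production_1' > "$tmp/group"
    group_members valid_senders "$tmp/passwd" "$tmp/group"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

For an access review, comparing this output against the member list in /etc/group alone shows which accounts hold the group only through their primary GID.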