/etc/passwd shows user in a group, but /etc/group does not

linux groups passwd

I want to verify that the user account filesender_1 is a member of the group valid_senders.

When I look at /etc/group, filesender_1 is not there:

valid_senders:x:12345:production_1

I read this as "production_1 is the only member of the group valid_senders, whose group id is 12345."

However:

When I look at /etc/passwd, the group id for valid_senders is listed for filesender_1 ...

filesender_1:x:1515:12345:filesender_1:/local/home/filesender_1:/bin/sh

... so I know valid_senders is the primary group for filesender_1.

Is this a surprising discrepancy, or is it normal for /etc/group to list only members where the group is secondary?


Yes, this discrepancy is normal. I've seen it so many times I stopped looking at the /etc/passwd and /etc/group files and instead started looking at group memberships the way they should be looked at: getent group <groupname> and groups <username>.


Yes, there is a difference between the primary and supplementary groups. The primary group is the main one shown in /etc/passwd, that a user is in upon login. For a user to be in a supplementary group, their user name is added to the group entry in /etc/group. If you use id -a <user>, it will show the primary and the supplementary groups. The supplementary groups give access to resources, but any new files are created with primary group.

You can change a users currently active primary group using the newgrp command.

It is not necessary for a user to have the primary group also be a secondary group. All it will do is reduce the number of secondary groups a user can be part of. Traditionally a user was limited to 32 secondary groups, but that may have changed in recent years.

usermod can set a users primary and supplementary groups in one command. Using a configuration management tool like puppet can also do that without having to worry about what specific command is necessary on different types of unixes.


There exists a program called members you can install on most linux distros that lists the actual members of a group whether it is their primary group or a supplementary group.

Typically, when a user is created without specifying a group with -g or --gid, the default behavior is to set their primary group as their username, and this gid is not placed in the /etc/group file. Hence files and directories created by the user joe will have ownership joe:joe. But you will not find group 'joe' in the /etc/group file.

If you add the user joe to group 'students', then running 

getent group students

will show joe in the list of users in group students.

Running the program 

members <groupname>

on a group will show users who are members, either primary or supplementary, of groupname.

Related

SSH: Safe for client to host private RSA key?
Linux SSH Timeout [closed]
Connect to switch's console port through ethernet patch panel
Exiting SSH sessions suddenly killing Apache
Vmware host time drift
What is LDAP?
Remote Desktop 100% through browser?
What are the main differences between SRV records and TXT records?
Apache mod_remoteip and access logs
Use Powershell to start a GUI program on a remote machine
Why are users created on the domain controller always part of the domain?
Which tool should I trust, mii-tool and ethtool don't show me the same values