What is the purpose of the group named "users"?

On my Ubuntu a group "users" with id 100 exists. But it has no members at all. My questions are:

  • What is the purpose of this group?
  • Should each user of the system become a member of this group?

Ubuntu is based on Debian, and the users follow the same philosophy. I therefor quote Debians explanation of System Groups:

users: While Debian systems use the private user group system by default (each user has their own group), some prefer to use a more traditional group system, in which each user is a member of this group.

It's not used on Ubuntu (and Debian), but it's kept there in case administrators of the system wish to use it. It effectively ensures that it will have the same GID on all systems, which is not the case if it is created locally.

It is not necessary to make users member of users on a standard Ubuntu installation. In some cases and settings it may be convenient to have all users belong to a common usergroup.


Because the "user id" concept was originally intended for accounting, more than security, and not every "user" account means something that can potentially eat a cheeseburger. The group "users" is intended to designate user identities that do, in fact, map to real people. As a simple example, on many UNIX-based graphical workstations, the login screen will not show every user account in /etc/passwd, but instead only those in the "users" group (or perhaps some even tighter compartment).

Consider the Apache Web Server. On many systems, this runs as the "user" 'httpd'. However, obviously, we don't expect anyone to log in as this user. In the classic accounting sense, we don't want to bill any normal user for the CPU time used by the system web server. In the later security sense, the web server shouldn't be able to do the complete set of things that a logged in user can.

These days, we have SELINUX and access control lists and any number of other concepts that give us more flexible ways to lock things down. But the basic idea is still to make something user-like that has fewer-- or at least, different-- permissions than a logged in user.

Now, on to the next part of your question: why is the users group blank?

Because you have your very own group instead. If you add an account for your friend to that machine, they will get their own group, too. However, they won't get any special permissions you've added to your own group. With the "users" group approach, assuming they were a member of that group, all of your enhancements and restrictions to that group would come along for the ride for the new account.

For a practical example, if you install Oracle VirtualBox, you will probably have to add a group "vboxusers" that will give you access to the special devices in /dev that let VirtualBox accelerate certain devices and pass through others. Likewise for Wireshark, if you use that.

For systems that create new groups for each user, there is typically a template that is used for the new group.