groupadd Command : How to Create Groups in Linux

In this guide, you will learn how to create groups in Linux using the groupadd command.

Let’s first understand what a group is and what it is used for.

I will explain this topic to you with the help of an example.

Suppose you are a Linux administrator and are managing multiple users.

If a permission or policy has to be enforced for several users, applying it manually to each user is not practical, and it is not the right way to do it.

Therefore groups are used in such situations.

Create a new group and add to it the users to whom you want to apply the permissions.

Now you can apply permissions directly to that group and in this way, all members of that group will get that permission.

There are two types of groups in the Linux operating system.

  • Primary Group : When we create a new user, Linux automatically creates a primary group for that user. If you want, you can make any group the primary group of the user.

    In Linux, the user must be a member of a primary group.

    You may wonder why it is mandatory. Let me explain to you.

    Suppose a user is not a member of any primary group, in that situation if he creates a new file, which group will the file belong to?

    Obviously, you would not want a random group to be the owner of that file.

    Hence the user must be a member of a primary group.
  • Secondary Group (also known as Supplementary Group) : A user can be a member of multiple secondary groups, up to a maximum of 15.

Key features of groupadd command:

  • Create a New Group (both regular and system Group)
  • Can create a new Group with a Specific Group ID (GID)
  • Create a group with a non-unique GID
  • Force the command to ignore the "already exists" message
  • Create a group with an Unencrypted Password
  • Override the default values of /etc/login.defs

First of all, let’s focus on some of the most important options that we can use with the groupadd.

Options                    Explanation
-f, --force                Exit successfully if the group already exists and cancel -g if the GID is already used.
-g, --gid GID              Use GID for the new group
-K, --key KEY=VALUE        Override /etc/login.defs defaults
-o, --non-unique           Allow to create groups with duplicate (non-unique) GID
-p, --password PASSWORD    Create a group with Unencrypted Password
-r, --system               Create a system group
--help                     Display help page of groupadd Command.

Syntax:

You must follow the syntax given below to use the groupadd command.

groupadd [options] group

1. How to Create a New Group

To create a new group in Linux you can run the groupadd command.

Note: You have to run the groupadd command as a root user because upon running this command, it makes changes to the following important configuration files whose owner is root.

  • /etc/group
  • /etc/gshadow

Here in this example, I am creating a group named group1.

$ sudo groupadd group1

Run the following command to check whether a new group is created.

$ cat /etc/group | grep group1
group1:x:1001:

As soon as the group is successfully created, an entry for it is added to the /etc/group and /etc/gshadow files. It is very important for any administrator to understand these entries.

Let’s try to understand both these files.

Explaining /etc/group:

As I told you, each group’s entry resides in the /etc/group and /etc/gshadow files.

A group’s entry in the /etc/group file is something like this.

It contains the four most important pieces of information related to the group and they are separated by a colon(:).

group1:x:1001:helpdesk
  1. group1 – Group Name
  2. x – Encrypted Password
  3. 1001 – Group ID (GID)
  4. helpdesk – Member of the Group

Explaining /etc/gshadow:

Similarly, the group’s entry in the /etc/gshadow file is something like this.

It contains the four most important pieces of information related to the group and group administrators. Each detail is separated by a colon(:).

group1:!:bmsahu:helpdesk
  1. group1 – Group Name
  2. ! – Encrypted Password. Here the field holds an exclamation mark (!), which indicates that no password has been set for this group.
  3. bmsahu – Group Administrator
  4. helpdesk – Member of the Group

2. Create a system group

To create a system group, pass the -r option to the groupadd command.

$ sudo groupadd -r dbadmins

Whether you create a system group or a regular group, login.defs defines an ID range for each of them.

The GID range defined in /etc/login.defs for system groups is: 100-999.

This means that when we create a new system group, the GID assigned to it will be from this range (100-999).

In this example, I created a system group named dbadmins. Type the following command to check the GID.

$ cat /etc/group | grep dbadmins
dbadmins:x:999:

As you can see, GID 999 is assigned to the group, which is within the defined range.

3. Create a new Group with a Specific Group ID (GID)

In Linux by default, each group is assigned a unique numeric value called GID(Group Identifier).

login.defs is one of those files from which the groupadd command takes inputs to create new groups.

  • Which GID value to assign to a Group.
  • What is the Maximum and Minimum GID limits?

This is all defined in the /etc/login.defs file.

Have a look at the following details taken from the /etc/login.defs file.

# Min/max values for automatic gid selection in groupadd
#
GID_MIN			 1000
GID_MAX			60000
# System accounts
#SYS_GID_MIN		  100
#SYS_GID_MAX		  999

So as soon as we run the groupadd command to create a new group, the next available GID is assigned by taking the reference from login.defs.

So to create a new group with a specific Group ID(GID) pass the -g option to the groupadd command.

Here I am creating a group named group2 with GID 1015.

$ sudo groupadd -g 1015 group2

Type the following command to verify that the GID is set correctly.

$ cat /etc/group | grep group2
group2:x:1015:

4. How to Create a group with a non-unique GID

You can create multiple groups with non-unique GIDs (duplicate GIDs). To do this you can use the -o option with the groupadd command.

I have a group called group2 whose group id is 1015.

$ cat /etc/group | grep group2
group2:x:1015:

Now I will create a new group named group3 with the same Group ID.

$ sudo groupadd -o -g 1015 group3

Type the following command to check the result.

$ cat /etc/group | grep group3
group3:x:1015:

As you can see there are two groups with the same Group ID.

$ sudo cat /etc/group | grep 1015 
group2:x:1015:
group3:x:1015:

5. Ignore already exists Message

There is already a group called dbadmins.

$ cat /etc/group | grep dbadmins
dbadmins:x:1017:

If I try to create another group with the same name, I get this error.

$ sudo groupadd dbadmins
groupadd: group 'dbadmins' already exists

This error message can be ignored. To do this, pass the -f option to the groupadd command.

$ sudo groupadd -f dbadmins

Note: This command will not create a new group and can be used only to ignore this error message.

6. Create a group with Unencrypted Password

Type the following command to create a new group with an unencrypted password.

In this example, I am creating a group whose name is group4 and password is [email protected].

$ sudo groupadd -p [email protected] group4

The group’s password is stored in the /etc/gshadow file.

$ sudo cat /etc/gshadow | grep group4
group4:[email protected]::

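Caution: This option is not recommended, because a password given on the command line is visible to other users who list the running processes.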
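
groupadd writes the -p value into /etc/gshadow exactly as given, as the output above shows, while its manual page documents the argument as a value already encrypted with crypt(3). The following check is an added example, not part of the original guide; the function names and sample entries are constructed. It classifies the password field of each /etc/gshadow-format line so that entries stored as typed stand out from locked and hashed ones.

```shell
#!/bin/sh
# Added example: classify the password field of /etc/gshadow-format lines
# (name:password:admins:members) read from stdin.

# Print "<group> <state>" for every entry.
classify_gshadow() {
    awk -F: '
        NF < 2 { next }                       # skip malformed entries
        {
            p = $2
            if (p == "")                   state = "empty"
            else if (p ~ /^[!*]/)          state = "locked"
            else if (p ~ /^\$[0-9a-z]+\$/) state = "hashed"
            # Anything else is not in $id$ modular crypt format: a legacy
            # DES hash, or a value stored as typed with groupadd -p.
            else                           state = "not-a-modular-hash"
            print $1, state
        }
    '
}

# Print only the group names whose password field needs a manual review.
flag_unhashed() {
    classify_gshadow | awk '$2 == "not-a-modular-hash" { print $1 }'
}

# Constructed sample; the hash-like string is a placeholder, not a real hash.
sample_gshadow() {
    cat <<'EOF'
group1:!:bmsahu:helpdesk
dbadmins:!::
group4:Constructed-Plaintext::
devs:$6$constructedsalt$constructedhashvalue::
shared:::alice
EOF
}

sample_gshadow | classify_gshadow   # on a live system, as root: < /etc/gshadow
```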

7. How to override the default values of /etc/login.defs

As I told you earlier, the login.defs file has maximum and minimum ID ranges of the group.

And when we create a new group, the next available GID is assigned according to login.defs.

But if you want, you can set a custom GID range for the new group.

For example, I want to create a group named developers whose GID should fall within the range 2000 to 2005.

With the help of the following command we can complete this task.

$ sudo groupadd -K GID_MIN=2000 -K GID_MAX=2005 developers

Type the following command to check the result.

$ cat /etc/group | grep developers
developers:x:2000:

Note: You can use the -K option multiple times in one command.

8. Help/Manual page access

Use the following commands to access the manual page or help page of the groupadd command.

$ groupadd --help
$ man groupadd


Conclusion

I hope you have learned something from this article.

I have tried my best to include all the features of groupadd command in this guide.

Now I’d like to hear your thoughts.

Was this guide useful to you?

Or maybe you have some queries.

Have I not included any command in this guide?

Leave a comment below.
