On Linux, files have three sets of permissions.
One set is for the file’s group.
Before you allocate a file to a group, you may want to check who the group members are.
In the case of a directory, the execute action equates to being able to cd into the directory.
The default group for a file or directory is the default group of the owner.
That’s usually the person who created it.
The members of each team can be added to a suitably named group, to aid collaboration.
Users can be in many groups at once.
It’s a simple but robust scheme.
There are different ways to do this.
The two most-frequently recommended methods are problematic.
Each line has four fields.
This isn’t our task at hand.
But it is instructive for us to take a look.
The entries that contain the string “dave” are listed for us.
And tucked away amongst them is a sign that things might not be as simple as we thought.
This is their primary group.
Any other groups they are added to are known as secondary groups.
The problem is that users are not listed as members of their primary groups.
Of course, system administrators can change the primary group of any user to that of any other group.
That’s one issue.
The second issue is that the “/etc/group” file isn’t a single source of truth.
By only looking in one place, you might not be seeing the big picture.
In our test scenario, we created four groups for a development department.
They are:
We added people to these teams.
Some people are in more than one team.
At least, as many members as the “/etc/group” file knows about.
If we want to extract a single group, we can search using grep.
The caret “^” represents the start of a line.
This extracts the “devteam” entry from the file and lists all the group members.
The getent Command
The getent command checks multiple databases for user group information, not just “/etc/group.”
We’ll use getent to show us the user groups.
Using getent with the group option produces—on this test machine—the same results as using the “/etc/group” file.
That’s because we’re not using LDAP or any other centralized naming service.
So there are no other sources for getent to refer to.
It’s no surprise then, that the results tally with those from the “/etc/group” file.
Perhaps what we’re seeing really is the reality of the situation.
Maybe everything is straightforward and—on this computer—what you see is what you get?
Let’s reserve judgment on that.
The getent command can look at a single group for us.
We’ll look at the “devteam” group.
We get exactly the same results as before.
There is a way to dig deeper though.
Also, the command is called lid on Fedora and Manjaro, but on Ubuntu, you'd better use libuser-lid.
You might use libuser-lid to display information about groups or users.
To show the groups an individual is in, pass their user account name on the command line.
On Fedora and Manjaro remember to use lid instead of libuser-lid.
Lo and behold, a user called “francis” has appeared as a member of the list.
This is the first time we’ve seen him.
He isn’t listed in “/etc/group” and getent didn’t discover him either.
Let’s look at a few users with the groups command.
It would appear there’s something different about the user “francis.”
Let’s use the id command and see what the UID and GIDs tell us.
User “abigail” has a UID of 1002, and a GID of 1002.
They are in three groups, one of which is called “abigail.”
It has a GID of 1002.
This is their default primary group.
Whichever one it was, only libuser-lid detected them and reported their presence in the “devteam” group.
The Devil’s in the Details
So it’s important to see the genuine details.
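The gap described above, where a user is missing from a group's entry because the group is their primary group, can be closed by joining the group database to the passwd database on GID. The following is an added example, not code from the original article; the function name members_of, the GID given to “devteam” and all sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. All sample data below is constructed.
# Group database lines have four fields: name:password:GID:member,member,...
SAMPLE_GROUP='devteam:x:1006:dave,abigail
researchlab:x:1007:dave
abigail:x:1002:
francis:x:1004:'
# Constructed passwd lines; the fourth field is the user's primary GID.
SAMPLE_PASSWD='dave:x:1000:1000::/home/dave:/bin/bash
abigail:x:1002:1002::/home/abigail:/bin/bash
francis:x:1004:1006::/home/francis:/bin/bash'

# members_of GROUP [GROUP_TEXT PASSWD_TEXT]
# Prints every member of GROUP, one per line: secondary members from the
# group entry plus users whose primary GID is the group's GID.
# With no text arguments it queries getent, so any naming service the
# machine is configured to use is consulted, not just the local files.
members_of() {
    grp=$1
    gdb=${2-$(getent group)}
    pdb=${3-$(getent passwd)}
    gline=$(printf '%s\n' "$gdb" | awk -F: -v g="$grp" '$1 == g { print; exit }')
    [ -n "$gline" ] || return 1          # unknown group
    gid=$(printf '%s\n' "$gline" | cut -d: -f3)
    {
        # Secondary members: the comma-separated fourth field.
        printf '%s\n' "$gline" | cut -d: -f4 | tr ',' '\n'
        # Primary members: passwd entries whose GID field matches.
        printf '%s\n' "$pdb" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sed '/^$/d' | sort -u
}

# Demo on the constructed data: francis appears although the group line omits him.
members_of devteam "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
```

Where a directory service does not allow its users to be enumerated, getent passwd returns only local accounts, so primary members held in the directory would still be missed.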