LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-18-2019, 01:03 PM   #1
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,845
Blog Entries: 3

Rep: Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815
Changing all groups when renaming an account


If I rename an account, how do I get all the groups it is a member of to update with the new name?

If I use usermod it changes the account name just fine but leaves the group memberships untouched.
Below, the account foobar08 is a member of baz before it is renamed.
After it is renamed, the defunct name foobar08 stays in baz and foobar16 is not a member.

Code:
$ awk -F: '$1=="baz"' /etc/group
baz:foobar01,foobar02,foobar04,foobar08

$ groups foobar08
foobar08 : foobar08 baz

$ sudo usermod --login foobar16 foobar08

$ awk -F: '$1=="baz"' /etc/group
baz:foobar01,foobar02,foobar04,foobar08

$ groups foobar16
foobar16 : foobar08
This kind of task has to be a solved problem, I would hope. Or else should I just zap /etc/groups with sed or something else done manually.
 
Old 03-18-2019, 03:02 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,621
Blog Entries: 15

Rep: Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541
Presumably these are supplemental group memberships as the primary group's GID is stored in /etc/passwd so the user's name doesn't appear in /etc/group for that group.

You use 'usermod -G GROUP1[,GROUP2,...[,GROUPN]]] USER' to add a user to one or more supplemental groups. You either have to list all of them with -G or use the -a to append. You can remove a user from all groups by specifying 'usermod -G "" USER'

Since the user isn't in /etc/passwd any longer you'd have to manually edit /etc/group to remove the old user name (or change it to the new user name since you're editing anyway). You could substitute with sed.
 
1 members found this post helpful.
Old 03-19-2019, 12:32 AM   #3
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,845

Original Poster
Blog Entries: 3

Rep: Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815
Yes, these are supplemental groups but the same problem applies to the primary group as well. The utility usermod will change the account name but not the name of the group. See the example above about that.

I've actually been modifying accounts using a perl script when I noticed all that. There are a couple options for doing a search and destroy on group names. I wonder which of them is the least risky.
 
Old 03-19-2019, 08:28 AM   #4
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,621
Blog Entries: 15

Rep: Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541
So you're using a RedHat style setup where a group with same name as user is created at same time as user to be the primary? I usually use the "-n" flag of useradd to prevent that then use -g <gid> to add it to a more global group such as "users" or "developers". It's never been clear to me why RedHat thinks every user should have a unique group. A group of one isn't really a group IMHO.

You can use groupmod to change the name of a group. Since the GID of the group is stored in /etc/passwd you don't have to change that group name for the user itself. Typically for such user specific groups the user isn't actually listed as a member of the group as it is the GID field in /etc/passwd that makes them a member.

P.S. You'd want to use groupmod for the rename of the group because that will also update gshadow. It is, however, safe to modify the members of a group by direct edit.

Last edited by MensaWater; 03-19-2019 at 08:48 AM.
 
Old 03-30-2019, 12:11 PM   #5
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 7
Posts: 949

Rep: Reputation: 75
Ubuntu does the same thing (and I'm guessing this is inherited from Debian, in any case). I guess it might be useful when you easily want to give a user the same rights (in principle) as another's, and you just add it to that group. It would be harder to do that by adding a new common group, as, by default, every newly created file is going to have as a group owner this homonymous primary group.

Now that I think about it, that's not exactly right, as you're going to have too many cases where only the user and not the primary group it belongs to has access to certain resources. (you'd solve that in sudoers, for instance)

Last edited by vincix; 03-30-2019 at 12:21 PM.
 
Old 04-01-2019, 06:12 AM   #6
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 135

Rep: Reputation: Disabled
Assuming you are using bash and /etc/group:

Code:
# sed -E -e 's/(:|,)(OLDNAME)(,?)/\1NEWNAME\3/g' -e 's/^OLDNAME:/NEWNAME:/g' /etc/group > /tmp/group_check
# cat /tmp/group_check
# cp /etc/group /etc/group.$(date '+%Y%m%D-%H%M')
# cat /tmp/group_check > /etc/group
# rm /tmp/group_check
 
Old 04-01-2019, 06:18 AM   #7
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,845

Original Poster
Blog Entries: 3

Rep: Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815
I've found I can do it in two steps, first with usermod and then tidying up with groupmod.
 
Old 04-01-2019, 11:31 AM   #8
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,621
Blog Entries: 15

Rep: Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541Reputation: 1541
Deleted

Last edited by MensaWater; 04-01-2019 at 11:38 AM.
 
Old 04-01-2019, 11:39 AM   #9
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,845

Original Poster
Blog Entries: 3

Rep: Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815
Quote:
Originally Posted by MensaWater View Post
Gee why didn't I think of that? Oh wait...
You did, or at least something similar to the final result. However, I tried several different major types of user+group manipulations, including other languages, with many variations on each major type.

What I found was somewhat simpler. The utility usermod takes care of most of the changes except the group named after the user. A quick cleanup with usermod takes care of that remaining group.

Edit: specifically only these were needed:

Code:
usermod --login $new_name --home $new_home $old_name
groupmod --new-name $new_name $old_name

Last edited by Turbocapitalist; 04-01-2019 at 01:26 PM.
 
1 members found this post helpful.
  


Reply

Tags
groups, usermod


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Postfix: forward all account email within domain to another email account? 18Googol2 Linux - Software 3 03-04-2011 01:10 PM
[SOLVED] Renaming a folder which is default folder for FTP account rjo98 Linux - Newbie 6 02-11-2011 09:30 AM
invalid group id redhat linux as 5 - all groups in group file are invalid groups nlong1 Red Hat 1 02-15-2009 03:43 AM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 10:02 AM
renaming root account nuttyvishal4u Linux - Newbie 2 06-12-2003 07:57 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:47 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration