[SOLVED] Changing all groups when renaming an account
If I rename an account, how do I get all the groups it is a member of to update with the new name?
If I use usermod it changes the account name just fine but leaves the group memberships untouched.
Below, the account foobar08 is a member of baz before it is renamed.
After it is renamed, the defunct name foobar08 stays in baz and foobar16 is not a member.
Presumably these are supplemental group memberships as the primary group's GID is stored in /etc/passwd so the user's name doesn't appear in /etc/group for that group.
You use 'usermod -G GROUP1[,GROUP2,...[,GROUPN]]] USER' to add a user to one or more supplemental groups. You either have to list all of them with -G or use the -a to append. You can remove a user from all groups by specifying 'usermod -G "" USER'.
Since the user isn't in /etc/passwd any longer you'd have to manually edit /etc/group to remove the old user name (or change it to the new user name since you're editing anyway). You could substitute with sed.
Yes, these are supplemental groups but the same problem applies to the primary group as well. The utility usermod will change the account name but not the name of the group. See the example above about that.
I've actually been modifying accounts using a Perl script when I noticed all that. There are a couple of options for doing a search and destroy on group names. I wonder which of them is the least risky.
So you're using a RedHat style setup where a group with the same name as the user is created at the same time as the user to be the primary? I usually use the "-n" flag of useradd to prevent that then use -g <gid> to add it to a more global group such as "users" or "developers". It's never been clear to me why RedHat thinks every user should have a unique group. A group of one isn't really a group IMHO.
You can use groupmod to change the name of a group. Since the GID of the group is stored in /etc/passwd you don't have to change that group name for the user itself. Typically for such user specific groups the user isn't actually listed as a member of the group as it is the GID field in /etc/passwd that makes them a member.
P.S. You'd want to use groupmod for the rename of the group because that will also update gshadow. It is, however, safe to modify the members of a group by direct edit.
Last edited by MensaWater; 03-19-2019 at 08:48 AM.
Ubuntu does the same thing (and I'm guessing this is inherited from Debian, in any case). I guess it might be useful when you easily want to give a user the same rights (in principle) as another's, and you just add it to that group. It would be harder to do that by adding a new common group, as, by default, every newly created file is going to have as a group owner this homonymous primary group.
Now that I think about it, that's not exactly right, as you're going to have too many cases where only the user and not the primary group it belongs to has access to certain resources (you'd solve that in sudoers, for instance).
You did, or at least something similar to the final result. However, I tried several different major types of user+group manipulations, including other languages, with many variations on each major type.
What I found was somewhat simpler. The utility usermod takes care of most of the changes except the group named after the user. A quick cleanup with usermod takes care of that remaining group.
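The stale-member cleanup discussed in the thread, as an added example that is not code from any of the posters: it rewrites only the member list (fourth field) of a group(5)-format file on an exact name match, so a similar name such as foobar081 is untouched and group names are left for groupmod. The function names and the sample data are constructed for illustration, and it is meant to be run against a copy of the file.

```shell
#!/bin/sh
# stale_groups FILE OLD
# Prints the name of every group whose member list still contains OLD.
stale_groups() {
    awk -F: -v old="$2" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == old) { print $1; break } }
    ' "$1"
}

# rename_group_member FILE OLD NEW
# Prints FILE with OLD replaced by NEW in the member list only.
# Exact match per member; NEW is not duplicated if already listed.
rename_group_member() {
    awk -F: -v OFS=: -v old="$2" -v new="$3" '
        NF >= 4 {
            n = split($4, m, ",")
            out = ""; seen = 0
            for (i = 1; i <= n; i++) {
                name = (m[i] == old) ? new : m[i]
                if (name == new) { if (seen) continue; seen = 1 }
                out = out (out == "" ? "" : ",") name
            }
            $4 = out
        }
        { print }
    ' "$1"
}

# Constructed sample in /etc/group format (not taken from the thread).
make_sample() {
    cat <<'EOF'
foobar08:x:1001:
baz:x:1002:alice,foobar08
qux:x:1003:foobar081,foobar08,foobar16
wheel:x:10:foobar08
EOF
}

# Demo on a temporary copy: list stale groups, then print the fixed file.
tmp=$(mktemp) && make_sample > "$tmp"
stale_groups "$tmp" foobar08
rename_group_member "$tmp" foobar08 foobar16
rm -f "$tmp"
```

The group still named foobar08 in the output is the user-private group, which the member rewrite deliberately leaves alone.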