If I rename an account, how do I get all the groups it is a member of to update with the new name?

If I use usermod it changes the account name just fine but leaves the group memberships untouched.
Below, the account foobar08 is a member of baz before it is renamed.
After it is renamed, the defunct name foobar08 stays in baz and foobar16 is not a member.

This kind of task has to be a solved problem, I would hope. Or else should I just zap /etc/groups with sed or something else done manually.

Presumably these are supplemental group memberships as the primary group's GID is stored in /etc/passwd so the user's name doesn't appear in /etc/group for that group.

You use 'usermod -G GROUP1[,GROUP2,...[,GROUPN]]] USER' to add a user to one or more supplemental groups. You either have to list all of them with -G or use the -a to append. You can remove a user from all groups by specifying 'usermod -G "" USER'

Since the user isn't in /etc/passwd any longer you'd have to manually edit /etc/group to remove the old user name (or change it to the new user name since you're editing anyway). You could substitute with sed.

1 members found this post helpful.

Yes, these are supplemental groups but the same problem applies to the primary group as well. The utility usermod will change the account name but not the name of the group. See the example above about that.

I've actually been modifying accounts using a perl script when I noticed all that. There are a couple options for doing a search and destroy on group names. I wonder which of them is the least risky.

So you're using a RedHat style setup where a group with same name as user is created at same time as user to be the primary? I usually use the "-n" flag of useradd to prevent that then use -g <gid> to add it to a more global group such as "users" or "developers". It's never been clear to me why RedHat thinks every user should have a unique group. A group of one isn't really a group IMHO.

You can use groupmod to change the name of a group. Since the GID of the group is stored in /etc/passwd you don't have to change that group name for the user itself. Typically for such user specific groups the user isn't actually listed as a member of the group as it is the GID field in /etc/passwd that makes them a member.

P.S. You'd want to use groupmod for the rename of the group because that will also update gshadow. It is, however, safe to modify the members of a group by direct edit.

Ubuntu does the same thing (and I'm guessing this is inherited from Debian, in any case). I guess it might be useful when you easily want to give a user the same rights (in principle) as another's, and you just add it to that group. It would be harder to do that by adding a new common group, as, by default, every newly created file is going to have as a group owner this homonymous primary group.

Now that I think about it, that's not exactly right, as you're going to have too many cases where only the user and not the primary group it belongs to has access to certain resources. (you'd solve that in sudoers, for instance)

Assuming you are using bash and /etc/group:

I've found I can do it in two steps, first with usermod and then tidying up with groupmod.

Deleted

You did, or at least something similar to the final result. However, I tried several different major types of user+group manipulations, including other languages, with many variations on each major type.

What I found was somewhat simpler. The utility usermod takes care of most of the changes except the group named after the user. A quick cleanup with usermod takes care of that remaining group.

Edit: specifically only these were needed:

1 members found this post helpful.