Safely change primary group of a user in Linux

When it comes to user permissions, even a system administrator sometimes gets confused. No matter what Linux training or administration courses one has had, one mistake and server management can become hell. The same holds true for a Linux user at home. One has to be extremely careful while changing the primary group of an existing user. If you do some research, you will find that several people have accidentally locked themselves out of being able to use sudo. To avoid these unnecessary headaches, it is essential that you change the primary group of a user in Linux correctly.

Change Primary Group Of Linux User

Record the Current State

Before you change the primary group of a Linux user, make a note of the user's current status. Let us consider a user with the username "mackey". You can find this user's current group memberships like this:

$ groups
mackey adm cdrom sudo dip plugdev sambashare lpadmin

The user mackey's primary group is "mackey". This user is also associated with a bunch of other groups: adm,cdrom,sudo,dip,plugdev,sambashare,lpadmin.

Note that adm, cdrom, sudo, dip, plugdev, sambashare, and lpadmin are all default secondary groups assigned to a user in Ubuntu 12.04 Precise Pangolin.

Change Primary Group of User

The command to use is "usermod". Below is the syntax of the command:

usermod - Modify a user account

Syntax:
usermod [-c comment] [-d home_dir [-m]] [-e expire_date] [-f inactive_days] [-g initial_group] [-G group [,...]] [-l login_name] [-p passwd] [-s shell] [-u uid [-o]] [-L|-U] user

Options:
-d home directory
-s starting program (shell)
-p password
-g (primary group assigned to the users)
-G (Other groups the user belongs to)

If you search the internet you may find that you can change the primary group using the following command:

sudo usermod -g NewPrimaryGroup mackey

As expected, the above command changes mackey's primary group from "mackey" to "NewPrimaryGroup". However, all of this user's secondary group memberships will be gone, including "admin". This means that the user will no longer be able to use the "sudo" command to gain root access, and will not be able to make any changes to the system (e.g. install or remove software).

This, however, does not happen in all distributions. For example, in Ubuntu 12.04 Precise Pangolin the "sudo usermod -g NewPrimaryGroup user" command assigns the new primary group to the user while keeping all existing secondary groups. Yet, I like to change the primary group the safe way, which puts control in my hands.

The safe way to change the primary group of a Linux user is to use the following command:

sudo usermod -g NewPrimaryGroup -G mackey,adm,cdrom,sudo,dip,plugdev,sambashare,lpadmin mackey

This command will first change the user mackey's primary group from "mackey" to "NewPrimaryGroup". Then it will assign the user "mackey" to the following secondary groups "mackey,adm,cdrom,sudo,dip,plugdev,sambashare,lpadmin". This way mackey's primary group will be changed without affecting his other group memberships or losing his membership to his previous primary group "mackey".
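The record-then-restore procedure above can be scripted so the -G list is never typed by hand. This is an added example, not code from the original article; the helper names build_safe_usermod and lost_groups are hypothetical, and it assumes the group list comes from `id -Gn USER` captured before the change and that group names contain no spaces.

```shell
#!/bin/sh
# build_safe_usermod USER NEW_PRIMARY "GROUPS"
#   GROUPS: space-separated output of `id -Gn USER` taken BEFORE the change.
#   Prints the usermod command that keeps every current group as secondary.
build_safe_usermod() {
    user=$1 new_primary=$2 current=$3
    list=""
    for g in $current; do
        # The new primary group does not need to be repeated in -G.
        if [ "$g" = "$new_primary" ]; then continue; fi
        list="${list:+$list,}$g"
    done
    if [ -n "$list" ]; then
        printf 'usermod -g %s -G %s %s\n' "$new_primary" "$list" "$user"
    else
        printf 'usermod -g %s %s\n' "$new_primary" "$user"
    fi
}

# lost_groups "BEFORE" "AFTER"
#   Prints every group present before the change but missing afterwards,
#   so a dropped sudo/admin membership is caught before logging out.
lost_groups() {
    before=$1 after=$2
    missing=""
    for g in $before; do
        case " $after " in
            *" $g "*) ;;
            *) missing="${missing:+$missing }$g" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample data mirroring the article's user "mackey".
before="mackey adm cdrom sudo dip plugdev sambashare lpadmin"
build_safe_usermod mackey NewPrimaryGroup "$before"
# Simulated "after" state on a system where only -g was used and groups were dropped.
lost_groups "$before" "NewPrimaryGroup"
```

On a live system, feed the first function `"$(id -Gn mackey)"`, review the printed command before running it with sudo, and compare a fresh `id -Gn mackey` against the saved list with the second function while a root-capable session is still open.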

How to Fix In Case of a Screw Up

If you change a user's primary group with just the "-g" option and all of his/her secondary group memberships are gone, then you can fix this in a couple of different ways.

Method 1: If you had set up a "root" password previously (not normal in Ubuntu), you can log in as "root" and then run the following command:

sudo usermod -g NewPrimaryGroup -G mackey,adm,cdrom,sudo,dip,plugdev,sambashare,lpadmin mackey

After running the above command, log out and log in as the user (mackey in this case).

Method 2: If you did not set up a password for the user "root", then you cannot log in as root. In this case, boot into recovery mode from the GRUB menu and enter the command line with root privileges. Then run the same command listed above:

sudo usermod -g NewPrimaryGroup -G mackey,adm,cdrom,sudo,dip,plugdev,sambashare,lpadmin mackey

Reboot and the user "mackey" should now have all the secondary groups restored. The primary group will be "NewPrimaryGroup".

If you simply want to add an existing user to a secondary group, retaining all his/her primary and secondary group memberships, then use the following command:

usermod -a -G NewSecondaryGroup user

The "-a" option means append to existing memberships.

There you go, now you can change the primary group of users safely. Hope this helps.

Anand

Anand is a self-learned computer enthusiast, hopeless tinkerer (if it ain't broke, fix it), a part-time blogger, and a Scientist during the day. He has been blogging since 2010 on Linux, Ubuntu, Home/Media/File Servers, Smart Home Automation, and related HOW-TOs.
