
I want to verify that the user account filesender_1 is a member of the group valid_senders.

When I look at /etc/group, filesender_1 is not there:

valid_senders:x:12345:production_1

I read this as "production_1 is the only member of the group valid_senders, whose group id is 12345."

However:

When I look at /etc/passwd, the group id for valid_senders is listed for filesender_1 ...

filesender_1:x:1515:12345:filesender_1:/local/home/filesender_1:/bin/sh

... so I know valid_senders is the primary group for filesender_1.

Is this a surprising discrepancy, or is it normal for /etc/group to list only members where the group is secondary?

Thomas L Holaday

5 Answers


Yes, there is a difference between the primary and supplementary groups. The primary group is the one shown in /etc/passwd, which a user is in upon login. For a user to be in a supplementary group, their user name is added to the group entry in /etc/group. If you use id -a <user>, it will show the primary and the supplementary groups. The supplementary groups give access to resources, but any new files are created with the primary group.

You can change a user's currently active primary group using the newgrp command.

It is not necessary for a user to have the primary group also be a secondary group. All it will do is reduce the number of secondary groups a user can be part of. Traditionally a user was limited to 32 secondary groups, but that may have changed in recent years.

usermod can set a user's primary and supplementary groups in one command. Using a configuration management tool like puppet can also do that without having to worry about what specific command is necessary on different types of unixes.

chicks
lsd

Yes, this discrepancy is normal. I've seen it so many times I stopped looking at the /etc/passwd and /etc/group files and instead started looking at group memberships the way they should be looked at: getent group <groupname> and groups <username>.

John
    This doesn't show the right result... @lsd's answer is better! – 71GA Nov 09 '17 at 13:31
    This is _not_ a solution to the problem... it in fact demonstrates the discrepancy. getent group does not list users whose _primary_ group is groupname, only those who've been added to groupname as a supplementary group. – DJ Far Jan 19 '18 at 14:52
  • As others have noted, your answer does not solve the issue as (at least for CentOS 8.2) the 'getent group ' command does not show the user as a member. – Alex andru Dec 14 '20 at 09:10

There exists a program called members you can install on most linux distros that lists the actual members of a group whether it is their primary group or a supplementary group.

Typically, when a user is created without specifying a group with -g or --gid, the default behavior is to set their primary group as their username, and this gid is not placed in the /etc/group file. Hence files and directories created by the user joe will have ownership joe:joe. But you will not find group 'joe' in the /etc/group file.

If you add the user joe to group 'students', then running

getent group students

will show joe in the list of users in group students.

Running the program

members <groupname>

on a group will show users who are members, either primary or supplementary, of groupname.

DJ Far
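The three answers above describe the same fact from different angles: /etc/group (and therefore getent group) lists only supplementary members, while users whose primary GID is the group appear only in /etc/passwd, and a tool such as members has to merge the two views. The script below is an added example, not code from any of the posters or from the members package: it reconstructs that merge in plain POSIX sh and awk. The helper names (group_gid, explicit_members, primary_members, group_members, is_member) are my own, and it runs against constructed sample passwd/group records written to a temp directory, so it works offline; set PASSWD_FILE and GROUP_FILE to the real files to use it on a live host (with the usual caveat that reading the files directly bypasses NSS sources such as LDAP).

```shell
#!/bin/sh
# Added example (not from the original thread): resolve the complete
# membership of a group = explicit members in /etc/group's 4th field
# + every user whose /etc/passwd GID field equals the group's GID.
# PASSWD_FILE / GROUP_FILE default to constructed sample files below.

# Write constructed sample records (fabricated for this demo, not a real
# system's files) into a temp directory and point the lookups at them.
make_sample_files() {
    SAMPLE_DIR=$(mktemp -d) || return 1
    cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
production_1:x:1514:1514:production_1:/local/home/production_1:/bin/sh
filesender_1:x:1515:12345:filesender_1:/local/home/filesender_1:/bin/sh
joe:x:1600:1600:joe:/home/joe:/bin/sh
alice:x:1700:1200:alice:/home/alice:/bin/sh
EOF
    cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
production_1:x:1514:
valid_senders:x:12345:production_1
students:x:2000:joe
sysman:x:1200:alice
EOF
    PASSWD_FILE=$SAMPLE_DIR/passwd
    GROUP_FILE=$SAMPLE_DIR/group
}

# Print the GID of a group name (nothing if the group does not exist).
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$GROUP_FILE"
}

# What `getent group <name>` shows: only the comma-separated 4th field.
explicit_members() {
    awk -F: -v g="$1" '$1 == g && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$GROUP_FILE"
}

# Users whose primary group (GID field of /etc/passwd) is this group.
primary_members() {
    gid=$(group_gid "$1")
    [ -n "$gid" ] || return 1
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$PASSWD_FILE"
}

# Union of both views, sorted and de-duplicated: a user who is listed in
# /etc/group and also has the group as primary (alice in sysman) shows once.
group_members() {
    gid=$(group_gid "$1")
    if [ -z "$gid" ]; then
        echo "no such group: $1" >&2
        return 1
    fi
    { explicit_members "$1"; primary_members "$1"; } | sort -u
}

# Exit 0 if user $1 belongs to group $2 by either route.
is_member() {
    group_members "$2" | grep -qx -- "$1"
}

make_sample_files
trap 'rm -rf "$SAMPLE_DIR"' EXIT
echo "getent-style view of valid_senders:"; explicit_members valid_senders
echo "full membership of valid_senders:";   group_members valid_senders
is_member filesender_1 valid_senders && echo "filesender_1 is in valid_senders"
```

For the sample data, explicit_members valid_senders prints only production_1 (the discrepancy the question is about), primary_members valid_senders prints filesender_1, and group_members valid_senders prints both. is_member is the check the question actually wants answered; it is deliberately built on the merged view, so a user whose only link to the group is the GID field in /etc/passwd is still reported as a member.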

Generally speaking, system administrators should add the user to their primary group's member list in /etc/group because the getpwent() family of system calls will remove duplicates when called. Programs aren't supposed to read /etc/group or /etc/passwd directly, they are supposed to use the system calls. All this has been true for at least 20 years now, and probably much longer.

  • The two halves of your answer contradict each other. – womble May 15 '19 at 23:02
  • Don't know how to say it better, nor what you mean by halves, but I'll try an example. My primary group is sysman, gid 1200. So in my /etc/passwd entry, the gid field contains 1200, and my userid also appears in the list of userids for group sysman in /etc/group. When any program uses the standard means of asking for my group memberships, everything works. But remember programs should never read /etc/passwd or /etc/group, that dodges the name service switch and is very bad practice. Use the system calls. – Medievalist May 19 '19 at 02:37

You should use lid -g <group>

Jarod