How to Use the gpasswd Command on Linux
Key Takeaways
- Use gpasswd to manage group members & passwords, avoiding security risks & controlling group access efficiently.
- The basic syntax is “gpasswd [option] [group]”.
- Execute commands like “sudo gpasswd -a user group” to add users and “sudo gpasswd -d user group” to remove them.
Want an easy solution to managing group members and passwords on Linux? The gpasswd command will help you do that. It administers the “/etc/group” and “/etc/gshadow” files, which hold group passwords, members, and administrators. Let’s get started.
What Makes the gpasswd Command Useful
The gpasswd command lets you administer groups on Linux. Group passwords don’t get used a lot in part because of the security risk they pose: multiple people sharing a password increases the opportunity for accidental or malicious exposure. Any member of the group can add or remove members, controlling the group access, which could easily get out of hand.
There are a few ways to overcome this problem. You can avoid using group passwords when possible and use alternative mechanisms such as sudoers or access control lists. You can also limit access to the group passwords using privilege control so that only authorized members can do any operations.
gpasswd Command Basic Syntax and Options
The basic syntax of the gpasswd command allows it to take two arguments: an option or flag argument and the name of the group where you’d like to run the operation. Here’s how it looks:
gpasswd [option] group
Here are the options you can use with the command:
- -a, --add user : To add a user to the named group.
- -d, --delete user : To remove a user from the named group.
- -h, --help : Displays the instructions to use the command.
- -R, --restrict : Sets the group password to “!” so that only group members with a password are allowed to use newgrp to join the named group.
- -r, --remove-password : To remove the password from the named group. The group password becomes empty.
- -A, --administrators user : Sets the list of administrative users.
- -M, --members user : Sets the list of group members.
- -Q, --root CHROOT_DIR : Applies changes in the CHROOT_DIR directory and uses the configuration files from the CHROOT_DIR directory.
We’ll see how to use these options in the upcoming sections of the guide.
Setting Password for a Group
The most common use of the gpasswd command is to set a password for specific groups. I’ll first create a group we can test it upon. Feel free to skip this if you already have a group. To create a new group on your Linux system, run:
sudo groupadd demogroup
You can use any other name than “demogroup”. To confirm if the group creation was successful, display all groups using:
cat /etc/group
You can see the new group on the list. Now let’s create a password for the group. To do that, use:
sudo gpasswd demogroup
You’ll be asked to enter your user password first (since you used sudo). Then you’ll be asked to enter a new password for the group. After entering the new password, you need to re-enter it to confirm the password.
Now if I try to log into this group, the system will ask for a password. That’s because I’m not a member of the group. To log into the group, run:
newgrp demogroup
Removing Password from Group
If you want to remove a password from a group, you can do that using the -r flag. Remove the password by passing the group name along with the flag like this:
sudo gpasswd -r demogroup
If you try to log into the group now as a member, you’ll be able to do so without entering the password.
Adding a User to a Group
The gpasswd command lets you add new members to groups. The -a option is for that purpose. The command syntax is as follows:
sudo gpasswd -a user group
So after adding the -a option, you need to pass the member’s username and then the group to which you want to add the user. For example, I want to add a user to the new group I created earlier. Here’s the command for that:
sudo gpasswd -a zunaid demogroup
You can confirm whether the member was added or not. For that, use the below command:
getent group demogroup
As you can see, I’ve successfully added myself to the group using gpasswd. For adding multiple users, you’ll need to issue separate commands for each, like this:
sudo gpasswd -a user1 group
sudo gpasswd -a user2 group
Removing a User From a Group
If you want to delete a user from a specific group, you have the -d option for that. Much like the command for adding, simply provide the username and then the group name to the command, like this:
sudo gpasswd -d user group
So if I want to remove myself from “demogroup”, this is the command I need to run:
sudo gpasswd -d zunaid demogroup
Again, you can confirm if the user was removed successfully by listing the group members with this command:
getent group demogroup
You may need to restart your device or log out and back in to your session for the changes to take effect. To remove multiple users from a group, use the same repeated command technique as when adding:
sudo gpasswd -d user1 group
sudo gpasswd -d user2 group
Setting the List of Group Members
The gpasswd command allows you to replace the current members of the group with members you want to add. In other words, you can empty the group and then add as many new members as you want with a single command. The -M flag serves that purpose. So for example, currently there are user1 and user2 in a group. You want to remove them and add user3 and user4. To do this, run:
sudo gpasswd -M user3,user4 demogroup
Now if you check the members list of the group, you should see that the previous members are not there. Instead, you’ll find the new members.
getent group demogroup
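Because -M replaces the whole member list, it helps to preview what will change before running it. The following is an added example, not part of the original article: members_diff is a hypothetical helper that compares a "getent group" entry with the list you intend to pass to -M. The GID 1001 in the sample entry is constructed.

```shell
#!/bin/sh
# Added example: preview the effect of `gpasswd -M LIST GROUP`.
# $1: a group entry as printed by `getent group NAME` (name:x:gid:member,member)
# $2: the comma-separated list you intend to pass to -M
members_diff() {
    awk -v entry="$1" -v wanted="$2" 'BEGIN {
        split(entry, f, ":")
        nc = split(f[4], cur, ",")      # current members (4th field)
        nw = split(wanted, tgt, ",")    # members after -M
        for (i = 1; i <= nc; i++) if (cur[i] != "") have[cur[i]] = 1
        for (i = 1; i <= nw; i++) if (tgt[i] != "") want[tgt[i]] = 1
        # Anyone in the group today but absent from the new list loses membership.
        for (i = 1; i <= nc; i++)
            if (cur[i] != "" && !(cur[i] in want)) print "remove " cur[i]
        for (i = 1; i <= nw; i++)
            if (tgt[i] != "" && !(tgt[i] in have)) print "add " tgt[i]
        for (i = 1; i <= nc; i++)
            if (cur[i] in want) print "keep " cur[i]
    }'
}

# Constructed sample entry: demogroup currently holds user1 and user2.
members_diff "demogroup:x:1001:user1,user2" "user3,user4"
```

On a live system, pass the real entry: members_diff "$(getent group demogroup)" "user3,user4".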
Promoting a User as the Group Administrator
You can grant someone administrative privileges of a group using the -A flag. Simply pass the name of the member and the group of which you want to make him the administrator. See the command below:
sudo gpasswd -A zunaid demogroup
This gives the user “zunaid” administrative privileges in the group called “demogroup”.
This doesn’t give any output to the terminal. However, you can see the list of administrators of the group to confirm if the operation was successful. Do that with this command:
sudo cat /etc/gshadow
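Both the group-password risk described at the start of this guide and the administrator check above come down to two fields of each gshadow entry (group:password:administrators:members). The following is an added example, not part of the original article, that classifies every entry so you can see which groups still carry a shared password and who administers them. The function names, the sample file and the names projteam, shared, alice, bob and carol are constructed.

```shell
#!/bin/sh
# Added example: classify entries of a gshadow-format file.
# Layout per gshadow(5): group:password:administrators:members

audit_gshadow() {
    # $1: path to a gshadow-format file
    awk -F: '
        /^#/ || NF < 4 { next }
        {
            pw = $2
            if (pw == "")          state = "EMPTY"     # no password: only members can newgrp
            else if (pw ~ /^[!*]/) state = "LOCKED"    # "!" or "*": password login disabled
            else                   state = "PASSWORD"  # a hash is set: shared secret in use
            admins = ($3 == "") ? "-" : $3
            printf "%s %s admins=%s\n", $1, state, admins
        }
    ' "$1"
}

# Groups that still rely on a shared password and deserve a review.
password_groups() {
    audit_gshadow "$1" | awk '$2 == "PASSWORD" { print $1 }'
}

# Constructed sample data; the hash is a placeholder, not a real crypt(3) value.
write_sample_gshadow() {
    cat > "$1" <<'EOF'
root:*::
demogroup:!:zunaid:user3,user4
projteam:$6$constructedsalt$constructedhash:alice:alice,bob
shared:::carol
EOF
}

sample=$(mktemp)
write_sample_gshadow "$sample"
audit_gshadow "$sample"
echo "Groups with a password set: $(password_groups "$sample")"
rm -f "$sample"
```

On a real system, run audit_gshadow /etc/gshadow as root; unlike cat, it never prints the password hashes themselves.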
gpasswd Makes Group Management Easy
Now you’ve learned how to use the gpasswd command for controlling group access on Linux. I’ve covered some of its most useful operations. If you want to learn more about the command, check out its manpage or run the gpasswd -h command on your terminal.