How Do You Remove a User From a Group in Linux?

Why groups are important in Linux and how can you add a user to a group or remove a user from a group?

Linux is a multi-user system, it allows to give access to its resources (e.g. files and directories…) to multiple users.

Different users can have a different level of access to resources, at the same time there could be multiple users that require the same level of access.

An example?

You are part of a team of systems administrators and everyone in your team needs the same level of access to Linux systems in your company.

Here are some common scenarios related to groups in Linux:

• Create a new group (e.g. if there is a new team in your company).
• Update the permissions assigned to a group.
• Add a new user to a group.
• Remove a user from a group
• Delete a group

In this tutorial we will look at how to add and remove a user from a group in Linux.

There are different reasons why we might need this…

…the user might not be anymore in your company, might have changed role and moved to a different team, might have been added to the group by mistake.

No matter the reason, knowing how to remove a user from a group is important to know if you work with Linux systems.

Some Basics About Groups in Linux

I’m running this tutorial on a server in AWS (Amazon Web Services) on which the default user is ec2-user.

First of all, let’s use the id command to see some details about user and group IDs mapped to the ec2-user.

Wait…IDs? Which IDs?

In Linux a user or a group have a unique ID used by the operating system to identify the user or the group.

The name of the user or the group is just a label that helps us human being remember them.

Here is the output of the id command for the ec2-user:

[ec2-user@ip-1-2-3-4]$ id ec2-user
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2 user),4(adm),10(wheel)

We will look at the part in bold:

The UID (User Identifier) is a number assigned to each user on the system by Linux.

You can also see the UID assigned to a user, in this case 1000, from the file /etc/passwd using the grep command:

[ec2-user@ip-1-2-3-4]$ grep ec2-user /etc/passwd
ec2-user:x:1000:1000:EC2 Default User:/home/ec2-user:/bin/bash 

I have highlighted in bold the UID for the ec2-user.

What about the next number 1000 on the same line?

It’s the GID (Group Identifier) assigned to the primary group of the ec2-user.

It’s the first time we talk about primary groups, before we have just talked about groups.

Basically, when a user is created a primary group with the same name as the user is created and mapped to the user by default.

In this case the GID of the primary group for the ec2-user is also 1000.

How do we find the name of the group mapped to the GID 1000?

Through the file /etc/groups, using grep again. This time instead of searching for the username we will search for the GID:

[ec2-user@ip-1-2-3-4]$ grep 1000 /etc/group
ec2-user:x:1000:

This shows that the name of the group with GID 1000 is ec2-user.

This matches what I have explained before…when a user is created a group with the same name is also created and it’s mapped to the user as its primary group.

Secondary Groups

If we look again at the output of the id command we have executed before:

[ec2-user@ip-1-2-3-4]$ id ec2-user
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel)

We can also see the groups attribute for the ec2-user. This is used to show all the groups including the secondary groups the user belongs to.

In this case the secondary groups are adm and wheel.

The initial question we wanted to answer here is how to remove a user from a group, this should really be phrased as “how to remove a user from a secondary group”.

To see how to do that, we first want to add the ec2-user to another secondary group…

Add User to a Secondary Group

To add a user to a secondary group we will use the usermod command.

First, we will create a new group called tutorial and then we will add the ec2-user to it.

The command used to create a group in Linux is groupadd, and it has to be executed as root:

[root@ip-1-2-3-4 ~]$ groupadd tutorial
[root@ip-1-2-3-4 ~]$ grep tutorial /etc/group
tutorial:x:1002:

We have now the group tutorial and the GID 1002 has been automatically assigned to it by Linux.

What if we want to decide the GID to assign to the group? We can pass the -g flag via the command line.

Delete the tutorial group using the groupdel command and then recreate it, this time passing the -g flag:

[root@ip-1-2-3-4 ~]$ groupdel tutorial
[root@ip-1-2-3-4 ~]$ groupadd -g 2000 tutorial
[root@ip-1-2-3-4 ~]$ grep tutorial /etc/group
tutorial:x:2000:

Everything worked as expected!

Now, that we have our new secondary group, we want to add the ec2-user to it using the usermod command.

To do that we have to use the -G flag and pass as argument the list of secondary groups, including the secondary groups the ec2-user already belongs to.

Note: the -G flag requires the full list of secondary groups.

The advantage of this syntax is that the same command can be used to add / remove a user to / from a secondary group:

[root@ip-1-2-3-4 ~]$ usermod -G adm,wheel,tutorial ec2-user
[root@ip-1-2-3-4 ~]$ id ec2-user
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),2000(tutorial)

As you can see, now the ec2-user also belongs to the group tutorial as well.

Remove User From Group in Linux

Finally, with the following command we will remove the user from the secondary group tutorial:

[root@ip-1-2-3-4 ~]$ usermod -G adm,wheel ec2-user
[root@ip-1-2-3-4 ~]$ id ec2-user
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel)

It worked!

So, as expected the ec2-user doesn’t belong anymore to the tutorial group.

Conclusion

You now have the knowledge to:

• Find the UID for a user and the GID for a group in a Linux system.
• Identify primary and secondary groups for a user.
• Add and delete a group.
• Add and remove a user to / from a secondary group.

How will you use this knowledge?

See you soon! 🙂