Managing Groups

Managing Groups in Ubuntu

Groups are the mechanism Linux uses to grant multiple users the same file access permissions without assigning permissions to each user individually. When you add a user to the docker group, they can run Docker commands. When you add them to sudo, they can use sudo. Understanding group management is fundamental to controlling access on any Ubuntu server.

How groups work in Linux

Every user has:
  Primary group  — Set at account creation. GID stored in /etc/passwd.
                   Determines the group owner of new files the user creates.

  Supplementary  — Additional groups. Stored in /etc/group.
  groups           Grant access to resources controlled by those groups.

Example for user irfan:
  uid=1001(irfan) gid=1001(irfan) groups=1001(irfan),27(sudo),998(docker)
                       ↑ primary                    ↑ supplementary groups

Creating and modifying groups

# Create a new group
sudo groupadd webteam

# Create a group with a specific GID
sudo groupadd --gid 2001 webteam

# Rename a group
sudo groupmod --new-name devteam webteam

# Change a group's GID
sudo groupmod --gid 2002 devteam

# Delete a group
sudo groupdel devteam
# Note: you cannot delete a group that is any user's primary group

Adding and removing users from groups

# Add a user to a supplementary group (keep existing memberships)
sudo usermod -aG docker irfan
sudo usermod -aG sudo,docker,libvirt irfan    # Multiple at once

# Alternative: use gpasswd to add a user
sudo gpasswd -a irfan docker

# Remove a user from a group
sudo gpasswd -d irfan docker

# Set the members of a group (replaces all members)
sudo groupmems -g webteam -l               # List current members
sudo gpasswd -M user1,user2,user3 webteam  # Set group members

# Changes take effect at next login
# To apply in the current shell without logging out:
newgrp docker    # Switches primary group to docker for this session
exec su - $USER  # Alternative: re-login in place

Important system groups

⚠️ WARNING: Adding a user to the docker group is equivalent to giving them root access. A user in the docker group can mount /etc or / inside a container and modify system files. Only add trusted administrators to the docker group.

Checking group membership

# Show all groups a user belongs to
groups irfan
id irfan

# Show all members of a specific group
getent group docker
getent group sudo | cut -d: -f4    # Just the member list

# List all groups on the system
getent group | sort

# Check which groups a user is in from /etc/group
grep "irfan" /etc/group

# Show primary group
id -gn irfan   # Group name
id -g irfan    # Group GID

Example id output

uid=1001(irfan) gid=1001(irfan) groups=1001(irfan),4(adm),27(sudo),998(docker),999(lxd)

Conclusion

Groups are the primary tool for granting access to shared resources in Ubuntu. Always use usermod -aG group user (with -a) to add users to groups — omitting -a replaces all existing group memberships. Use gpasswd -d to remove users from groups. Be cautious about which groups you grant — sudo, docker, and lxd all effectively grant root-level access.