Manage Linux user groups

This article covers the basics of managing user groups on a Linux® server.


You need to have the following prerequisites:

  • Basic understanding of Secure Shell (SSH®)
  • Sudo or administrative access to your server
  • A Cloud Server running supported versions of Linux
  • Basic knowledge of file and directory permissions on a Linux server

User groups

User groups in Linux allow a group of users specific access or permissions to directories or files on
the Linux operating system. This access depends on the group permissions for the file or directory.

Note: For more information on directory and file permissions, see
Changing Linux permissions.

The following example shows how group permissions affect a user's access.

drwxr-xr-x. 5 root     root   4096 Jun  9 11:09 .
drwxr-xr-x. 3 root     root   4096 Jun  9 11:03 ..
drwxr-xr-x. 2 root     apache 4096 Jun  9 11:04 files
-rw-rw-r--. 1 root     apache    0 Jun  9 11:09 somefile
drwxr-xr-x. 2 root     apache 4096 Jun  9 11:04 test
drwxr-xr-x. 2 testuser apache 4096 Jun  9 11:04 websitefiles

The permissions for this directory indicate:

  • The testuser user is the owner of the directory websitefiles. The owner has rwx,
    which translates to read, write, and execute on the directory.
  • The user, apache, has r-x, which means that they can read and execute on the directories.
  • The user, apache, has rw-rw-r-- on the file somefile, which means they can read and write
    to the file.

Directory versus file permissions

There are a few differences between directory and file permissions to consider when adding a user to a
group. For a file, read, write, and execute mean precisely that. The user can perform those tasks on a
file. However, in a directory, the permissions have the following meanings:

  • Read: Allows a user to list the contents of a directory.
  • Write: Allows a user to create new files or directories within the directory.
  • Execute: Allows a user to traverse into the directory.

Supplemental groups

When you need a user to share the permissions associated with a group, you should add the user to the
associated group.

Consider the testuser user permissions:

# id testuser
uid=1002(testuser) gid=1002(testuser) groups=1002(testuser)

This output shows that the user has only their default groups and has not been assigned to any supplemental groups.

To give testuser access to the files directory, the user must be part of the apache
user group.

Note: Some users also create a separate group for their web developers that includes the apache user
so that the functionality of Apache® on the directory is not disabled.

Example: Add a user to a group

This example adds testuser to the apache group.

Check the group

First, check the apache group before making changes:

# getent group apache

You can see that no other users are part of the apache group.

Add testuser to group

To add testuser to the group, run the following command from the terminal:

   usermod -aG apache testuser

The flags -aG translates to append and groups. The use of -a ensures that you add the user
to a group rather than replacing their default group.


Now, if you view the groups for apache, you see testuser in the group.

# getent group apache

If you view testuser, you can see the user now has the apache group.

# id testuser
uid=1002(testuser) gid=1002(testuser) groups=1002(testuser),48(apache)

The test user now has access to the group-level permissions for directories and files with a group
ownership of apache.

Syntax to add users to groups

Use the same process to add users to other groups with the following command:

   usermod -aG <group> <user>

You can also add the user to multiple groups at once:

   usermod -aG <group1>,<group2>,etc <user>

As long as the group to which you add the user has the appropriate permissions for the directory they
need to access, this operation gives the user the access they need to manage the files and directories.