What Does /etc/group Mean?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
The /etc/group file is a plain text file that lists all groups on a Linux or Unix system. Each line represents one group and shows its name, a password field (usually just an 'x'), a numeric group ID (GID), and a list of users who are members of that group. This file is essential for managing permissions and access control in multi-user environments.
Commonly Confused With
The /etc/passwd file stores user account information including username, UID, primary GID, home directory, and shell. Unlike /etc/group, it focuses on users, not groups. The primary group for each user is listed in /etc/passwd, but supplementary group memberships are in /etc/group.
To find which groups a user belongs to, you need both files: /etc/passwd for primary group, and /etc/group for supplementary groups.
The /etc/gshadow file stores group passwords and group administrator information in a more secure, restricted-access format. While /etc/group is world-readable, /etc/gshadow is readable only by root. The 'x' in the password field of /etc/group directs the system to /etc/gshadow for the actual encrypted password.
If you run 'gpasswd projectx', the password hash is stored in /etc/gshadow, not in /etc/group.
The /etc/shadow file stores encrypted user passwords and password aging information. It is the counterpart to /etc/passwd for secure password storage. It is not directly related to group management, but like /etc/gshadow, it improves security by restricting read access to root.
User passwords are in /etc/shadow; group passwords are in /etc/gshadow. Both complement the public /etc/passwd and /etc/group files.
The /etc/login.defs file defines system-wide defaults for user and group creation, such as minimum and maximum UID/GID ranges, password aging defaults, and whether to create a group for each user. It influences how /etc/group entries are created but is not a list of groups itself.
If /etc/login.defs specifies GID_MIN 1000, new user groups created with useradd will have GIDs >= 1000.
Must Know for Exams
The /etc/group file is a recurring topic in major Linux and security certification exams, including the Linux Professional Institute (LPI) LPIC-1 (exam 101-500), CompTIA Linux+ (XK0-005), Red Hat Certified System Administrator (RHCSA), and Oracle Solaris Administration exams. It appears less frequently but still relevantly in CompTIA Security+ (SY0-601) when discussing file system permissions and access control models.
For LPIC-1 (101-500), objectives 104.1 (Create and manage filesystem permissions) and 104.2 (Manage user and group accounts) directly cover /etc/group. You must know the file format, the meaning of each field, and how to safely edit the file using vigr. Expect questions asking you to identify the correct order of fields, what the 'x' in the password field means, and what GID range is reserved for system groups.
In CompTIA Linux+ (XK0-005), exam objective 2.1 (Given a scenario, manage user and group accounts) requires you to understand /etc/group as part of group management. You may be asked to interpret the output of cat /etc/group and determine group membership. Troubleshooting scenarios might involve a user unable to access a file because they are not in the correct supplementary group, requiring you to add the user to the group via usermod -a -G.
For RHCSA, the exam expects you to create and manage groups using the groupadd, usermod, and gpasswd commands. You need to understand that the /etc/group file is the underlying data store. A typical exam task might be: 'Create a group called developers with GID 3000, add the user john as a secondary member, and ensure all members of the group can write to a shared directory.' This tests not only command knowledge but also understanding of how group membership (from /etc/group) interacts with directory permissions.
Question types include multiple-choice identifying group file components, fill-in-the-blank about the password field, and performance-based tasks that require you to edit /etc/group (or use commands) to fix a permissions issue. Knowing that the user list in /etc/group is comma-separated with no spaces is a detail that can save you on a tricky question.
Simple Meaning
Think of /etc/group as the master membership roster for a large organization. In any company, there are different teams: the sales team, the engineering team, the HR team, and so forth. Each team has a name, an ID number, and a list of employees who belong to it. When someone new joins the sales team, their name gets added to that team's list, giving them access to shared resources like the team's folder on the server, meeting rooms, or specific software licenses.
In the Linux world, /etc/group works exactly like that. Every group on the system gets an entry in this file. The entry includes the group's name (like 'developers' or 'admin'), a placeholder for a group password (which is almost never used in modern systems), a numeric group ID (GID) that the system uses internally to identify the group, and a comma-separated list of usernames who are members. When a user creates a file, the system assigns that file to the user's primary group by default. That group's permissions determine what other group members can do with the file-read it, write to it, or execute it.
What makes /etc/group particularly important is that it's one of the core files the operating system checks whenever a user tries to access a file or run a command that requires group privileges. Without this file, the system would have no way of knowing which users belong to which groups, and file permissions would become meaningless. It's a simple text file, but it underpins the entire permissions model on Unix-like systems.
Full Technical Definition
The /etc/group file is a local system database that defines group accounts on Unix and Linux operating systems. It is a plain ASCII text file, typically owned by root and readable by all users (permissions 644 by default). Each line in the file represents one group entry, structured into four colon-separated fields: group name, password, group ID (GID), and user list.
The formal format is: group_name:password:GID:user_list
Group name is a string of up to 32 characters, composed of letters, digits, underscores, and hyphens, and must be unique on the system. The password field historically stored an encrypted group password, but for security reasons, modern systems place an 'x' here, with the actual password stored in /etc/gshadow (if group passwords are used). In most contemporary deployments, group passwords are rarely implemented; the field is simply a placeholder.
The GID is an integer between 0 and 65535 (or higher on 64-bit systems). GIDs 0–99 are typically reserved for system groups, 100–999 for system groups on some distributions, and 1000+ for regular user groups. The system uses the GID as the internal identifier for group ownership and permissions.
The user list is a comma-separated list of usernames who are members of the group. This is a secondary membership list; users are also members of their primary group as defined in /etc/passwd. The /etc/group file only needs to list supplementary group memberships.
From a system perspective, when a user logs in and runs a command, the login process reads /etc/passwd to get the user's UID and primary GID. It also reads /etc/group to collect all supplementary groups the user belongs to. These group IDs are then attached to the user's process credentials. Whenever the user attempts to access a file or directory, the kernel checks the file's group ownership against the list of groups the user belongs to, applying group-class permissions accordingly.
Administrators typically manage /etc/group using commands like groupadd, groupmod, groupdel, usermod, and gpasswd. Direct editing with a text editor is possible but discouraged because it bypasses consistency checks and locking mechanisms. However, tools like vigr (a wrapper around vipw) are designed for safe editing of group files.
The Network Information Service (NIS) and Lightweight Directory Access Protocol (LDAP) can override local group files in enterprise environments, but /etc/group remains the local fallback. System administrators must ensure this file is consistent with /etc/passwd and that no duplicate GIDs exist, as duplicates can cause unpredictable permission behavior.
Real-Life Example
Imagine you live in a large apartment building with shared facilities: a gym, a rooftop garden, a laundry room, and a parking garage. The building manager keeps a master list called the 'Access Registry' that controls who can enter which areas. Each facility is like a group. The gym group might include residents who paid the gym fee; its entry in the registry says 'gym members: Alice, Bob, Carlos, Diana'. The parking group lists only those who rented a spot. The rooftop garden group might be open to all residents, so its list contains everyone.
Now, when Alice wants to enter the gym, the security guard at the entrance checks the Access Registry. He finds the 'gym' entry and sees Alice's name in the user list. Access granted. But if Frank, who never paid the gym fee, tries to get in, the guard checks the same entry, doesn't find Frank's name, and denies access. The guard does not need to know anything about Frank's personal preferences; the list is the authority.
In Linux, /etc/group is that Access Registry. Each group (like the gym) has its own line in the file with its member list. When you try to access a file that belongs to the 'gym' group, the system checks if your username appears in that group's line in /etc/group. If yes, you get the group permissions for that file; if no, you don't. The whole process is automatic and happens every time you access a file or directory.
This system works because the operating system can read the file quickly, line by line, without needing any complex database software. It's fast, transparent, and easy to edit directly if you have root access-just like the building manager can scribble a name on the Access Registry with a pen. But also like that registry, a careless edit could lock someone out or give unintended access, so most administrators use dedicated commands like groupadd instead of editing by hand.
Why This Term Matters
Understanding /etc/group is fundamental for any IT professional working with Linux systems because group management directly impacts security, access control, and system administration. In multi-user environments-whether a university computer lab, a corporate server, or a cloud instance-groups are the primary mechanism for sharing resources without compromising security. Instead of granting permissions to users individually, which becomes unmanageable with hundreds or thousands of users, administrators add users to groups and set permissions on files and directories at the group level. This is the principle of role-based access control (RBAC) in its simplest form.
From a security perspective, misconfigured /etc/group entries can lead to privilege escalation or unintended data exposure. An extra username in a sensitive group (like 'docker' or 'sudo') can give a user root-equivalent privileges. Conversely, omitting a user from a group they need can block productivity and generate support tickets. Automated configuration management tools like Ansible, Puppet, or Chef often manage /etc/group entries to ensure consistent group membership across hundreds of servers.
In the context of IT certifications, expect questions that test your knowledge of the file format, the relationship between /etc/group and /etc/passwd, and the commands used to modify group membership. You should know that user primary groups are set in /etc/passwd, while supplementary groups are managed through /etc/group. You should also be aware that group passwords, though rarely used, are stored in /etc/gshadow for security.
/etc/group is often examined alongside file permission questions. Understanding that a file's group ownership (shown by ls -l) must match one of the user's groups for group permissions to apply is a common point of confusion. A solid grasp of /etc/group helps clarify such scenarios.
How It Appears in Exam Questions
Questions about /etc/group on certification exams typically fall into several patterns: format identification, troubleshooting permission problems, editing the file safely, and understanding the relationship with /etc/passwd and /etc/gshadow.
A common format question shows a line from /etc/group and asks you to identify the fields. For example: 'Given the entry developers:x:1001:alice,bob, what is the purpose of the 'x'?' The answer is that it is a placeholder for the group password, with the actual encrypted password (if any) stored in /etc/gshadow. Another variant asks: 'What is the GID of the group described in this line?' The correct answer is 1001.
Troubleshooting scenarios are very common. For instance: 'User carol cannot write to the /project/data directory, which has group ownership 'project-team' and permissions 775. When you run groups carol, you see only her primary group 'staff'. What is the most likely cause?' The answer is that carol is not a member of the 'project-team' supplementary group in /etc/group. The fix is to add her using usermod -a -G project-team carol.
Another scenario: 'After adding user dave to the 'webdev' group by editing /etc/group directly, dave still cannot access files owned by the webdev group. What went wrong?' The correct answer is that user dave may have been already logged in at the time, and group membership changes require the user to log out and log back in (or use the newgrp command) for the new group to take effect in their session.
Configuration questions might ask: 'Which command safely edits the /etc/group file?' The answer is vigr (or vipw -g). Some exams also ask about the NIS (Network Information Service) influence: 'If the system is configured to use NIS for group information, what is the content of the password field in /etc/group?' The answer is '+' indicating that NIS should be used.
Performance-based tasks on the RHCSA might present you with a partially configured system and ask you to diagnose why a user cannot access a group-owned directory. You would check /etc/group, verify the user's membership, and then check the file's permissions and ownership using ls -l. Such integrated tasks test your practical understanding of how /etc/group is part of the broader permissions model.
Study CompTIA Linux+
Test your understanding with exam-style practice questions.
Example Scenario
You are a system administrator for a small company with five employees. The company has a shared project directory called /projects/website. The marketing team, which includes Jane and Mike, needs read and write access to this directory. The development team, which includes Tom and Susan, only needs read access. You decide to create two groups: 'marketing' and 'dev'.
First, you create the groups using the commands: sudo groupadd marketing and sudo groupadd dev. The system writes these entries to /etc/group. Looking at the file with cat /etc/group, you see two new lines at the bottom: marketing:x:1003: and dev:x:1004:. The user lists are empty so far because you haven't added anyone yet.
Next, you add Jane and Mike to the marketing group: sudo usermod -a -G marketing jane and similarly for mike. The -a flag appends marketing to their existing groups. Now when you cat /etc/group, the marketing line reads: marketing:x:1003:jane,mike. You add Tom and Susan to the dev group: sudo usermod -a -G dev tom and sudo usermod -a -G dev susan. The dev line becomes dev:x:1004:tom,susan.
Now you set the permissions on the /projects/website directory. You change its group ownership to marketing: sudo chown root:marketing /projects/website. Then set permissions 770: sudo chmod 770 /projects/website. This means owner (root) has full access, group marketing (Jane and Mike) have read, write, and execute, and others have no access. But Tom and Susan in the dev group can't even read it. You decide to give dev group read-only access by adding them as a secondary group with ACLs or by changing permissions. You modify permissions to 750: sudo chmod 750 /projects/website. Now marketing has full access, dev has read and execute, others have none. Tom can now list the directory and read files but cannot create or edit them.
If Jane later tries to create a new file in the directory, the file's group will default to Jane's primary group (usually her own user group) unless the directory has the setgid bit set. You can set the setgid bit: sudo chmod g+s /projects/website. This causes all new files created in that directory to inherit the directory's group (marketing), so Jane's new file will be group-owned by marketing, allowing Mike to edit it too. This scenario demonstrates how /etc/group entries control access through group membership.
Common Mistakes
Assuming the password field in /etc/group always has a real password.
In modern Linux systems, the 'x' in the password field indicates that the real password is stored in /etc/gshadow (if group passwords are used). It is extremely rare to actually set a group password; the field is almost always just a placeholder.
Remember that 'x' is a placeholder. If you need to set a group password, use the gpasswd command, which stores the encrypted password in /etc/gshadow, not in /etc/group.
Editing /etc/group with a regular text editor instead of using vigr or groupmod.
Direct editing can corrupt the file if there are concurrent edits, or if you accidentally break the format (e.g., adding a space after a comma). This can lead to group membership failures or system instability.
Always use vigr (or vigr -g) to safely edit /etc/group. This tool locks the file, validates syntax, and prevents races. Alternatively, use groupmod and usermod commands for targeted changes.
Thinking that changing /etc/group takes effect immediately for logged-in users without re-login or newgrp.
Group membership is determined at login time. A user already logged in will not see new group memberships until they log out and back in, or use the newgrp command to start a new shell with the updated groups.
After adding a user to a group, instruct them to log out and log back in. If immediate effect is needed, they can run 'exec newgrp <groupname>' or use 'su - username' to start a fresh login shell.
Confusing primary group in /etc/passwd with supplementary groups in /etc/group.
The /etc/passwd file defines the user's primary group (GID). The /etc/group file lists supplementary group memberships. A user is always a member of their primary group, regardless of what is in /etc/group. The /etc/group file adds additional groups on top of that.
Remember that a user's primary group comes from /etc/passwd, not /etc/group. The /etc/group file only manages secondary group associations. You can verify all groups a user belongs to with the 'groups' command or 'id' command.
Adding users to /etc/group list with spaces after commas, causing the username to not match.
The user list in /etc/group is comma-separated with no spaces. If you write 'alice, bob, charlie', the system will try to match the username ' bob' (with leading space), which does not exist, so Bob will not be considered a member.
Follow the exact format: no spaces after commas. Use usermod -a -G to let the system add the user correctly without manual formatting errors.
Exam Trap — Don't Get Fooled
{"trap":"An exam question shows /etc/group entry 'staff:x:100:alice,bob' and asks 'Which users are members of the staff group?' Many test-takers answer 'alice and bob' but forget that the primary group of users is also defined in /etc/passwd.","why_learners_choose_it":"Learners focus only on the user list field in /etc/group and forget that the primary group of a user (set in /etc/passwd) automatically makes them a member.
The /etc/group file only lists supplementary members, not all members.","how_to_avoid_it":"Read the question carefully. Usually, the question asks for 'supplementary members' or 'additional members' of the group.
If the question simply says 'members', you should consider the primary group membership as well. The /etc/group user list is only for users who have the group as a secondary group."
Step-by-Step Breakdown
System reads /etc/passwd for user's primary group
When a user logs in or a process starts, the system reads the user's entry from /etc/passwd. The fourth field of that entry is the primary GID. This GID defines the user's main group, and the user is automatically a member of that group. This happens even if the group is not listed in /etc/group.
System reads /etc/group for supplementary groups
Next, the system scans /etc/group looking for any line where the user's username appears in the comma-separated user list (the fourth field). For each match, that group's GID is added to the user's supplementary group list. This process collects all groups the user belongs to beyond their primary group.
Group information is attached to process credentials
The kernel attaches the user's UID and all group IDs (primary plus supplementary) to every process owned by the user. This is stored in the process's credential structure. Each time a file operation is performed, the kernel can quickly check these credentials against the file's owner and group.
File access decision based on group membership
When a user tries to read, write, or execute a file, the kernel checks the file's group ownership. If the file's GID matches any of the groups in the user's credential structure, the group permission bits (rwx for group) are applied. If not, the 'others' permission bits are used.
Group ownership assignment for new files
When a user creates a new file, the file's group is set to the user's primary GID by default. However, if the parent directory has the setgid bit set (chmod g+s), the file's group is inherited from the directory's group, which can be different from the user's primary group. This is important for shared workspaces.
Practical Mini-Lesson
In practice, managing /etc/group is a routine task for Linux administrators. The most common operation is adding a user to a supplementary group using the usermod command. For example, 'sudo usermod -a -G docker alice' adds user alice to the docker group. The -a (append) flag is critical-without it, -G alone would replace all existing supplementary groups with only 'docker', locking alice out of other groups.
After running usermod, the change is written to /etc/group immediately. However, the user alice will not see the new group in her current session. If alice is already logged in, she must log out and log back in, or run 'newgrp docker' to start a shell with the docker group. The 'newgrp' command changes the real GID of the current session, which is useful but can be confusing if not understood.
Professional administrators often use monitoring and audit tools to track changes to /etc/group. For example, the 'pwck' command validates the integrity of password and group files, checking for duplicate GIDs, missing user references, and format errors. Running 'sudo pwck -r /etc/group' will report issues without making changes. The 'grpck' command does the same specifically for group files.
Common problems include a user unable to access a shared directory. The troubleshooting flow is: first, verify user's group membership with the 'groups' or 'id' command. Then check the directory's group ownership with 'ls -ld'. If the user is not in the directory's group, you need to add them. If they are in the group but still denied, check the directory's permissions-maybe the group lacks execute (x) permission on a parent directory, which prevents access to the subdirectory.
Another scenario: after restoring from backup, /etc/group might be inconsistent. For instance, a user might be listed in /etc/group but the user account itself no longer exists in /etc/passwd. This does not break the system, but it leaves stale entries. Running 'grpck' will flag such orphans for cleanup.
For exam purposes, memorize the file format exactly: groupname:password:GID:userlist. No spaces after commas. GID 0 is reserved for root. System groups (like bin, daemon, sys) have GIDs under 100. User-created groups start at 1000 (or 500 on older systems). The password field is always 'x' on modern systems unless group passwords are enabled.
Finally, understand the relationship with the 'groups' command. Running 'groups username' shows all groups the user belongs to, combining the primary group from /etc/passwd and supplementary groups from /etc/group. This is the quickest way to check a user's effective group membership without reading raw files.
Memory Tip
Think of 'four fields, no spaces'-the /etc/group file has four colon-separated fields, and the user list must have commas without spaces.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
XK0-006CompTIA Linux+ →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)XK0-005XK0-006(current version)Related Glossary Terms
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
What happens if I accidentally delete /etc/group?
If /etc/group is missing, the system will still boot, but no group information will be available. All users will appear to have no supplementary groups. Many system services may fail because they depend on group membership. You can recover by creating a minimal /etc/group with root group (root:x:0:) and other essential groups.
Can I edit /etc/group with nano or vim?
Technically yes, but it is not recommended because direct editing bypasses locking and validation. Use 'vigr' (or 'vigr -g') which locks the file and checks syntax before saving. If you must use a regular editor, make a backup first and verify with 'grpck' afterward.
What is the difference between primary group and supplementary group?
A primary group is the group assigned to a user in /etc/passwd. Files created by the user default to this group. Supplementary groups are additional groups the user belongs to as listed in /etc/group. These provide extra permissions but do not affect file creation defaults unless the setgid bit is used.
How do I check all groups a user belongs to?
Use the command 'groups username' or 'id username'. The output shows the primary group first, then all supplementary groups. Alternatively, you can grep /etc/group for the username: 'grep username /etc/group'.
What does the 'x' in the password field mean?
The 'x' indicates that the group password, if any, is stored in the /etc/gshadow file, not in /etc/group. The /etc/group file is world-readable, so storing passwords there would be insecure. The 'x' is a placeholder that directs the system to look elsewhere for the password.
Can a group have no members?
Yes, a group entry can have an empty user list (the fourth field is blank after the last colon). This is common for newly created groups or groups used only for file ownership, not user membership.
Summary
The /etc/group file is a foundational component of Linux and Unix group management, defining supplementary group membership through a simple colon-delimited format. Each line contains the group name, a password placeholder ('x'), a numeric group ID (GID), and a comma-separated list of supplementary members. This file, combined with /etc/passwd (which stores the user's primary GID), determines the complete set of groups a user belongs to and thus controls access to files and resources based on group permissions.
For IT certification candidates, a solid understanding of /etc/group is essential for exams such as LPIC-1, CompTIA Linux+, RHCSA, and Security+. Expect questions on the file format, the meaning of each field, the use of vigr for safe editing, and troubleshooting scenarios where a user cannot access a file due to missing group membership. Memorize the exact syntax (no spaces after commas) and the fact that 'x' is not an actual password but a pointer to /etc/gshadow.
The biggest exam trap is forgetting that the user list in /etc/group only shows supplementary members, not the primary group membership which is stored in /etc/passwd. Always consider both files when asked about a user's full group membership. Practice with commands like usermod -a -G, groups, and id to reinforce this knowledge.
In real-world administration, /etc/group is the backbone of role-based access in multi-user environments. Whether you are granting access to a shared development directory or managing sudo privileges, accurate group membership in this file is critical. By mastering /etc/group, you gain confidence in both exam questions and daily sysadmin tasks.