Today I Learned: Unix / Linux groups can have passwords

(Welcome to a new section on Zurgl: Today I Learned. As the name suggests, it’s for sharing Linux-related things I’ve just learned, even though I’ve been using Linux for over 20 years. Some of them may well be pretty basic (just like the following one) and even well-known; still, the “fun” part is that I’ve been able to work as a Linux sysadmin for two decades and administer several personal servers and use it as a desktop from time to time, and still hadn’t had a need for this until now.)

Did you know groups (not users) can have passwords, too? By default they don’t, but the groupadd command has a “-p” option (which expects an already encrypted password, so you’d need to encrypt it first and pass it in). There’s also a gpasswd command. And, yes, an /etc/gshadow file.

Supposedly, the purpose of group passwords is for users to be able to join a password-protected group with the newgrp command, as long as they enter the group password correctly. If the group doesn’t have a password, then only someone with root access can add a user to it.

(newgrp also allows a user to change their own primary group for the duration of a session, as long as it’s one of their supplementary groups.)
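
A defender's check built on the /etc/gshadow file mentioned above, as an added example that is not part of the original post: it lists the groups that have a usable password (anyone who knows it can enter the group with newgrp) together with the hash scheme in use. The function names, output format and sample entries are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report groups whose gshadow entry holds a usable password.
# gshadow(5) line format: name:password:administrators:members

audit_gshadow() {
    # $1: gshadow-format file, or "-" for stdin (default: /etc/gshadow, needs root)
    awk -F: '
        NF < 4 || $1 == "" { next }   # malformed line
        $2 == ""           { next }   # empty: no group password set
        $2 ~ /^[!*]/       { next }   # locked, or not a valid crypt(3) result
        {
            scheme = "des-or-unknown"
            if      ($2 ~ /^\$1\$/)        scheme = "md5crypt"
            else if ($2 ~ /^\$2[abxy]\$/)  scheme = "bcrypt"
            else if ($2 ~ /^\$5\$/)        scheme = "sha256crypt"
            else if ($2 ~ /^\$6\$/)        scheme = "sha512crypt"
            else if ($2 ~ /^\$y\$/)        scheme = "yescrypt"
            # Judgment call for this example: legacy schemes are flagged as weak.
            strength = (scheme == "md5crypt" || scheme == "des-or-unknown") ? "weak" : "ok"
            printf "%s scheme=%s strength=%s admins=%s\n",
                $1, scheme, strength, ($3 == "" ? "-" : $3)
        }
    ' "${1:-/etc/gshadow}"
}

# Constructed sample entries (placeholder strings, not real hashes).
sample_gshadow() {
    cat <<'EOF'
root:*::
wheel:!::alice
deploy:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:bob:carol
legacy:CONSTRUCTEDDES::
staging:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH::dave
nopass:::erin
EOF
}

sample_gshadow | audit_gshadow -
```

On a real system, run audit_gshadow with no argument as root; an empty result means no group can be entered by password.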
