Deleting all secondary groups
05-31-2011 10:12 AM
Our user administration is handled via security admins for whom we've written scripts to manage the users. They do not have full root access, so editing /etc/group isn't possible. The scripts just do some processing and then run a "useradd" or "usermod" or "groupadd," whatever's needed.
However, when trying to remove all the secondary groups from a user, usermod balks:
server:/root $ usermod -G "" test
Group does not exist
Group list specified with -G is invalid
I've tried it with '' instead of "", and that doesn't work either. Is it not possible to do this using usermod? Seems like that's a pretty big oversight. Am I missing something painfully obvious? I'm good at oversights myself. :)
Thanks!!!
05-31-2011 11:27 AM
Re: Deleting all secondary groups
When I looked in /var/sam/log/samlog for the command used, it appears that it runs /usr/sam/lbin/usermod.sam with the -G option to specify the secondary groups that the user STILL NEEDS. As you've seen, if you specify a blank list with the '-G' option, then the command errors.
The only thing I can come up with is to create a group called "dummy" or "blank" or something, that you can specify for the users so it will remove all other groups.
06-01-2011 02:02 AM
Solution
-G group       Specifies the integer group ID or character
               string name of an existing group. This
               redefines the supplemental group memberships
               of the new login. Duplicates within group
               with the -g and -G options are ignored.
Specifically "Duplicates within group with the -g and -G options are ignored."
So you can take advantage of that by specifying just the primary group for the user on the usermod command... for example, I have a user "duncan" primary group "users":
# grep duncan /etc/group
# grep duncan /etc/passwd
duncan:*:105:20::/home/duncan:/sbin/sh
# grep :20: /etc/group
users::20:root
Now I add this user to a couple of secondary groups:
# usermod -G dba,dba2 duncan
# grep duncan /etc/group
dba::200:oracle,duncan
dba2::102:duncan
Now I want to take the user out of those secondary groups:
# usermod -G users duncan
# grep duncan /etc/group
users::20:root,duncan
So user duncan now shows as having a secondary group membership of group "users" although that is actually its primary group - I'm not sure this matters apart from making the group file harder to read...
HTH
Duncan
I am an HPE Employee
06-01-2011 04:47 AM
Re: Deleting all secondary groups
groupmod -d -l duncan dba
groupmod -d -l duncan dba2
would accomplish what you require
This isn't available on 11.11, and I don't have an 11.23 system to look at to see if this option exists, but I suspect not, as it doesn't appear on the 11.23 man pages on hp.com...
HTH
Duncan
I am an HPE Employee
06-01-2011 06:00 AM
Re: Deleting all secondary groups
The usermod -d commands should work.
These security users can be given the ability to run necessary commands without full root access with sudo.
http://software.hp.com has Internet Express which contains a very usable version of sudo.
sudo -l
As those users will let you know what commands they have, then you can add the necessary commands.
My feeling based on your post is the security users lack a necessary command in their sudo command set.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
06-01-2011 07:51 AM
Re: Deleting all secondary groups
Using the technique of having it set the secondary to the same as the primary works, although it does add the user to the group's entry in /etc/group unnecessarily. It's not a big problem except that we have some groups that contain a lot of users and reach the 255 character /etc/group line limitation.
Thanks all!
06-01-2011 08:30 AM
Re: Deleting all secondary groups
OK re the line limitation, I'm sure you've seen the note in the usermod man page about this:
While modifying the user login, the username is not added to the
primary group entry in the /etc/group file. If a supplemental group
is specified, the user is added to the supplemental group. If the
size of a group entry in /etc/group file exceeds LINE_MAX limit, a new
entry of the same group is created and a warning message is issued.
See limits(5) for the value of LINE_MAX.
Makes for messy /etc/group files, but it at least works...
HTH
Duncan
I am an HPE Employee
08-28-2013 07:41 AM
Re: Deleting all secondary groups
Nice tip, groupmod -d does indeed work on 11.31. As mentioned, the groupmod command is present in 11.23 but doesn't allow you to modify group membership.
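
The side effects raised in this thread (a user listed in its own primary group after the `usermod -G <primary>` workaround, group lines reaching the 255-character limit, and group entries split at LINE_MAX) can be found with a read-only audit of passwd- and group-format files. This is an added example, not code from any post in the thread; the function names are hypothetical and the sample file contents are constructed from the thread's example user.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/passwd- and /etc/group-format
# files for the side effects discussed above. Reads files only; changes nothing.

# Groups that list user $1 as a member in group file $2 (its secondary groups).
secondary_groups() {
    awk -F: -v u="$1" '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }' "$2"
}

# "user:group" pairs where the user is listed in its own primary group,
# the residue left by "usermod -G <primary group> <user>".
redundant_primary() {   # $1 = passwd file, $2 = group file
    awk -F: 'NR == FNR { gid[$1] = $4; next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if ((m[i] in gid) && gid[m[i]] == $3) print m[i] ":" $1 }' "$1" "$2"
}

# Group names that appear on more than one line (entries split at LINE_MAX).
split_groups() {
    awk -F: '{ c[$1]++ } END { for (g in c) if (c[g] > 1) print g }' "$1" | sort
}

# "group:length" for lines in file $1 that are $2 characters or longer.
long_entries() {
    awk -F: -v max="$2" 'length($0) >= max { print $1 ":" length($0) }' "$1"
}

# Constructed sample data modelled on the thread's example user.
TMP=$(mktemp -d) && trap 'rm -rf "$TMP"' EXIT
PASSWD="$TMP/passwd" GROUP="$TMP/group"
cat > "$PASSWD" <<'EOF'
root:*:0:3::/:/sbin/sh
duncan:*:105:20::/home/duncan:/sbin/sh
oracle:*:106:201::/home/oracle:/sbin/sh
EOF
cat > "$GROUP" <<'EOF'
users::20:root,duncan
dba::200:oracle,duncan
dba2::102:duncan
dba2::102:alice
EOF

echo "secondary groups of duncan:"; secondary_groups duncan "$GROUP"
echo "listed in own primary group:"; redundant_primary "$PASSWD" "$GROUP"
echo "split group entries:"; split_groups "$GROUP"
echo "entries of 255+ characters:"; long_entries "$GROUP" 255
```

Run against copies of the real files, the `secondary_groups` output is the list of groups to pass one at a time to `groupmod -d -l <user> <group>` on releases where, per the thread, that option works.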