System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Deleting all secondary groups

SOLVED
Go to solution
Matt Hearn
Regular Advisor

Deleting all secondary groups

I can't believe I'm the only person ever to run across this, but the forums seem to be utterly silent on the issue. How do you remove all the secondary groups from a user without manually editing /etc/group?

Our user administration is handled via security admins for whom we've written scripts to manage the users. They do not have full root access, so editing /etc/group isn't possible. The scripts just do some processing and then run a "useradd" or "usermod" or "groupadd," whatever's needed.

However, when trying to remove all the secondary groups from a user, usermod balks:

server:/root $ usermod -G "" test
Group does not exist
Group list specified with -G is invalid

I've tried it with '' instead of "", and that doesn't work either. Is it not possible to do this using usermod? Seems like that's a pretty big oversight. Am I missing something painfully obvious? I'm good at oversights myself. :)

Thanks!!!
7 REPLIES
Patrick Wallek
Honored Contributor

Re: Deleting all secondary groups

Hmm...This does appear to be a hole in the usermod command. I also tried going through SAM (on an 11.23 server) and removing all secondary groups, but the command errored.

When I looked in /var/sam/log/samlog for the command used, it appears that it runs /usr/sam/lbin/usermod.sam with the -G option to specify the secondary groups that the user STILL NEEDS. As you've seen if you specify a blank list, with the '-G' option then the command errors.

The only thing I can come up with is to create a group called "dummy" or "blank" or something, that you can specify for the users so it will remove all other groups.
Duncan Edmonstone
Honored Contributor
Solution

Re: Deleting all secondary groups

Not a perfect solution, but might work... The clue I think is in the man page for usermod:

-G group Specifies the integer group ID or character
string name of an existing group. This
redefines the supplemental group memberships
of the new login. Duplicates within group
with the -g and -G options are ignored.


Specifically "Duplicates within group with the -g and -G options are ignored."

So you can take advantage of that by specifying just the primary group for the user on the usermod command... for example, I have a user "duncan" primary group "users":

# grep duncan /etc/group
# grep duncan /etc/passwd
duncan:*:105:20::/home/duncan:/sbin/sh
# grep :20: /etc/group
users::20:root

Now I add this user to a couple of secondary groups:

# usermod -G dba,dba2 duncan
# grep duncan /etc/group
dba::200:oracle,duncan
dba2::102:duncan

Now I want to take the user out of those seondary groups:

# usermod -G users duncan
# grep duncan /etc/group
users::20:root,duncan

So user duncan now shows as having a secondary group membership of group "users" although that is actually its primary group - I'm not sure this matters apart from making the group file harder to read...

HTH

Duncan

HTH

Duncan
Duncan Edmonstone
Honored Contributor

Re: Deleting all secondary groups

Also, on 11.31 there are some extensions to the groupmod command which will allow you to accomplish this... using the same example as above, if user duncan is a secondary member of groups dba and dba2 then:

groupmod -d -l duncan dba
groupmod -d -l duncan dba2

would accomplish what you require

This isn't available on 11.11, and I don't have a 11.23 system to look at to see if this option exists, but I suspect not, as it doesn't appear on the 11.23 man pages on hp.com...

HTH

Duncan

HTH

Duncan
Steven E. Protter
Exalted Contributor

Re: Deleting all secondary groups

Shalom Matt,

The usermod -d commands should work.

These security users can be given the ability to run necessary commands without full root access with sudo.

http://software.hp.com has Internet Express which contains a very usable version of sudo.

sudo -l

As those users will let you know what commands they have, then you can add the necessary commands.

My feeling based on your post is the security users lack a necessary command in their sudo command set.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Matt Hearn
Regular Advisor

Re: Deleting all secondary groups

Hey Stephen; we use PowerBroker instead of sudo. The problem with allowing the admins to manually edit /etc/group isn't a technical limitation, but one of policy.

Using the technique of having it set the secondary to the same as the primary works, although it does add the user to the group's entry in /etc/group unnecessarily. It's not a big problem except that we have some groups that contain a lot of users and reach the 255 character /etc/group line limitation.

Thanks all!
Duncan Edmonstone
Honored Contributor

Re: Deleting all secondary groups

Matt,

OK re the line limitation, I'm sure you've seen the note in the usermod man page about this:

While modifying the user login, the username is not added to the
primary group entry in the /etc/group file. If a supplemental group
is specified, the user is added to the supplemental group. If the
size of a group entry in /etc/group file exceeds LINE_MAX limit, a new
entry of the same group is created and a warning message is issued.
See limits(5) for the value of LINE_MAX.


Makes for messy /etc/group files, but it at least works...

HTH

Duncan

HTH

Duncan
JimUrsetto
Visitor

Re: Deleting all secondary groups

Nice tip, groupmod -d does indeed work on 11.31.  As mentioned the groupmod command is present in 11.23 but doesn't allow you to modify group membership.