gpasswd
Manage users within a Linux group
TLDR
Define group administrators
Set the list of group members
Create a password for the named group
Add a user to the named group
Remove a user from the named group
SYNOPSIS
gpasswd [OPTIONS] GROUP
gpasswd [-a|-d] USER GROUP
gpasswd [-A|-M] USER,... GROUP
gpasswd [-r|-R] GROUP
PARAMETERS
-a user group
Add user to group.
-d user group
Delete user from group.
-A user,... group
Set the specified comma-separated list of users as administrators for group. Existing administrators not in the list are removed.
-M user,... group
Set the specified comma-separated list of users as members of group. Existing members not in the list are removed.
-r group
Remove the password for group. Afterwards, only users who are already members can use newgrp to join this group.
-R group
Restrict access to group. Users who are not members of the group can no longer use newgrp with the group's password. Even members must supply the password to newgrp into the group.
group
The name of the group to operate on.
user
The name of the user to operate on (e.g., adding or deleting from a group).
user,...
A comma-separated list of usernames (used for setting administrators or members).
DESCRIPTION
The gpasswd command is a utility used to administer the /etc/gshadow file, which stores encrypted group passwords and designated group administrators. It provides a secure way to manage group-related information beyond what basic group management tools like groupmod offer, particularly concerning group passwords and administrator roles.
With gpasswd, system administrators or designated group administrators can perform various tasks including setting or removing a password for a group (allowing users to join the group via newgrp command if they know the password), adding or removing members from a group, and assigning users as administrators for specific groups. These group administrators are then empowered to manage the membership of their assigned groups without needing root privileges. It's a critical tool for robust and decentralized group management on Linux systems.
CAVEATS
Most operations with gpasswd require root privileges. However, a user designated as a group administrator for a specific group can use gpasswd to add or remove members from that particular group. Changes made using gpasswd (especially to group memberships) may not take immediate effect for logged-in users; they might need to log out and log back in, or use the newgrp command to update their group memberships.
GROUP ADMINISTRATORS
Users specified with the -A option become group administrators. A group administrator can add or remove users from their managed group using gpasswd without requiring root privileges. This feature enables decentralized management of specific groups, offloading some administrative tasks from the root user.
GROUP PASSWORDS
A group password (set by running gpasswd without any options, or by root) allows users who are not explicitly members of the group to temporarily join the group using the newgrp command, provided they know the password. This can be useful for granting temporary or conditional access to resources owned by a group without permanently adding users to the group's membership list.
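An added example (not part of the original page or of shadow-utils): a shell function that audits a gshadow-format file for the two kinds of delegated access described under GROUP ADMINISTRATORS and GROUP PASSWORDS. It assumes the gshadow(5) field layout name:password:administrators:members; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a gshadow-format file for delegated group control.
# Assumed field layout (gshadow(5)): name:password:administrators:members

# audit_gshadow FILE
# Prints one line per finding:
#   PASSWORD <group>       password field holds a usable hash (newgrp by password)
#   ADMIN <group> <user>   user can change membership without root (gpasswd -A)
#   MALFORMED line <n>     fewer than four colon-separated fields
audit_gshadow() {
    awk -F: '
        /^$/ { next }                            # skip empty lines
        NF < 4 { printf "MALFORMED line %d\n", NR; next }
        {
            pw = $2
            # Empty, "*" or a leading "!" means no usable group password.
            if (pw != "" && pw != "*" && substr(pw, 1, 1) != "!")
                printf "PASSWORD %s\n", $1
            n = split($3, admins, ",")
            for (i = 1; i <= n; i++)
                if (admins[i] != "")
                    printf "ADMIN %s %s\n", $1, admins[i]
        }
    ' "$1"
}

# Constructed sample data (not from a real system); the hash is a placeholder.
make_sample() {
    cat > "$1" <<'EOF'
root:*::
wheel:!::alice
projx:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:bob,carol:dave
backup:!:erin:
legacy:::frank
EOF
}

# Demonstration run on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
audit_gshadow "$sample"
rm -f "$sample"
```

On a real host, run `audit_gshadow /etc/gshadow` as root and review each ADMIN and PASSWORD line against the accounts that are meant to hold that access.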
HISTORY
gpasswd is part of the shadow-utils package, which provides a set of tools for managing user and group accounts and passwords in a secure manner. Its development was driven by the need to separate sensitive password information into a shadow file (/etc/gshadow), similar to how /etc/shadow works for user passwords. This enhances security by preventing unauthorized access to hashed passwords and allows for features like group administrators.