[Linux] Modifying Group Names and GIDs with the groupmod Command

Overview

The groupmod command is used to modify the definitions of existing groups, such as their names or Group IDs (GID). This tool is essential when you need to rename a group to match an organizational change or when you need to reassign GIDs during a system migration or security policy update. Changing a GID requires careful handling, as it significantly impacts file access permissions across the system.

Specifications (Arguments and Options)

Syntax

BASH

groupmod [options] [group_name]

Main Options

Option              Description
-n [new_name]       Renames the group.
-g [GID]            Changes the numeric Group ID (GID).
-o, --non-unique    Used with -g to allow the assignment of a duplicate (non-unique) GID.

Basic Usage

In this example, we rename an existing group from “mori_dev” to “mori_prod”. The Group ID (GID) remains unchanged; only the name is updated.

BASH

# Verify the group before the change
grep mori_dev /etc/group

# Rename 'mori_dev' to 'mori_prod'
sudo groupmod -n mori_prod mori_dev

# Verify the change (mori_dev is gone, replaced by mori_prod)
grep mori_prod /etc/group

Example Output

# Before change
mori_dev:x:1005:mori

# After change
mori_prod:x:1005:mori

Practical Commands

Changing the Group ID (GID)

This scenario involves changing only the numeric GID, which is the system’s internal identifier, while keeping the group name the same. Here, we change the GID of the “mori_prod” group to 2026.

BASH

# Change the GID to 2026
sudo groupmod -g 2026 mori_prod

# Verify the change
grep mori_prod /etc/group

Example Output

mori_prod:x:2026:mori

Customization

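Allowing Duplicate GIDs (-o): Normally, groupmod refuses to assign a GID that is already in use. For specific use cases like sharing privileges between groups, the -o option forces the assignment of a duplicate ID. Because file permission checks use the numeric GID rather than the group name, members of both groups then have identical group access to every file owned by that GID.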

BASH

# Assign the existing GID 1000 to the mori_sub group as well
sudo groupmod -g 1000 -o mori_sub

Important Notes

File Ownership Issues (Critical)

When you use groupmod -g to change a GID, the file system does not automatically update the group ownership of files previously owned by that group. Those files retain the old numeric GID (e.g., 1005), which no longer maps to any group name: ls -l shows the bare number where the group name used to be, and members of the group lose their group access to those files. If the old GID is later assigned to a different group, that group's members gain access to the leftover files. You must manually fix the ownership using the method described in the Advanced Usage section.

Impact of Renaming

Using the -n option to rename a group is generally safe because the underlying GID remains the same, meaning file permissions are not affected. However, you must manually update any configuration files (such as /etc/sudoers) that reference the group by its old name.

Active Login Sessions

If a user belonging to the modified group is currently logged in, the changes will not take effect until they log out and log back in.

Advanced Usage

Fixing File Ownership After GID Change

After changing a GID, you need to search the system for files still assigned to the old GID (in this case, 1005) and update them to the new GID (2026) or the new group name.

BASH

# Search for files with the old GID (1005) and change them to the new group (mori_prod)
# chgrp -h changes a matched symlink itself instead of the file it points to
sudo find / -gid 1005 -exec chgrp -h mori_prod {} +

Note: Searching from the root directory (/) can be slow. It is recommended to narrow the scope to specific directories like /home or /var.
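
The following is an added example, not part of the original article: a pre-flight check to run before groupmod -g, which reports GIDs already shared by several names (the result of -o) and refuses a target GID that is in use. The function names and the sample group data are constructed for illustration; the group "mori" with GID 1000 is an assumption.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before `groupmod -g`, run on a group(5)-format file.
# Function names and the sample data below are constructed for illustration.

SAMPLE_GROUPS='mori:x:1000:
mori_prod:x:1005:mori
mori_sub:x:1000:'

# Print the GID of group NAME; return 1 if the group does not exist.
gid_of() {                  # usage: gid_of GROUP_FILE NAME
  awk -F: -v n="$2" '$1 == n { print $3; found = 1 } END { exit !found }' "$1"
}

# Print "GID:name1,name2" for every GID shared by several names (the result of -o).
duplicate_gids() {          # usage: duplicate_gids GROUP_FILE
  awk -F: '{ names[$3] = (count[$3]++ ? (names[$3] "," $1) : $1) }
           END { for (g in count) if (count[g] > 1) print g ":" names[g] }' "$1" | sort -n
}

# Check that NEW_GID is free, then print the re-own step for the old GID.
# Returns 0 = safe (or nothing to do), 1 = GID already in use, 2 = unknown group.
preflight_gid_change() {    # usage: preflight_gid_change GROUP_FILE NAME NEW_GID
  local file="$1" name="$2" new="$3" old holders
  old=$(gid_of "$file" "$name") || { echo "ERROR: no such group: $name"; return 2; }
  [ "$old" = "$new" ] && { echo "NOOP: $name already has GID $new"; return 0; }
  holders=$(awk -F: -v g="$new" '$3 == g { print $1 }' "$file" | paste -sd, -)
  if [ -n "$holders" ]; then
    echo "CONFLICT: GID $new already belongs to $holders (groupmod would need -o)"
    return 1
  fi
  echo "OK: $name $old -> $new; afterwards: find PATH -gid $old -exec chgrp -h $name {} +"
}

# Demo on the constructed sample (a real run would pass /etc/group).
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_GROUPS" > "$demo_file"
duplicate_gids "$demo_file"
preflight_gid_change "$demo_file" mori_prod 2026
preflight_gid_change "$demo_file" mori_prod 1000 || true
rm -f "$demo_file"
```

On systems that resolve groups through LDAP or another NSS source, feed the functions the output of getent group saved to a file, since /etc/group alone does not list every GID in use.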

Summary

The groupmod command is the primary tool for renaming groups and modifying their IDs. While renaming with the -n option is a low-risk operation, changing the ID with the -g option directly affects file system consistency. Administrators must remember that changing a GID is a two-step process: running the groupmod command and then immediately running a find command to correct the file ownership on the disk.
