508

Which command should I use to remove a user from a group in Debian?

When adding a user to a group, it can be done with:

usermod -a -G group user

However, I could not find a similar command (accepting a group and user as arguments) for removing the user from the group. The closest I could get is:

usermod -G all,existing,groups,except,for,group user

Is there a command like usermod OPTION group user with OPTION an option to make usermod (or a similar program) remove the user from group?

Lekensteyn
  • 3
    For Fedora users who end up here, man usermod reveals in the -G option comments that listing all current groups you wish to be retained IS the way to delete a group. No -R option with Fedora; you must use Lekensteyn's approach he is trying to avoid. – Stephen Mar 25 '16 at 20:54
  • 1
    usermod -r USER -G GROUP works in Debian. – alireza Dec 10 '23 at 10:46

11 Answers

614

You can use gpasswd:

# gpasswd --delete user group

The new group config will be assigned at the next login. If the user is logged in, the effects of the command aren't seen immediately.

tshepang
  • 20
    Perfect, thanks! gpasswd -a user group for adding the user to the group seems also nicer, especially if a typo has been made and the -a option gets dropped. – Lekensteyn Jan 20 '12 at 16:43
  • 2
    Is there a way to make the change take effect without having to re-login? – Andy Fusniak Aug 11 '16 at 15:49
  • Interestingly, using this to remove the user from the nogroup group (in Ubuntu 18.04 LTS), did not really remove the user from the group, even though the command itself succeeded. (It was a --system account and there were no logins. I had to remove the account completely and then add it again.) – code_dredd Nov 15 '18 at 19:55
  • It took a whole restart for me to leave the "docker" group, somehow (Ubuntu 22.04). After logout + re-login, the output of "groups" still showed docker, and I could still call docker commands without sudo. – RobertG Jun 30 '22 at 09:19
240

On Debian, the adduser package contains a deluser program which removes a user from a group if you pass both as arguments:

deluser user group

If your distribution doesn't have adduser, you can edit /etc/group and /etc/gshadow manually.

vigr
vigr -s
96
usermod -G "" username

removes all secondary/supplementary groups from username, leaving them as a member of only their primary group. This worked in Solaris 5.9.

user208145
  • And this seems to be the best way to force the secondary groups to any list of groups, excluding all unlisted groups. – sage Aug 12 '16 at 17:53
  • If you execute it as a non-root user, you need to re-login to see the updated group list with the command 'groups'. – user3804598 Feb 06 '21 at 17:06
  • 6
    Note the question asked to remove the user from "a group" not all groups. – miken32 Feb 16 '23 at 18:56
21

This is the “old school” approach...

Most *nix systems maintain group information in a plain text file, /etc/group, where

  • each line contains the fields

    • group_name
    • password
    • GID, and
    • user_list

    delimited by the : character.

  • the user_list field is a list of user names, separated by commas.

Now suppose you want to remove a user named thisuser from a group named thatgroup.  Start by backing up /etc/group, then use the editor of your preference with su privileges to edit the file /etc/group and remove the thisuser reference from the thatgroup line entry, e.g.,

original line is something like this:

thatgroup:x:1274:someuser,thisuser,anotheruser

after editing should be left like this:

thatgroup:x:1274:someuser,anotheruser

As with all the other answers, this will not affect the user's current session(s), if any (i.e., if the user is currently logged in).  The change will take effect the next time the user logs in.

p57
  • 3
    vigr was already mentioned for editing /etc/group manually. My manual page says that user names are separated by commas, not by colons. Rebooting is not necessary, you just need to re-login (or use newgrp). – Lekensteyn Dec 10 '14 at 16:24
  • To assist any non-Debian users hitting these shores looking for clues... this may be enough for Debian as per the scope of OP's question, but if you were using this for a *BSD OS, you would need to modify the plaintext file here as mentioned, then issue a pwd_mkdb -p /etc/master.passwd to actually put that list into use. – danno Jul 19 '18 at 17:43
3

The command to add a group to a user:

usermod -aG group user

The command to remove a group from a user is:

usermod -rG group user
AdminBee
1

You can remove users from the group by executing the usermod command without the -a option. For example, executing

usermod -G group1 username

will add the user to group1 and remove it from any other groups it is in. Remember, you can keep users in various groups by listing the group names, separated with commas.

tshepang
Helper
1

You can use the below command on SUSE distributions (and, apparently, no others).

usermod -R group user_name

where group is the group that you want to remove the user from and user_name the user that you want to remove from the group. For example,

usermod -R root imnottheroot
  • 2
    What package provides your usermod binary? I'm asking to find out the version, as mine from shadow-utils-4.1.4.3 does not provide the -R option. – myroslav Oct 17 '13 at 10:42
  • 4
    My shadow 4.1.5.1-5 package (Arch Linux) does have an -R option, but that means something else. It's not Linux I guess. – Lekensteyn Oct 17 '13 at 14:51
  • 4
    I'm not sure this will work. The manpage is saying that -R is: "-R, --root CHROOT_DIR Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory. " – MikeKusold Jul 08 '14 at 23:34
  • 3
    The only things sort of related I could find was this oracle manpage, but that's still not about the same thing, so this answer should maybe be removed. – remmy Oct 05 '14 at 22:03
  • 1
    sudo usermod -R admin jenkins usermod: invalid chroot path 'admin' – Jonathan Oct 20 '14 at 17:18
0

On OpenBSD

usermod -S "" user
-1
pw groupmod "groupname|gid" -d "username|uid"

A solution if you are using CSH, for whatever reason.

james
-1

Consider:

  • username: abc2
  • group name: newgroup11

  • Task: Removing user abc2 from group newgroup11

[root@home1 ~]# groups abc2
abc2 : abc2
[root@home1 ~]# usermod -G newgroup11 abc2
[root@home1 ~]# groups abc2
abc2 : abc2 newgroup11
[root@home1 ~]# usermod -G newgroup11 abc2
[root@home1 ~]# usermod -G abc2 abc2
[root@home1 ~]# groups abc2
abc2 : abc2

** Kindly correct me if I am wrong. **

  • 4
    This "works", but only because you have a single secondary group. usermod -G newgroup11 abc2 will put you in the secondary group newgroup11. Since the primary group is abc2, you will end up in both groups. usermod -g abc2 abc2 results in newgroup11 being removed from the secondary groups because it is not mentioned anymore. So for three or more different groups, this method won't work. See the other answers involving gpasswd for a better command. – Lekensteyn Jan 17 '15 at 22:56
-1

To continue using usermod in a distro (like Fedora) which does not have a remove option, where user=bob and group=deletethisgroup, the command would be:

usermod -G `cat /etc/group | grep -E '[:,]bob(,|$)' | grep -v '^deletethisgroup:' | cut -d ':' -f 1 | tr '\n' ',' | sed 's/,$//'` bob

The pipes (1) get all group entries user belongs to, (2) take out the one which needs to be removed, (3) returns first column (group name), replaces newline with comma, and removes trailing comma.

Of course, you could put all that in a bash script which takes user and group to be deleted as parameters. awk could be used to shorten the end but I wanted to stick to grep, cut, tr and sed.

Stephen
  • According to this man page, gpasswd -d bob deletethisgroup is available too. Any reason why you are not using it? – Lekensteyn Mar 27 '16 at 00:08
  • Not everyone wants to set up group passwords. I was just offering a solution using the command that was referenced by the question on a particular distro. In Fedora/RHEL/CentOS with gpasswd -d the removed user can still join the group if he has access to the password. It actually increases group access as opposed to disallowing it. – Stephen Mar 27 '16 at 04:11
  • I understood that the utility is named gpasswd because it is closely related to /etc/passwd, but instead manages groups. Unlike the plain passwd command which just controls passwords, gpasswd can also be used to manage membership of a group. A group password is not required if you are root or a group administrator. – Lekensteyn Mar 27 '16 at 15:46
  • Did you read the gpasswd manual? For Fedora/RHEL/CentOS, if you read the manual, it is stated that the command "is used to administer /etc/group, and /etc/gshadow". It actually has no effect on /etc/passwd. Manual also states "Group passwords are an inherent security problem since more than one person is permitted to know the password." It does not actually manage membership of a group, it opens the group up to ANY user with the password. A group password is not required if you are already a MEMBER of the group. – Stephen Mar 28 '16 at 02:19
  • Closely related was in the sense of similar naming and purposes, I did not imply that the /etc/passwd file is actually managed by gpasswd. Note that "man page" in my first comment points to the gpasswd manual page for Fedora 13. Using gpasswd $group you can set the group password which causes the security issue you mentioned. However you can also not have a password and use gpasswd -d $user $group to delete a user as described in the first comment and accepted answer. Note that this command does not prompt for a group password nor does it modify or require it. – Lekensteyn Mar 28 '16 at 20:42
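
The script the last answer suggests, as an added example that is not part of any post above: it uses awk and the /etc/group field layout from the "old school" answer to compare user and group names as whole fields, so bob does not match bobby and deletethisgroup does not match deletethisgroup2. The function names and the sample group file are constructed for illustration, and the last function only prints the usermod command instead of running it.

```shell
#!/bin/sh
# Added example. Print the comma-separated supplementary groups of USER,
# leaving out GROUP, by exact field comparison on an /etc/group-format file.
# Usage: groups_without USER GROUP [GROUP_FILE]
groups_without() {
    awk -F: -v user="$1" -v drop="$2" '
        $1 == drop { next }                 # exact group-name match, not substring
        {
            n = split($4, members, ",")     # field 4 is the user_list
            for (i = 1; i <= n; i++)
                if (members[i] == user) {   # exact member match: bob != bobby
                    out = out (out == "" ? "" : ",") $1
                    break
                }
        }
        END { print out }
    ' "${3:-/etc/group}"
}

# Succeed only if USER is listed as a member of GROUP.
is_member() {
    awk -F: -v user="$1" -v grp="$2" '
        $1 == grp {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == user) found = 1
        }
        END { exit !found }
    ' "${3:-/etc/group}"
}

# Dry run: print the usermod command. Refuses when USER is not in GROUP, so a
# typo in either name cannot silently rewrite the membership list.
remove_from_group_cmd() {
    is_member "$1" "$2" "$3" || { echo "$1 is not in $2" >&2; return 1; }
    printf 'usermod -G "%s" %s\n' "$(groups_without "$1" "$2" "$3")" "$1"
}

# Constructed sample in /etc/group format (not from a real system).
sample_group_file() {
    cat <<'EOF'
bob:x:1000:
wheel:x:10:alice,bob
deletethisgroup:x:1274:bob,bobby
deletethisgroup2:x:1275:bob
bobby:x:1001:
devs:x:1300:bobby
EOF
}
```

Only memberships listed in the group file are seen; the user's primary group comes from /etc/passwd and is not touched by usermod -G.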