For various administrative purposes, in particular, controlling access to files and other system resources, it is useful to organize users into groups.
The set of groups to which a user belongs is defined by the combination of the group ID field in the user’s password entry and the groups under which the user is listed in the group file. This strange split of information across two files is historical in origin. In early UNIX implementations, a user could be a member of only one group at a time. A user’s initial group membership at login was determined by the group ID field of the password file and could be changed thereafter using the newgrp(1) command, which required the user to supply the group password (if the group was password protected). 4.2BSD introduced the concept of multiple simultaneous group memberships, which was later standardized in POSIX.1-1990. Under this scheme, the group file listed the extra group memberships of each user. (The groups(1) command displays the groups of which the shell process is a member, or, if one or more usernames are supplied as command-line arguments, then the group memberships of those users.)
The group file, /etc/group, contains one line for each group in the system. Each line consists of four colon-separated fields, as in the following examples:
users:x:100:
jambit:x:106:claus,felli,frank,harti,markus,martin,mtk,paul
In order, these fields are as follows:
Group name: This is the name of the group. Like the login name in the password file, we can consider this to be the human-readable (symbolic) identifier corresponding to the numeric group identifier.
Encrypted password: This field contains an optional password for the group. With the advent of multiple group memberships, group passwords are nowadays rarely used on UNIX systems. Nevertheless, it is possible to place a password on a group (a privileged user can do this using the gpasswd command). If a user is not a member of the group, newgrp(1) requests this password before starting a new shell whose group memberships include that group. If password shadowing is enabled, then this field is ignored (in this case, conventionally it contains just the letter x, but any string, including an empty string, may appear) and the encrypted passwords are actually kept in the shadow group file, /etc/gshadow, which can be accessed only by privileged users and programs. Group passwords are encrypted in a similar fashion to user passwords (Password Encryption and User Authentication).
Group ID (GID): This is the numeric ID for this group. There is normally one group defined with the group ID 0, named root (like the /etc/passwd record with user ID of 0, but unlike the user ID 0, this group has no special privileges). On Linux 2.2 and earlier, group IDs are maintained as 16-bit values, allowing the range 0 through to 65,535; on Linux 2.4 and later, they are stored using 32 bits.
User list: This is a comma-separated list of names of users who are members of this group. (This list consists of usernames rather than user IDs, since, as noted earlier, user IDs are not necessarily unique in the password file.)
To record that the user avr is a member of the groups users, staff, and teach, we would see the following record in the password file:
avr:x:1001:100:Anthony Robins:/home/avr:/bin/bash
And the following records would appear in the group file:
users:x:100:
staff:x:101:mtk,avr,martinl
teach:x:104:avr,rlb,alc
The fourth field of the password record, containing the group ID 100, specifies membership of the group users. The remaining group memberships are indicated by listing avr once in each of the relevant records in the group file.
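The following added example (not code from the book) shows the two-file lookup described above in working form: it parses constructed /etc/passwd and /etc/group records in the four-field and seven-field formats just described, then derives a user's complete group set the way groups(1) does, combining the GID from the password record with every group record that lists the username. The record contents, the helper names, and the treatment of a missing group entry are all my own assumptions. Note that the function also copes with two edge cases a real file throws up: a group whose user list is empty (the `users:x:100:` record) and a user whose primary group is also listed explicitly in the group file (which must not produce a duplicate).

```python
"""Derive a user's group memberships from /etc/passwd and /etc/group records.

Added example, not from the book. The sample records below are constructed
from the text above; names such as parse_group_line are my own.
"""
from typing import Dict, List, NamedTuple, Set

# Constructed sample data (not a real system's files).
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
avr:x:1001:100:Anthony Robins:/home/avr:/bin/bash
mtk:x:1000:100:Michael Kerrisk:/home/mtk:/bin/bash
"""

GROUP_TEXT = """\
root:x:0:
users:x:100:
staff:x:101:mtk,avr,martinl
teach:x:104:avr,rlb,alc
jambit:x:106:claus,felli,frank,harti,markus,martin,mtk,paul
"""


class GroupEntry(NamedTuple):
    name: str
    password: str        # "x" under shadowing; never interpreted here
    gid: int
    members: List[str]   # usernames, not UIDs (UIDs need not be unique)


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int             # fourth field: the primary group


def parse_group_line(line: str) -> GroupEntry:
    """Parse one group record: name:password:gid:member,member,..."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError(f"malformed group record: {line!r}")
    name, password, gid, members = fields
    # An empty user-list field yields an empty list, not [""].
    member_list = [m for m in members.split(",") if m]
    return GroupEntry(name, password, int(gid), member_list)


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one password record; only the name, UID and GID are kept."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd record: {line!r}")
    return PasswdEntry(fields[0], int(fields[2]), int(fields[3]))


def parse_groups(text: str) -> Dict[str, GroupEntry]:
    return {e.name: e for e in (parse_group_line(l) for l in text.splitlines() if l)}


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    return {e.name: e for e in (parse_passwd_line(l) for l in text.splitlines() if l)}


def group_ids_of(user: str, passwd: Dict[str, PasswdEntry],
                 groups: Dict[str, GroupEntry]) -> Set[int]:
    """GIDs the user belongs to: primary GID plus every group listing the name.

    Using a set means a user listed explicitly in their own primary group is
    counted once. The primary GID is included even if no group record defines
    it, since the kernel still grants membership of that numeric ID.
    """
    pw = passwd[user]                      # KeyError for an unknown user
    gids = {pw.gid}
    gids.update(g.gid for g in groups.values() if user in g.members)
    return gids


def group_names_of(user: str, passwd: Dict[str, PasswdEntry],
                   groups: Dict[str, GroupEntry]) -> List[str]:
    """Names of the user's groups, sorted; a GID with no record appears as '#<gid>'."""
    by_gid = {g.gid: g.name for g in groups.values()}
    return sorted(by_gid.get(gid, f"#{gid}") for gid in group_ids_of(user, passwd, groups))


if __name__ == "__main__":
    pw_db = parse_passwd(PASSWD_TEXT)
    gr_db = parse_groups(GROUP_TEXT)
    for name in pw_db:                     # mimics the output of groups(1)
        print(name, ":", " ".join(group_names_of(name, pw_db, gr_db)))
```

Running the block prints, for avr, the three groups users, staff and teach: one from the password record's GID field and two from the group-file user lists, exactly as the text explains.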