# Add new user to multiple groups using pw.



## Phishfry (Jul 22, 2020)

I am trying to build a function for adding a new user to a NanoBSD build.
What I am unsure about is the `pw` -g or -G command option.





				




I have two groups I want to add the user to. They are wheel and operator.
-G provides a secondary group comma delineated list of groups, whereas -g provides a 'primary' group.
So which of these is correct?
`pw adduser -n gui -c 'gui' -d /gui -G wheel,operator -m -s /bin/tcsh -w none`
Or
`pw adduser -n gui -c 'gui' -d /gui -g wheel -G operator -m -s /bin/tcsh -w none`


I may also have to add a video group as well.
`pw adduser -n gui -c 'gui' -d /gui -g wheel -G operator,video -m -s /bin/tcsh -w none`


----------



## memreflect (Jul 23, 2020)

In my unprofessional opinion, you should prefer `-G` over `-g`.

When you use the `-g` option, the newly created user will not be added to the member list of that group in the group(5) file, unlike with `-G`:

```
ROOT# grep foo /etc/group
ROOT# pw useradd -n foo -w none && grep foo /etc/group
foo:*:1002:
ROOT# pw useradd -n bar -g foo -w none && grep foo /etc/group
foo:*:1002:
ROOT# pw useradd -n quux -G foo -w none && grep foo /etc/group
foo:*:1002:quux
ROOT# su bar
$ groups
foo
$ exit
```

Additionally, if the member list for a group is empty in /etc/group, as it was before user *quux* was added above, deleting a user with the same name as the group will delete the group from /etc/group.  This can be accomplished by first deleting user *quux*, then user *foo*.  Note that the primary login group of user *bar* is still the GID of the deleted group named _foo_:

```
ROOT# grep foo /etc/group
foo:*:1002:quux
ROOT# pw userdel -n quux && grep foo /etc/group
foo:*:1002:
ROOT# pw userdel -n foo && grep foo /etc/group
ROOT# su bar
$ groups
1002
$ exit
```
Tools that rely on group names will break when this sort of scenario occurs.

On the other hand, if user *foo* was deleted first, group _foo_ would persist, even after deleting users *bar* and *quux*, because *quux* was a member of group _foo_ when you deleted user *foo*, which would mean you'd have a useless entry in /etc/group once all users of that group were removed.  While you'd potentially have useless entries with `-G` as well, it will at least avoid the situation where the group name disappears for users that continue to use the group.

*EDIT*
I feel I should also mention that other than that aspect, there's seemingly little difference between the primary login group specified with `-g` and supplementary groups specified with `-G`.  According to passwd(5):


> The group field is the group that the user will be placed in upon login.
> Since this system supports multiple groups (see groups(1)) this field
> currently has little special meaning.



Unless I'm missing something, `-G` is definitely the way to go.  If you don't like the user-specific groups that serve no purpose, you can always create a new group just for users and specify that as the primary login group (e.g. `-g _users`; hopefully no user is named *_users*).


----------



## aragats (Jul 23, 2020)

memreflect said:


> there's seemingly little difference between the primary login group specified with  -g and supplementary groups specified with  -G


It's happened to me a couple of times that a piece of software refused to run by a user whose primary group was "wheel". Now I cannot remember what software it was.


----------



## Phishfry (Jul 23, 2020)

It seems that the -G option is working fine for me.

```
cust_gui_user() (
    pw -V ${NANO_WORLDDIR}/etc/ adduser -n gui -c 'gui' -d /gui -G wheel,operator -m -s /bin/tcsh -w none
)
```


----------



## memreflect (Jul 23, 2020)

aragats said:


> It's happened to me a couple of times that a piece of software refused to run by a user whose primary group was "wheel". Now I cannot remember what software it was.


On FreeBSD, the primary group for the *root* and *toor* users is “wheel”, so maybe it was software that cannot run as root?  Whatever it was, nothing in the OS seems to have such a problem, so it was a conscious choice to make the software behave that way.

It's worth mentioning, however, that security(7) recommends against setting a user's primary group to “wheel”, so that would be an insecure solution anyway as they'd be able to use su(1) and would just need the password to gain root access:


> One way to make root accessible is to add appropriate staff accounts
> to the “wheel” group (in /etc/group). The staff members placed in the
> wheel group are allowed to su(1) to root. You should never give staff
> members native wheel access by putting them in the wheel group in
> ...


----------
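
Added example, not part of any post above: a shell check for the two conditions memreflect describes, a primary GID left without an /etc/group entry and non-root accounts that hold wheel either as primary group or through its member list. The function name, finding labels and sample files are constructed for illustration; on a NanoBSD build the two arguments would be the passwd and group files under `${NANO_WORLDDIR}/etc/`.

```shell
#!/bin/sh
# Added example: audit passwd(5)/group(5) files for the group problems above.
# audit_groups and the finding labels are hypothetical names.
# Usage: audit_groups PASSWD_FILE GROUP_FILE   (gid is field 4 of passwd)
audit_groups() {
    awk -F: '
        /^#/ { next }                          # skip comment lines
        FILENAME == ARGV[1] {                  # group: name:pw:gid:members
            if (NF < 3) next
            gname[$3] = $1
            if ($1 == "wheel") {
                wheel_gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") in_wheel[m[i]] = 1
            }
            next
        }
        NF < 4 { next }                        # passwd: name:pw:uid:gid:...
        {
            # Primary GID with no group entry: groups(1) shows a bare number.
            if (!($4 in gname)) print "ORPHAN_GID " $1 " " $4
            if ($3 == 0) next                  # root/toor are expected in wheel
            if (wheel_gid != "" && $4 == wheel_gid) print "WHEEL_PRIMARY " $1
            if ($1 in in_wheel) print "WHEEL_MEMBER " $1
        }
    ' "$2" "$1"
}

# Constructed sample data: bar keeps GID 1002 after group foo was deleted,
# gui was created with -g wheel, gui2 (made-up name) with -G wheel,operator.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/group" <<'EOF'
wheel:*:0:root,gui2
operator:*:5:root,gui,gui2
gui2:*:1004:
EOF
    cat > "$d/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
bar:*:1003:1002:User &:/home/bar:/bin/sh
gui:*:1001:0:gui:/gui:/bin/tcsh
gui2:*:1004:1004:gui:/gui:/bin/tcsh
EOF
    audit_groups "$d/passwd" "$d/group"
    rm -rf "$d"
}

demo
```
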



## Mjölnir (Jul 23, 2020)

`pw usermod <user> -G <groups>` replaces _all_ existing secondary groups for that user.  In many cases, it is preferable to use `pw groupmod <group> -m <newmembers>` instead.  I.e. the last command inside a
`for grp in $groups; do pw groupmod $grp -m $user; done` loop.


----------



## VladiBG (Jul 23, 2020)

If you omit the "-g" when creating a new user, a group with the same username will be created.


----------

