This answer assumes you use exclusively portable group and user identifiers as defined by the POSIX™ standard.
If you exclusively care about explicit group membership, i. e. statements “group X contains members …” as defined via an
/etc/groupfile, you can use:- Excluding network user accounts:
pw group show operator # or groupshow - Including users from other database sources as defined by
/etc/nsswitch.conf:getent group family
Either output can be filtered into a more readable form:
… | cut -d':' -f4 | tr ',''' | fmt- Excluding network user accounts:
If you want to learn about group membership including the primary group as defined via the 4th field of the traditional
passwdtext file database format, you need to either- ensure all such group membership definitions are logged explicitly (and redundantly) in
/etc/group, too, - or deduce this information from available data.
The former is not recommended or supported.The latter can be achieved in multiple ways.
- Write a shell script such as:
Or a bit slower since you need to repeatedly spawn a process (#!/bin/sh -u# name: members# description: show members of a group, or nothing in case of unknown groups# maintainer: J Doe <mailbox@host> # fill in in multi-sysadmin environmentsgetent group "${1:-}" | { # Determine the numeric group identifier and get explicit group members. # NB: Shell variables may experience a size limit. IFS=':' read -r group_name group_password group_identifier group_members # Now find implicit group members using the numeric group identifier. getent passwd | grep "^..*:..*:..*:${group_identifier}:" | cut -d':' -f1 # Since the preceding pipeline prints each user name on its own line, # print `${group_members}` one line each, too. [ "${group_members}" ] && printf '%s\n'"${group_members}" | tr ',''\n'} | sort -u # | { tr '\n''' ; printf '\n' ; } # if you prefer# EOFid):
The latter implementation may be useful if you have group names following a certain pattern, e. g.#!/bin/sh -u# name: members# description: show members of a group, the group name matching a shell pattern# maintainer: B Bourque <mailbox@host> # fill in in multi-sysadmin environments# In shell patterns asterisks expand to strings of any length (including 0).# The surrounding spaces are necessary for anchoring.expression="* ${1:?Error: Specify one group name as argument.} *"getent passwd | while IFS=':' read -r username remainderdo # `id -G` obtains all groups a user belongs to, # including the primary group specified in `passwd`. # The `-n` flag resolves numeric IDs to textual representations. groups=" $(id -Gn ${username}) " # The `##` means “remove largest prefix pattern”. # If the string becomes an empty string by this operation, # `[ "" ]` returns `false` so the `||` (“or else”) applies. [ "${groups##${expression}}" ] || printf '%s\n'"${username}"done | sort# EOFdepartmentX,departmentY,departmentZ.If you want to find users belonging to any department, you can invoke the script as./members.sh 'department*' # '…' to inhibit expansion in the invoking shell - If you have the
shells/bash,shells/zshor other feature‑rich shell port installed, you can perform text file operations using process substitution.Process substitution is the language construct of choice, because thejoinutility can handle at most one pipe (-for standard input) as parameter.Replaceoperatoras appropriate.join -t':' -1'1' -2'2' -a1 \<(getent group operator | cut -d':' -f3,4 ) \<(getent passwd | cut -d':' -f1,4 | sort -t':' -k2) \ | cut -d':' -f3- | tr ',:'''
- ensure all such group membership definitions are logged explicitly (and redundantly) in
Keep in mind that UNIX groups are not the only way supplying capabilities.For example:
- Files can have ACLs.
- Executable files can have the set‑group‑ID bit set.