I changed permissions of a file (chmod g+w testfile) and running ls -l testfile gives:
-rwxrwxr-x 1 user1 user1 0 2011-01-24 20:36 testfile
I then added a user to that group ("/etc/group" has user1:x:1000:user2 line), but am failing to edit that file as user2. Why is this so?
user2 needs to log out and back in. Group permissions work this way:
/etc/passwd, plus all the groups where your user is mentioned in /etc/group. (More precisely, the pw_gid field in getpw(your_uid), plus all the groups of which your user is an explicit member. Beyond /etc/passwd and /etc/group, the information may come from other kinds of user databases such as NIS or LDAP.) The main group becomes the process's effective group ID and the other groups become its supplementary group IDs.As you can see, your change to the user's group membership only takes effect when the user logs in. For running processes, it's too late. So the user needs to log out and back in. If that's too much trouble, the user can log in to a separate session (e.g. on a different console, or with ssh localhost).
Under the hood, a process can only ever lose privileges (user IDs, group IDs, capabilities). The kernel starts the init process (the first process after boot) running as root, and every process is ultimately descended from that process¹. The login process (or sshd, or the part of your desktop manager that logs you in) is still running as root. Part of its job is to drop the root privileges and switch to the proper user and groups.
There's one single exception: executing a setuid or setgid program. That program receives additional permissions: it can choose to act under various subsets of the parent process's memberships plus the additional membership in the user or group that owns the setxid executable. In particular, a setuid root program has root permissions, hence can do everything²; this is how programs like su and sudo can do their job.
¹
There are occasionally processes that aren't derived from init (initrd, udev) but the principle is the same: start as root and lose privileges over time.
²
Barring multilevel security frameworks such as SELinux.
Thanks to this knowledge, I was able to get the right permissions without logging out just by reloading Finder (holt alt while right clicking on it in the Dock), then re-launching Terminal from Finder.
– Chris Oct 12 '21 at 00:21You might need to have user2 log out and back in (or just try ssh'ing in to create a new login session). Check the output of id --groups to show the numeric group ids for a user.
sudo su $(whoami)
Essentially the same workaround as ssh localhost, but usable without having an ssh server installed.
So long as you have root . But if you've just added a new group & changed permissions, you likely do.
The newgrp command can be used. It enabled the user to temporarily (in a new shell) change their primary group to a specified value.
Add the user1 group to user2
sudo usermod -a -G user1 user2
As user2 call newgrp user1
user2% newgrp user1
user2% id
uid=1001(user2) gid=1000(user1)
groups=1000(user1),...,1001(user2)
then user2's primary group will immediately be user1, and a file write will result as user1 being the group owner. However, the primary group specified in /etc/passwd is not changed.
As user2 call newgrp user1 again
user2% newgrp user2
user2% id
uid=1001(user2) gid=1001(user2)
groups=1001(user2),...,1000(user1)
and user2's primary group will immediately be set back to user2, while user2 will still belong to group user1. This is the effect that was initially expected from sudo usermod -a -G user1 user2, but did not happen immediately. In this state a file write will result as user2 being the group owner.
newgrp results in a new shell. In bash this results in incrementing the value of the environment variable SHLVL by 1. After exiting the shell created by newgrp the effects are reversed, with no side effects. For that reason there still might conceivably be use cases where logout/reboot or some other solution is required, so I leave my previous answer below, which worked when logout didn't work, and avoided having to reboot. However, in practice, I find that newgrp is sufficient to cover every use case I face.I found that the selected answer's suggestion
user2 needs to log out and back in. ... The kernel starts the init process (the first process after boot) running as root, and every process is ultimately descended from that process [and so it needs to be killed by logging out]
didn't work in Ubuntu 20.04 from the "Logout" GUI option, and that after logging out and back in this 'init' process with an older start time was remaining
root 1 0.0 0.1 168096 11744 ? Ss 12:45 0:02 /sbin/init
Killing that might solve it, but I didn't do that, instead I killed this user process which also had an older timestamp
craig 1790 0.0 0.0 169360 3784 ? S 12:46 0:00 (sd-pam)
simply because of my weak understanding that "pam" is a module for authenticating users. It worked, and thereafter id showed self with the correct group permissions.
Failure of logout to solve problem might (or might not) be related to systemd. I think maybe so after reading this.
(sd-pam) must be restarted after a logout, presumably because the authorizations that thread manages have not been updated.
– Craig Hicks
Oct 11 '20 at 23:33
systemd, because (sd-pam) is systemd related process, as indicated by the obscure reference. An answer for a subset of of the class Unix & Linux is also valuable.
– Craig Hicks
Oct 11 '20 at 23:41
(sd-pam) process (verifiably killed) has no impact, neither good nor bad. Also after logout (truly logout, not switch user) and login.
– Frank N
Feb 14 '21 at 16:33
There is a case when user logout does not help - if you are using ControlMaster ssh directive for the host. If you add your account to a group, logoff and logon again within the same ControlMaster connection, the session will still be showing you no new membership. You will have to forcibly break the Master connection with
ssh -O exit hostname
before loggin on again.
su seems to be enough in some cases, no need to sudo.
If there are any drawbacks, it would be interesting to know, please comment.
su --login $(whoami)
From man su:
su allows to run commands with a substitute user and group ID.
su [options] [-] [user [argument...]]
It is recommended to always use the
--loginoption (instead of its shortcut-) to avoid side effects caused by mixing environments.
-, -l, --login Start the shell as a login shell with an environment similar to a real login:
TERM and variables--whitelist-environmentHOME, SHELL, USER, LOGNAME, and PATHargv[0] of the shell to '-' in order to make the shell a login shell
You need to "reload" the groups of the current user. If you want to do it without having to start a new shell use the following command:
exec su -l $USER
exec replaces the current process image with a new process image, that is defined by the su -l $USER command, which is basically a new shell for the current user
I can confirm, that under Ubuntu-MATE 20.04 x64 LTS nothing but reboot helps. Logout (truly, not switch user…) is not enough. All newgrp tricks are limited as expected to that one terminal.
What did work?
sudo loginctl terminate-user <user>
Panels + Plank dissappear immediately. (Naturally, all your other stuff should be long saved and closed when you do this.) Background and your terminal shell stay around for another 10 seconds or so, a bit “stunned” and unresponsive (feels a bit like a killall mate-settings-daemon...), before you get kicked …err logged out.
Logging in again and you get the $> groups you always wanted... <3
Kudos to this solution on askubuntu.
Further plausible explanation in same thread. (tl;dr: some user-related task do not truly end upon logout but hang around... kill them while in the greeter, using a pure text session might be another option...)
