Changes to group membership not respected by existing sessions

I'm encountering an odd behavior with Linux permissions and group membership that's got me scratching my head. Here's the situation:

  1. I have two users: alice and bob

    alice@KAL:~$ id alice
    uid=3000(alice) gid=3000(alice) groups=3000(alice)
    alice@KAL:~$ id bob
    uid=3001(bob) gid=3001(bob) groups=3001(bob)
    
  2. In alice's home directory, there is a subdirectory that I want to give write permission to bob.

    (as alice)
    alice@KAL:~$ mkdir shared
    alice@KAL:~$ chmod g+w shared
    alice@KAL:~$ ls -l
    total 4
    drwxrwxr-x 2 alice alice 4096 2012-05-15 23:56 shared
    
  3. I add group alice (gid=3000) as one of bob's secondary groups

    (as root)
    root@KAL:~# id bob
    uid=3001(bob) gid=3001(bob) groups=3001(bob)
    root@KAL:~# usermod -G 3000 bob
    root@KAL:~# id bob
    uid=3001(bob) gid=3001(bob) groups=3001(bob),3000(alice)
    
  4. I open a new terminal, and su as bob, and test my permissions in alice's home directory.

    (initially as kp, su'ing as bob)
    kp@KAL:~$ sudo su bob
    bob@KAL:/home/kp$ cd /home/alice
    bob@KAL:/home/alice$ ls -l
    total 4
    drwxrwxr-x 2 alice alice 4096 2012-05-15 23:56 shared
    bob@KAL:/home/alice$ touch test
    touch: cannot touch `test': Permission denied    <-- fails as expected
    bob@KAL:/home/alice$ cd shared
    bob@KAL:/home/alice/shared$ touch test     <-- succeeds as expected
    bob@KAL:/home/alice/shared$ ls -l
    total 0
    -rw-r--r-- 1 bob bob 0 2012-05-16 00:02 test
    
  5. In a separate terminal, and as root, I revoke bob's membership in group alice.

    (root)
    root@KAL:~# usermod -G 3001 bob
    root@KAL:~# id bob
    uid=3001(bob) gid=3001(bob) groups=3001(bob)
    
  6. Now, going back to the terminal where I'm su'ed as bob, it's clear that the membership revocation is recognized but not respected.

    (as bob)
    bob@KAL:/home/alice/shared$ id bob
    uid=3001(bob) gid=3001(bob) groups=3001(bob)   <-- group 3000 no longer secondary group
    bob@KAL:/home/alice/shared$ touch test2        <-- should fail
    bob@KAL:/home/alice/shared$ ls -l
    total 0
    -rw-r--r-- 1 bob bob 0 2012-05-16 00:02 test
    -rw-r--r-- 1 bob bob 0 2012-05-16 00:20 test2
    bob@KAL:/home/alice/shared$ rm test            <-- this should also fail
    bob@KAL:/home/alice/shared$ ls -l
    total 0
    -rw-r--r-- 1 bob bob 0 2012-05-16 00:20 test2
    
  7. If I now exit, and su as bob again, the change in group membership is now respected.

    (as bob)
    bob@KAL:/home/alice/shared$ exit
    exit
    kp@KAL:~$ sudo su bob
    bob@KAL:/home/kp$ cd /home/alice/shared
    bob@KAL:/home/alice/shared$ ls -l
    total 0
    -rw-r--r-- 1 bob bob 0 2012-05-16 00:20 test2
    bob@KAL:/home/alice/shared$ touch test3
    touch: cannot touch `test3': Permission denied   <-- now fails as expected
    bob@KAL:/home/alice/shared$ id bob
    uid=3001(bob) gid=3001(bob) groups=3001(bob)
    bob@KAL:/home/alice/shared$ 
    

Is this some artifact of using su? Are group memberships only determined at start of the shell?

(This is on a machine running Ubuntu Maverick 10.10 x86_64 2.6.35-32-generic and running bash shell.)

KP. asked Oct 07 '22 19:10

1 Answer

Group memberships persist during sessions as they are applied to a process, i.e., your current shell.

scai answered Oct 10 '22 11:10
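To make the answer's point concrete: `id bob` (with a username) reads the group database, whereas the kernel checks the supplementary-group list stored in each process, which was populated when the su/login session started (plain `id` with no argument prints that per-process list). The following C program is an added example, not from the question or answer; it compares the two views for the current user, and the names `stale_groups`, `database_groups` and `MAXG` are chosen here.

```c
/* Added example, not from the original post: compare the supplementary
 * groups the *current process* carries (what the kernel consults on every
 * access check) with the groups the user database grants the same user
 * (what `id <user>` prints). A gid found in the first set but not the
 * second is a membership the session still holds after revocation. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

#define MAXG 256

/* Count the gids in proc[] that are absent from db[]; those gids are
 * copied to out[], which must have room for nproc entries. */
int stale_groups(const gid_t *proc, int nproc,
                 const gid_t *db, int ndb, gid_t *out) {
    int n = 0;
    for (int i = 0; i < nproc; i++) {
        int found = 0;
        for (int j = 0; j < ndb; j++)
            if (proc[i] == db[j]) { found = 1; break; }
        if (!found) out[n++] = proc[i];
    }
    return n;
}

/* Fill db[] with the groups the database currently grants `user`
 * (primary plus supplementary). Returns the count, or -1 on failure. */
int database_groups(const char *user, gid_t *db, int max) {
    struct passwd *pw = getpwnam(user);
    int n = max;
    if (!pw || getgrouplist(user, pw->pw_gid, db, &n) == -1) return -1;
    return n;
}

int main(void) {
    gid_t proc[MAXG], db[MAXG], stale[MAXG];
    int nproc = getgroups(MAXG, proc);          /* kernel's per-process list */
    if (nproc < 0) { perror("getgroups"); return 1; }
    struct passwd *pw = getpwuid(geteuid());
    int ndb = pw ? database_groups(pw->pw_name, db, MAXG) : -1;
    if (ndb < 0) { fprintf(stderr, "cannot resolve current user\n"); return 1; }
    int ns = stale_groups(proc, nproc, db, ndb, stale);
    printf("%s: %d gid(s) held by this process but no longer in the database\n",
           pw->pw_name, ns);
    for (int i = 0; i < ns; i++) printf("  stale gid %u\n", (unsigned)stale[i]);
    return ns ? 2 : 0;   /* non-zero exit signals a stale session */
}
```

Run it inside the su'd shell from step 6 and it reports gid 3000 as stale; a new session (step 7) reports none, because the new process gets its list freshly from the database.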