Changes to group membership not respected by existing sessions

Question

I'm encountering an odd behavior with Linux permissions and group membership that's got me scratching my head. Here's the situation:

I have two users: alice and bob

alice@KAL:~$ id alice
uid=3000(alice) gid=3000(alice) groups=3000(alice)
alice@KAL:~$ id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob)

In alice's home directory, there is a subdirectory that I want to give write permission to bob.

(as alice)
alice@KAL:~$ mkdir shared
alice@KAL:~$ chmod g+w shared
alice@KAL:~$ ls -l
total 4
drwxrwxr-x 2 alice alice 4096 2012-05-15 23:56 shared

I add group alice (gid=3000) as one of bob's secondary groups

(as root)
root@KAL:~# id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob)
root@KAL:~# usermod -G 3000 bob
root@KAL:~# id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob),3000(alice)

I open a new terminal, and su as bob, and test my permissions in alice's home directory.

(initially as kp, su'ing as bob)
kp@KAL:~$ sudo su bob
bob@KAL:/home/kp$ cd /home/alice
bob@KAL:/home/alice$ ls -l
total 4
drwxrwxr-x 2 alice alice 4096 2012-05-15 23:56 shared
bob@KAL:/home/alice$ touch test
touch: cannot touch `test': Permission denied    <-- fails as expected
bob@KAL:/home/alice$ cd shared
bob@KAL:/home/alice/shared$ touch test     <-- succeeds as expected
bob@KAL:/home/alice/shared$ ls -l
total 0
-rw-r--r-- 1 bob bob 0 2012-05-16 00:02 test

In a separate terminal, and as root, I revoke bob's membership in group alice.

(root)
root@KAL:~# usermod -G 3001 bob
root@KAL:~# id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob)

Now, going back to the terminal where I'm su'ed as bob, it's clear that the membership revocation is recognized but not respected.

(as bob)
bob@KAL:/home/alice/shared$ id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob)   <-- group 3000 no longer secondary group
bob@KAL:/home/alice/shared$ touch test2        <-- should fail
bob@KAL:/home/alice/shared$ ls -l
total 0
-rw-r--r-- 1 bob bob 0 2012-05-16 00:02 test
-rw-r--r-- 1 bob bob 0 2012-05-16 00:20 test2
bob@KAL:/home/alice/shared$ rm test            <-- this should also fail
bob@KAL:/home/alice/shared$ ls -l
total 0
-rw-r--r-- 1 bob bob 0 2012-05-16 00:20 test2

If I now exit, and su as bob again, the change is group membership is now respected.

(as bob)
bob@KAL:/home/alice/shared$ exit
exit
kp@KAL:~$ sudo su bob
bob@KAL:/home/kp$ cd /home/alice/shared
bob@KAL:/home/alice/shared$ ls -l
total 0
-rw-r--r-- 1 bob bob 0 2012-05-16 00:20 test2
bob@KAL:/home/alice/shared$ touch test3
touch: cannot touch `test3': Permission denied   <-- now fails as expected
bob@KAL:/home/alice/shared$ id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob)
bob@KAL:/home/alice/shared$

Is this some artifact of using su? Are group memberships only determined at start of the shell?

(This is on a machine running Ubuntu Maverick 10.10 x86_64 2.6.35-32-generic and running bash shell.)

scai · Accepted Answer

Group memberships persist during sessions as they are applied to a process, i.e., your current shell.

Changes to group membership not respected by existing sessions

Answers (1)

Related Questions