Is a reboot required to refresh permissions after adding a user to a new group?

Question

On ubuntu server, I've noticed more than once now that after adding a user to a group that user doesn't have group permissions until I reboot the system. For example:

User 'hudson' needs permission to read directory 'root:shadow /etc/shadow' So I add hudson to the shadow group. hudson still cannot read. So, I 'sudo shutdown -h -r now' and when the system comes up again user hudson can read.

Is a reboot required or is there a better way to get permissions applied after adding the user to the group?

Answer 1

I was looking for a solution, came across this post, and then later found one!

I'd thought I'd actually offer a solution so others can benefit. Logging in and out is so 1995.

Taken from:

https://arkaitzj.wordpress.com/2010/03/08/linux-add-user-to-a-group-without-logout/

So if you needed to get permissions for the cdrom group you just added your user to:

newgrp cdrom 

for example

So the steps would be:

#adduser my_user cdrom

and then

$newgrp cdrom

I've confirmed that it works.

A simple $groups check from the CLI shows the user is in the group. And a quick execution with needed privileges from that group works.

No need to kill your windows and login and logout! Hope that helps others!

Additional Information (based on jytou's helpful comment): "[This] solution will work only for the current opened shell. If you have another shell open, you'll need to use the same command to take the changes into account."

Answer 2

When adding a user to a new group, the user must log out and log back in for it to take affect. While a reboot will accomplish that, it should not be required.

Answer 3

Adding a user to a group does not effect currently logged in users.

In the case of a daemon, you need to restart it for new groups to be applied.

Furthermore, restarting the daemon using an option in the daemon itself will not work as that will inherit the current environment.

The easiest way to get it to work is to fully stop the daemon and start it again, as in..

/etc/init.d/foo stop ; /etc/init.d/foo start

Answer 4

that is much more easiere, you can check your current access level by typing:

id

to reload your groups you just need:

su - $USER

after that check access level again:

id

and you will see new group is now active.

Answer 5

There's a different failure mode which should also be addressed here.

If the admin updated /etc/group but failed to update /etc/gshadow (on systems which have this setup), logging out and back in will not actually assign you to the new group.

Confusingly, groups will show you the real, current situation, whereas id will incorrectly print output which indicates that you are properly a member of the group.

tripleee@vbvntv$ groups
tripleee

tripleee@vbvntv$ id
uid=1234(tripleee) gid=1234(tripleee) groups=1234(tripleee),4(adm)

tripleee@vbvntv$ ls -l /var/log/mail.log
-rw-r----- 1 root adm 15728 May 26 14:26 /var/log/mail.log

tripleee@vbvntv$ tail /var/log/mail.log
tail: cannot open `/var/log/mail.log' for reading: Permission denied

I can't use newgrp because it asks for a password, and I don't have a password, only SSH public key authentication.

The solution would be for the admin to revert the manual edit of /etc/groups and then do it again with sudo gpasswd -a tripleee adm; or alternatively, to use grpconv to merge the changes (which I picked up from https://serverfault.com/a/389719/98333)