Linux Group Permissions not being enforced correctly.

18

5

I am running Ubuntu 10.04 server and am having some very counter-intuitive experiences with users/groups. For example:

sudo touch test_file                    # create empty file
sudo groupadd test                      # create 'test' group
sudo chown root:test test_file          # change group of file to 'test'
sudo chmod g+rwx test_file              # give write permissions to group
sudo usermod -a -G test {my-user}       # add my user to 'test' group
touch test_file                         # touch the file as my current user

The last line produces a permissions error.

I have ensured that my user is part of the 'test' group (groups {my-user} confirms this). The group of test_file is also definitely set to 'test' and the group permissions are set.

Why can't my user write to the file test_file?

Gordon

Posted 2010-07-27T18:32:53.797

Reputation: 357

Answers

29

When adding a user to a new group, that won't be applied in any currently-running processes, only new ones. You need to log out and then log back in.

Daenyth

Posted 2010-07-27T18:32:53.797

Reputation: 5 742

4 Or hack su - username into your running console. You don't have to log out to log in this way :) – matthias krull – 2010-07-27T23:21:21.330
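The mismatch described in the answer above can be checked directly. This is an added example, not part of the original thread: it compares the groups held by the running shell (`id -Gn`) with the groups the account database lists for the same user (`id -Gn USER`). The function names and the sample user alice are hypothetical, and group names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: list groups granted in the account database that the
# current process does not hold yet (membership is read at login time).

# missing_groups HAVE WANT
# Both arguments are space-separated group-name lists (assumption: no
# whitespace or glob characters inside a name). Prints each name in WANT
# that is absent from HAVE, one per line.
missing_groups() {
    have=" $1 "
    for g in $2; do
        case "$have" in
            *" $g "*) ;;               # already in the process credentials
            *) printf '%s\n' "$g" ;;   # configured, but not active here
        esac
    done
}

# check_session: compare this shell with the database entry for its user.
check_session() {
    user=$(id -un)
    active=$(id -Gn)               # groups of the calling process
    configured=$(id -Gn "$user")   # groups looked up in the group database
    stale=$(missing_groups "$active" "$configured")
    if [ -n "$stale" ]; then
        echo "Configured but not active in this session:"
        echo "$stale"
        return 1
    fi
    echo "Session credentials match the group database."
}

# Constructed sample: a shell started before 'usermod -a -G test alice'.
missing_groups "alice adm" "alice adm test"   # prints: test
```

Run `check_session` in the affected terminal; any group it lists becomes effective only in a new login session.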

5

Both logging out and rebooting server methods didn't work for me.

This method however is working for me: (reference to this answer)

chmod g+rwxs <parent folder>

checksum

Posted 2010-07-27T18:32:53.797

Reputation: 1 304

1 What does the +s part do? Thanks. – tommy.carstensen – 2017-01-06T11:36:40.650

1 It sets the setuid bit. This allows a file to be run as the owner of the file. Suppose you have a file you want to run as root, no matter who the person is running the file, you would set the setuid bit for that file. – Julius – 2017-03-15T21:24:18.663

The key was x: looks like execution rights are needed for touch to work. – asac – 2018-05-19T20:35:29.427

0

You can use the newgrp command to change the user's current group ID. From man newgrp:

The newgrp command is used to change the current group ID during a login session. If the optional - flag is given, the user's environment will be reinitialized as though the user had logged in, otherwise the current environment, including current working directory, remains unchanged.

Paused until further notice.

Posted 2010-07-27T18:32:53.797

Reputation: 86 075

1 This also has the effect of replacing your current group. It's not always a good idea. – Daenyth – 2010-07-27T23:09:54.507

I would downvote this if I could. Overwriting groups could be very frustrating in the future... esp. with -R option! – Edward – 2018-06-02T15:12:15.557

0

Reboot the computer to make sure no stuck processes are preventing your user and groups from being enforced correctly during logout and login.

These steps should give your user in group test the write permission on test_file:

sudo touch test_file 
sudo groupadd test
sudo chown root:test test_file
sudo chmod g+rwx test_file
sudo usermod -a -G test {my-user}

Reboot the computer or do an Operating System logout of your user. A terminal restart is not enough.

touch test_file

The user can write to the file because it is a part of the 'test' group and the group has permission rwx.

Eric Leschinski

Posted 2010-07-27T18:32:53.797

Reputation: 5 303

3 There is no requirement that you must reboot the computer. – Kevin Panko – 2013-11-27T16:50:28.083