Reload a Linux user's group assignments without logging out

377

110

When assigning a user's secondary group list using:

# usermod -G <grouplist> <user>

is it possible to force this group assignment to take effect without logging out all running sessions?

This would be very useful in the situation where a Screen session exists with many running shells, as the entire session essentially needs to be destroyed to make the group assignment take effect.

I think I can change the user's primary group in a running shell using the newgrp command - is there some alternative that would work for secondary groups?

Ideally, I'd want something that would take effect in each shell without being run manually in every one, but failing that, maybe some way of forcing Screen to execute the same command in each.

Simon

Posted 2011-04-17T19:50:06.473

Reputation: 4 232

I know that at least for some window / session managers it's possible to do this such that the session picks up the new group and it's available to any new processes started from the menus, panel buttons or whatever. I came here just now looking to find that again, so can't say just now how to do it, and it's probably specific to the window manager. – mc0e – 2015-11-09T14:27:17.137

Answers

221

Horribly hacky, but you could use two layers of newgrp to achieve this for a particular group:

id -g

...will give you the current primary group ID. We'll call this orig_group for the purposes of this example. Then:

newgrp <new group name>

...will switch you to that group as the primary and add it to the list of groups returned by groups or id -G. Now, a further:

newgrp <orig_group>

...will get you a shell in which you can see the new group and the primary is the original one.

This is horrible and will only get you one group added at a time, but it has helped me out a couple of times to get groups added without logging out/in my whole X session (e.g. to get fuse added as a group to a user so that sshfs will work).

Edit : This doesn't require you to type your password either, which su will.

Legooolas

Posted 2011-04-17T19:50:06.473

Reputation: 4 530

This also doesn't require a password, which su does. – Legooolas – 2015-06-19T08:07:49.213

2I found it was sufficient to do newgrp <new group name>. This was Ubuntu 14.04 – Edward Falk – 2016-03-18T21:42:46.777

5@EdwardFalk right, but you don't (might not) want to leave that group as your primary... – mimoralea – 2016-05-26T22:08:32.803

For new group name I had to specify the group that was missing from the first id. – Raffi – 2016-10-11T07:58:14.823

This doesn't seem to work... newgrp -<orig_group> will resolve to a login that doesn't include the <new_group_name>.. Are you sure this answer is still functional? – user3467349 – 2016-12-15T22:08:29.753

@user3467349 where does that dash - before <orig_group> come from? The command should be newgrp <orig_group> <== notice, no dash – pepoluan – 2016-12-16T15:24:22.430

The - was a typo but your answer 100% doesn't work. – user3467349 – 2016-12-27T13:02:48.787

try it: groupadd example_group; sudo usermod -aG example_group; original_group=$(id -gn); newgrp example_group; newgrp $original_group; than look at the output of groups. example_group is not in there. – user3467349 – 2016-12-27T13:09:33.463

4Note that each newgrp creates a new shell, so when you need to fully exit from your session you need to do "exit exit exit" to get all the way out (: – jwd – 2017-01-04T17:45:43.347

Didn't work on Ubuntu 18.04. Asked for password and failed. newgrp docker resulted in newgrp: failed to crypt password with previous salt: Invalid argument. su method below worked. – rickfoosusa – 2018-07-31T20:38:10.093

See https://stackoverflow.com/a/10080117/925978 for how to do this inside a script; you need heredocs.

– crockeea – 2019-05-01T21:58:00.430

2@jwd You can avoid exit; exit; exit you could use exec to replace the current shell like exec newgrp new_group, then exec newgrp orig_group. – Tacahiroy – 2019-09-06T06:41:49.590

6Nice trick, I like it – Simon – 2011-10-10T19:40:54.167

1On Fedora I had to do newgrp $USER instead of newgrp <orig_group>. That means I didn't have to find my original primary group ID, so it's even easier than this solution. – Richard Turner – 2014-01-03T17:08:01.247

400

From inside a shell, you can issue the following command

su - $USER

id will now list the new group:

id

stivlo

Posted 2011-04-17T19:50:06.473

Reputation: 4 417

1You can make the command slightly more generic like so: su - $USER – bmaupin – 2015-03-26T22:32:15.650

2This requires you to type a password though, which might be awkward/unwanted if you are trying to do it in lots of sessions. – Legooolas – 2016-04-15T13:20:34.887

Could you please explain what does this? Also would be great why is better or the differences with other solutions like newgrp - and exec su -l $USER. – Pablo A – 2017-07-23T17:32:32.960

The one below with exec is a bit better, doesn't create a subshell. – Gringo Suave – 2018-05-01T18:39:16.870

Note that you won't be able to run X applications without doing export DISPLAY=:0.0 after su - $USER. (Or replace ":0.0" with whatever echo $DISPLAY outputs.) – nijoakim – 2019-12-19T13:07:00.933

su - your_login is the most elegant and simple way. – Hermann Schwarz – 2020-01-10T09:01:26.170

3I think this the best approach in many cases, but the original poster did want to update multiple shells within a screen session. This solution would have be be done from each shell. – Adrian Ratnapala – 2011-12-13T08:57:50.717

4The original solution would also only fix a single shell session in screen. I just tested that. The reason this solution works is because you are spawning a complete new session rather than inheriting from the original environment. – Dror – 2014-02-06T05:24:46.643

168

This nifty trick from this link works great!

exec su -l $USER

I figured I'd post it here as every time I forget how to do this, this is the first link that come up in google.

jhaagsma

Posted 2011-04-17T19:50:06.473

Reputation: 1 828

19+1 for not putting the user in a subshell; you can logout/exit as usual with this. Also, if NOPASSWD: is set in /etc/sudoers, you can instead use exec sudo su -l $USER to avoid being prompted for password. – Ivan X – 2014-08-09T15:06:41.357

21Be advised: you'll be asked for a sudo password. If you get it wrong, your terminal will close. – Tyler Collier – 2015-02-26T18:57:15.777

1@TylerCollier Ivan did mention NOPASSWD: – pepoluan – 2016-12-16T15:27:04.930

This only works for an interactive shell, If you try to put it in a bash.sh script as soon as this command is run the script will stop. On this related question, https://unix.stackexchange.com/questions/18897/problem-while-running-newgrp-command-in-script, Gilles points out that this is just the way Linux processes work. Ansible will let you refresh group but it only works for ssh connections not localhost https://stackoverflow.com/questions/26677064/create-and-use-group-without-restart For localhost I've worked around it by using EC2's Userdata to pre-add the group before my first login.

– neokyle – 2019-12-30T04:15:51.073

1. Getting a shell with the new group without logging out and in again

If you're only adding one group, I used the following:

exec sg <new group name> newgrp `id -gn`

This is a variation on Legooolas's two-layer newgrp trick, but it is in one line and doesn't require you to manually enter your primary group.

sg is newgrp but accepting a command to execute with the new group ID. The exec means that the new shell replaces the existing shell, so you don't need to "logout" twice.

Unlike using su, you don't need to type in your password. It also doesn't refresh your environment (other than adding the group), so you retain your current working directory etc.

2. Executing the command in all Screen windows in a session

The at command in Screen runs a command in whatever windows you specify (note this is a Screen command, not a shell command).

You can use the following command to send the command to all an existing Screen sessions:

screen -S <session_name> -X at \# stuff "exec sg <new_group_name> newgrp \`id -gn\`^M"

Note the need to escape the backticks to get id to run in the Screen session, and the ^M to get Screen to hit 'enter' at the end of your command.

Note also that screen's stuff command simply types the command text on your behalf. Therefore something strange may happen if one of the screen windows has a half-written command at a command prompt or is running an application other than a shell (e.g. emacs, top). If this is an issue, I have some ideas:

To get rid of any half-written command, you can add "^C" to the start of the command.
To avoid running the command in an emacs window, etc, you could ask `at' to filter on window title etc (in the example above, I use "#", which matches all windows, but you can filter by window title, user, etc).

To run the command in a specific window (identified by window number), use the following:

screen -S <session_name> -p 0 -X stuff "exec sg <new_group_name> newgrp \`id -gn\`^M"

Patrick Conheady

Posted 2011-04-17T19:50:06.473

Reputation: 451

Using newgrp command solved problem for me:

newgrp <GroupName>

This blog post has detailed explanation.

Pavan Vegirouthu

Posted 2011-04-17T19:50:06.473

Reputation: 199

You can do this.

Add as many groups as you want using usermod -G. Then, as the user with a running session, run newgrp - with just the '-' argument.

This reinitializes the group id to the default, but it will also set the secondary groups as well. You can verify this by running groups from the current session, before and after the usermod and the newgrp.

This has to be run from each open session - I don't know much about screen. However, if it's possible to iterate over all open sessions and run newgrp, you should be good. You won't have to worry about knowing the groups or the group IDs.

Best of luck to you.

lunchmeat317

Posted 2011-04-17T19:50:06.473

Reputation: 476

2Tried on Amazon linux 2, it did not work – Cyril Duchon-Doris – 2018-03-28T14:53:19.493

2newgrp - starts a new shell process – Piotr Findeisen – 2018-04-24T13:05:01.360

In light of your comment on the answer by Mister_Tom, this is, as all of the other answers, a workaround. Mister_Tom's answer is still correct. – scravy – 2019-09-13T09:28:44.313

11tried on an xterm within an X session but it did not work – dwery – 2012-07-10T19:27:07.910

3tried in on a session in tmux and it did not work there either – Michael – 2013-02-12T03:32:16.557

Groups are usually enumerated at login, there is no way I know of to force it to re-do group enumeration without logging out and back in again.

Many answers voted up here seem to use a workaround that invokes a new shell with fresh environment (same as logging in again). the parent shell and all other continuously running programs will generally not receive the new group membership until being re-invoked from a fresh shell usually after clean logout and login.

Mister_Tom

Posted 2011-04-17T19:50:06.473

Reputation: 502

1Thank you for pointing this out, this is also my understanding. Every other answer here simply opens a new shell, no matter whether it replaces one open shell or restarts screen or whatever. There is no magical panacea to issue a command or script and have every running session, including your X session, reflect the new group memberships. – scravy – 2019-09-13T09:30:45.703

Truthfully, I'm pretty sure that this isn't true - I'd found a way to do it before on a Linux box. However, for the life of me, I cannot remember what the command was. If I find it, I'll post it. Edit: Just found it, I'm posting it as an answer. – lunchmeat317 – 2012-01-30T16:11:24.520

To summarize:

exec newgrp <newlyaddedgroupname1>
exec newgrp <newlyaddedgroupname2>
...
exec newgrp -

Using 'exec' means replace the existing shell with the new shell started by the newgrp command (so exiting from the new shell logs you out).

The final newgrp - is needed to restore your normal primary group, so files you later create will have that as their group owner.

Note: The original poster's question was how to make newly-added groups visible in existing processes. The gpasswd and usermod commands don't affect existing processes; newly-added (or deleted!) groups appear in (disappear from) your account, i.e. in the /etc/group and /etc/gshadow files, but permissions for existing processes aren't changed. To remove permissions you have to kill any running processes; newgrp - will not re-read /etc/group and reset the group list; instead, it seems to just use the groups previously associated with the process.

jimav

Posted 2011-04-17T19:50:06.473

Reputation: 51

By the way, exec su - <username> can be used to get a new login shell with groups set, but that won't work in scripts because a new shell will read commands from the terminal. You could use su -c "command ..." <myusername> to restart your script, but the resulting process has no controlling terminal and so an error will occur if a screen editor or other interactive command is attempted. – jimav – 2017-02-10T23:30:37.810

Why was this downvoted? Can someone explain what's bad about it, because it was what occurred to me and I think I like it best? – jasonmp85 – 2017-03-08T00:02:39.823

Gah, I voted it up before testing. newgrp - does not replace the "primary group". Patrick Conheady's answer is the best one here, as it neither forks nor changes the primary group. – jasonmp85 – 2017-03-08T00:30:21.913

I couldn't get the newgrp command to work. I'm not sure if this depends on /etc/sudoers, but I normally have to type my password for sudo, and this worked without requiring my password:

[leo60228@leonix:~]$ groups
users wheel

[leo60228@leonix:~]$ sudo echo hi
[sudo] password for leo60228:
hi

[leo60228@leonix:~]$ sudo -k # reset sudo timeout

[leo60228@leonix:~]$ exec sudo -i -u $(whoami) # no password necessary

[leo60228@leonix:~]$ groups
users wheel docker

leo60228

Posted 2011-04-17T19:50:06.473

Reputation: 33

I needed to do this in a shell script (script adds current user to a group, runs later commands that require that group membership). The newgrp command is brittle in that it can only run a new shell rather than an arbitrary command (I want to re-run the current shell script with original commandline args).

Here's my solution, which uses lots of bash-isms: (note the surrounding script needs some sort of branch to only run this function if the required group is not currently active):

(note: the script implies that it ran sudo adduser $user docker, which means it could also just run sudo docker everywhere instead of docker but that was undesirable in this case)

# save these for later
ORIGINAL_ARGS=("$@")

# This function is a little insane. The problem is this: user running
# this script is not a member of docker group, but used 'sudo' to add
# themselves to group. Without logging out and back in, the only way
# to gain access to that group is via the 'newgrp' command, which
# unfortunately starts a new shell rather than an arbitrary command...
#
# Also, we're going to newgrp twice: first to add the new group and
# again to restore the original group (but the new group remains in
# the 'groups' output).
#
# So this horrendous hack dups stdin to fd3 for later. Then runs
# 'newgrp' piping in a script that runs 'newgrp' a second time, piping
# in another script that restores stdin from fd3 and execs the
# original command...
restart-newgrp-newgrp() {
  # dup original stdin to fd3
  exec 3<&0

  local group="$1"
  local command="$0"
  local arg
  for arg in "${ORIGINAL_ARGS[@]}"; do
    printf -v command "%s %q" "$command" "$arg"
  done

  # restore original stdin from fd3; also replace any single-quote in
  # command with '"'"' to embed it in a single-quoted string
  local script
  printf -v script "exec newgrp %q <<<'exec <&3-; exec %s'" "$(id -gn)" "${command//\'/\'\"\'\"\'}"

  exec newgrp "$group" <<<"$script"
}

Patrick

Posted 2011-04-17T19:50:06.473

Reputation: 101

This does the trick if you have sudo and it can save you from entering your password one more time in some cases:

sudo su $USER

kqw

Posted 2011-04-17T19:50:06.473

Reputation: 1 781

I had similar issue but also for not logged-in users. Restart of nscd didn't help, but executing this command did: nscd -i group. That should instruct nscd (caching daemon) to reload the groups file.

Marki555

Posted 2011-04-17T19:50:06.473

Reputation: 903