Why the Unix newgrp command exists (sort of)

September 29, 2020

Recently in the Fediverse, I read this toot:

Did you know that #Unix groups have passwords? Apparently if you set one, you then have to use newgrp to log in to that group.

I have never seen anyone use unix group passwords.

(Via @mhoye.)

There are some things to say about this, but the first thing you might wonder is why the newgrp command exists at all. The best answer is that it's mostly a Unix historical relic (or, to put it another way, a fossil).

In basically all current Unixes, processes can be in multiple groups at once, often a lot of them. However, this is a feature added in BSD; it wasn't the case in the original Research Unixes, including V7, and for a long time it wasn't the case in System V either. In those Unixes, you could be listed as a member of various groups in /etc/group, but a given process was only in one group at a time. The newgrp command was how you switched back and forth between groups.

In general, newgrp worked in the way you'd expect, given Unix. It was a setuid root program that switched itself into the new group and then exec'd into your shell (after carefully dropping its setuid powers).

(The actual behavior of newgrp in V7 is an interesting topic, but that's for another entry.)
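
The "switch group, then carefully drop setuid powers, then exec" sequence described above can be sketched in C as follows. This is an added example, not code from V7 or from any real newgrp; the helper name switch_group_and_drop is hypothetical, and it assumes the caller has already checked that the user may join the group.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical helper: move this process into new_gid, then give up
 * setuid-root privilege for good. Authorization (membership or group
 * password) is assumed to have been checked already.
 * Returns 0 on success, -1 on any failure; never exec a shell on -1. */
int switch_group_and_drop(gid_t new_gid)
{
    uid_t real_uid = getuid();          /* the user who invoked us */

    /* 1. Change group first, while we still have the privilege to.
     *    For a privileged process this sets real, effective and saved gid. */
    if (setgid(new_gid) != 0)
        return -1;

    /* 2. Only now drop the uid. For a privileged process setuid() also
     *    overwrites the saved set-user-ID, so there is no way back. */
    if (setuid(real_uid) != 0)
        return -1;

    /* 3. Verify instead of trusting return codes: ids must be what we
     *    asked for, and a non-root user must be unable to regain root. */
    if (getgid() != new_gid || getegid() != new_gid)
        return -1;
    if (getuid() != real_uid || geteuid() != real_uid)
        return -1;
    if (real_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Demo: with no argument, "switch" to the group we are already in,
     * which is permitted even without any privilege. */
    gid_t target = (argc > 1) ? (gid_t)strtoul(argv[1], NULL, 10) : getgid();
    if (switch_group_and_drop(target) != 0) {
        fputs("group switch or privilege drop failed\n", stderr);
        return 1;
    }
    const char *shell = getenv("SHELL");
    execl(shell ? shell : "/bin/sh", shell ? shell : "/bin/sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

The order matters: dropping the uid before calling setgid() would leave the process without the privilege needed to change groups.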

As far as I can tell from tuhs.org, a newgrp command appears in Research Unix V6, but it doesn't seem to be in V5. You could have written one, though, as there was a setgid() system call at least as far back as V4 (and V4 may be where the idea of groups was invented). Somewhat to my surprise, the existence of group passwords also dates back to V6 Unix.

(Before I started looking into this, I would have guessed that group passwords were added somewhere in the System III/System V line of AT&T Unix, as AT&T adopted it for 'production' usage.)

PS: I'm pleased to see that OpenBSD seems to have dropped the newgrp command at some point. Linux and FreeBSD both continue to have it, and I can't imagine that Illumos, Solaris, or any other surviving commercial Unixes have gotten rid of it either.

Written on 29 September 2020.
Last modified: Tue Sep 29 19:39:23 2020