Why the Unix
newgrp command exists (sort of)
Recently in the Fediverse, I read this toot:
Did you know that #Unix groups have passwords? Apparently if you set one, you then have to use newgrp to log in to that group.
I have never seen anyone use unix group passwords.
There are some things to say about this, but the first thing you
might wonder is why the
newgrp command exists at all. The best
answer is that it's mostly a Unix historical relic (or, to put it
another way, a fossil).
In basically all current Unixes, processes can be in multiple groups
at once, often a lot of them. However this is a feature added in
BSD; it wasn't the case in the original Research Unixes, including
V7, and for a long time it wasn't the case in System V either. In
those Unixes, you could be listed as a member of various groups in
/etc/groups, but a given process was only in one group at a time.
newgrp command was how you switched back and forth between
newgrp worked in the way you'd expect, given Unix. It was
a setuid root program that switched itself into the new group and then
exec'd into your shell (after carefully dropping its setuid powers).
(The actual behavior of
newgrp in V7 is an interesting topic,
but that's for another entry.)
As far as I can tell from tuhs.org, a
newgrp command appears in Research Unix V6, but it doesn't seem
to be in V5. You could have written one, though, as there was a
setgid() system call at least as far back as V4 (and V4 may be
where the idea of groups was invented). Somewhat to my surprise,
the existence of group passwords also dates back to V6 Unix.
(Before I started looking into this, I would have guessed that group passwords were added somewhere in the System III/System V line of AT&T Unix, as AT&T adopted it to 'production' usage.)
PS: I'm pleased to see that OpenBSD seems to have dropped the
command at some point. Linux and FreeBSD both continue to have it, and I
can't imagine that Illumos, Solaris, or any other surviving commercial
Unixes have gotten rid of it either.