Why the Unix newgrp command exists (sort of)

September 29, 2020

Recently in the Fediverse, I read this toot:

Did you know that #Unix groups have passwords? Apparently if you set one, you then have to use newgrp to log in to that group.

I have never seen anyone use unix group passwords.

(Via @mhoye.)

There are some things to say about this, but the first thing you might wonder is why the newgrp command exists at all. The best answer is that it's mostly a Unix historical relic (or, to put it another way, a fossil).

In basically all current Unixes, processes can be in multiple groups at once, often a lot of them. However, this is a feature added in BSD; it wasn't the case in the original Research Unixes, including V7, and for a long time it wasn't the case in System V either. In those Unixes, you could be listed as a member of various groups in /etc/group, but a given process was only in one group at a time. The newgrp command was how you switched back and forth between groups.

In general, newgrp worked in the way you'd expect, given Unix. It was a setuid root program that switched itself into the new group and then exec'd into your shell (after carefully dropping its setuid powers).

(The actual behavior of newgrp in V7 is an interesting topic, but that's for another entry.)

As far as I can tell from tuhs.org, a newgrp command appears in Research Unix V6, but it doesn't seem to be in V5. You could have written one, though, as there was a setgid() system call at least as far back as V4 (and V4 may be where the idea of groups was invented). Somewhat to my surprise, the existence of group passwords also dates back to V6 Unix.

(Before I started looking into this, I would have guessed that group passwords were added somewhere in the System III/System V line of AT&T Unix, as AT&T adopted it to 'production' usage.)

PS: I'm pleased to see that OpenBSD seems to have dropped the newgrp command at some point. Linux and FreeBSD both continue to have it, and I can't imagine that Illumos, Solaris, or any other surviving commercial Unixes have gotten rid of it either.

Comments on this page:

By Robert Earl at 2020-09-29 19:59:31:

I am curious about your mention of OpenBSD dropping it. You didn't mention whether it is still necessary.

The main use of newgrp for people like me is that if my username has been added to a new group while I am logged in, then I need to use newgrp to enable it, or else log out and log back in.

So in OpenBSD, have they rewritten the kernel so that new groups are automatically accessed, or have they simply eliminated a convenience and forced everyone to log out/in (a very great inconvenience for windowing system users)?

By Todd at 2020-09-29 21:42:57:

I wonder the same. If OpenBSD doesn't have newgrp, how do you take on newly added group permissions without logging out and back in?

One handy function of newgrp is to change one's primary group.

Say you are in groupA, groupB, and groupC, with the default primary being groupA, but you want to create some files or directories specifically accessible to C: then running "newgrp groupc" would accomplish that (instead of creating the files and then doing a chgrp). Your supplementary groups stay the same regardless of which group is primary.

By John Marshall at 2020-09-30 07:52:46:

I'm not sure that there are many other ways for ordinary users to change their primary group.

In particular, using setgid(2) to change to one of your supplementary groups is somewhat mysteriously a privileged operation.

SLURM caused us some pain a while ago when they removed their --gid option for ordinary users, which previously allowed you to select the GID that jobs should be run as. We still haven't got around to working around this by wrapping sbatch with sg(1) in the right place. (Does OpenBSD still have sg? On Linux it's the same executable as newgrp.)

Last modified: Tue Sep 29 19:39:23 2020