Subject: Re: bin/11047: newgrp is missing
To: None <rmk@rmkhome.com>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 04/28/2002 14:07:12
[ On Saturday, April 27, 2002 at 14:37:44 (-0600), Rick Kelly wrote: ]
> Subject: Re: bin/11047: newgrp is missing
>
> Greg A. Woods said:
> 
> >No, not on any AT&T UNIX System V Release 4.0 or newer (or SunOS-5.x).
> >
> >Those systems all support setgroups(2) and so far as I've ever seen the
> >login program on all derivatives of those systems always calls
> >setgroups() when you login making your session have the privileges of
> >all the groups you are a member of at that time (up to the maximum
> >number allowed by the kernel, NGROUPS_MAX, of course).
> 
> That's not what I see here on my network on Solaris 2.6 and Solaris 8.
> 
> rattler> id -a
> uid=1001(rmk) gid=10(staff) groups=10(staff),777(foo)
> rattler> ls -l hello
> -rw-r-x---   1 root      foo         5924 Apr 26 16:53 hello
> rattler> ./hello
> ksh: ./hello: cannot execute
> rattler> /usr/bin/newgrp foo
> $ id -a
> uid=1001(rmk) gid=777(foo) groups=10(staff),777(foo)
> $ ./hello
> hello,world

Hmmm.... that doesn't correspond to behaviour I've observed in the past
(I currently don't have any supplementary group access on an easily
accessible SunOS-5.6 or newer box, nor do I have root on any of them to
test again right now, but I have successfully used this feature in the
past and I'm sure there have been many reports of success from Solaris
users on the info-cvs mailing list too).

It also doesn't agree with the documentation.  From SunOS-5.6 intro(2):

  File Access Permissions
     Read, write, and execute/search permissions on  a  file  are
     granted  to  a  process  if one or more of the following are
     true:

          The effective user ID of the process is super-user.

          The effective user ID of the process matches  the  user
          ID  of the owner of the file and the appropriate access
          bit of the "owner" portion (0700) of the file  mode  is
          set.

          The effective user ID of the process does not match the
          user ID of the owner of the file, but either the effec-
          tive group ID or one of the supplementary group IDs  of
          the  process  match  the  group  ID of the file and the
          appropriate access bit of the "group" portion (0070) of
          the file mode is set.

          The effective user ID of the process does not match the
          user  ID  of  the  owner  of  the file, and neither the
          effective group ID nor any of the  supplementary  group
          IDs  of the process match the group ID of the file, but
          the appropriate  access  bit  of  the  "other"  portion
          (0007) of the file mode is set.

     Otherwise, the corresponding permissions are denied.

> Also, ksh and sh have their own weird builtin newgrp.

There's nothing weird about it.  Unless you wish to start a sub-shell
the only correct way to use an external 'newgrp' (or 'login') program is
to exec it.  The built-in saves you the trouble of forgetting the 'exec'.

RTFM:

       newgrp [arg ...]
              Equivalent to `exec newgrp arg ...'.

One of my first complaints against csh long long ago was it didn't have
a 'newgrp' builtin....  :-)


-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
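
The intro(2) "File Access Permissions" rule quoted in the message above, written out as a C function and applied to the IDs and file mode shown in the quoted transcript. This is an added example, not part of the original message; the struct and function names are hypothetical, and the sample credentials are constructed from the transcript's `id -a` and `ls -l` output.

```c
#include <stdio.h>
#include <sys/types.h>

struct cred {                 /* process credentials (constructed sample data) */
    uid_t euid;
    gid_t egid;
    const gid_t *groups;      /* supplementary group IDs, as set by setgroups(2) */
    size_t ngroups;
};

/* True if gid is the effective group ID or one of the supplementary group IDs. */
static int in_group(const struct cred *c, gid_t gid)
{
    if (c->egid == gid)
        return 1;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return 1;
    return 0;
}

/* want is an "other"-position mask: 04 read, 02 write, 01 execute/search.
 * Exactly one class (owner, group, other) is consulted, as the text states. */
int access_granted(const struct cred *c, uid_t f_uid, gid_t f_gid,
                   mode_t f_mode, unsigned want)
{
    unsigned bits;
    if (c->euid == 0)                       /* super-user */
        return 1;
    if (c->euid == f_uid)
        bits = (f_mode >> 6) & 07;          /* "owner" portion (0700) */
    else if (in_group(c, f_gid))
        bits = (f_mode >> 3) & 07;          /* "group" portion (0070) */
    else
        bits = f_mode & 07;                 /* "other" portion (0007) */
    return (bits & want) == want;
}

/* Constructed from the transcript: rmk's IDs; ./hello is root:foo, mode 0650. */
static const gid_t rmk_groups[] = { 10, 777 };
const struct cred rmk_login  = { 1001, 10,  rmk_groups, 2 };  /* before newgrp */
const struct cred rmk_newgrp = { 1001, 777, rmk_groups, 2 };  /* after newgrp foo */

int main(void)
{
    printf("before newgrp: %d\n", access_granted(&rmk_login, 0, 777, 0650, 01));
    printf("after newgrp:  %d\n", access_granted(&rmk_newgrp, 0, 777, 0650, 01));
    return 0;
}
```

Under the documented rule the group class applies in both cases, because 777 is among the supplementary group IDs before newgrp and is the effective group ID after it, so both calls return 1.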