
How do groups work on Linux? - deafcalculus
https://jvns.ca/blog/2017/11/20/groups/
======
ScottBurson
One of the most useful group-related tricks (introduced in BSD Unix, I
believe) is the setgid bit on a directory. If this is set, new files and
subdirectories created within the directory will have the same group as the
directory, rather than the group of the process that created them.
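
The setgid-directory behaviour described in this comment, as an added C example that is not part of the original thread. The names `sgid_demo` and `regroup` and the `/tmp/sgid-demo-*` scratch path are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
struct sgid_result { gid_t dir_gid, file_gid, sub_gid; int sub_has_sgid; };

/* Prefer a supplementary group so inheritance is visible; else use our egid. */
static void regroup(const char *dir) {
    gid_t list[256];
    int n = getgroups(256, list);
    for (int i = 0; i < n; i++)
        if (list[i] != getegid() && chown(dir, (uid_t)-1, list[i]) == 0)
            return;
    chown(dir, (uid_t)-1, getegid());
}

/* Create a setgid directory, then a file and a subdirectory inside it, and
 * record which group each one received. Returns 0 on success, -1 on error. */
int sgid_demo(struct sgid_result *r) {
    char dir[] = "/tmp/sgid-demo-XXXXXX", file[64], sub[64];  /* constructed */
    struct stat d, f, s;
    int ok = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/file", dir);
    snprintf(sub, sizeof sub, "%s/sub", dir);
    regroup(dir);
    /* Set the bit with chmod after chown; 02770 = setgid + rwxrwx---. */
    if (chmod(dir, 02770) == 0 &&
        (fd = open(file, O_CREAT | O_EXCL | O_WRONLY, 0640)) >= 0) {
        close(fd);
        ok = mkdir(sub, 0750) == 0 && stat(dir, &d) == 0 &&
             stat(file, &f) == 0 && stat(sub, &s) == 0;
    }
    if (ok) {
        r->dir_gid = d.st_gid; r->file_gid = f.st_gid; r->sub_gid = s.st_gid;
        r->sub_has_sgid = (s.st_mode & S_ISGID) != 0;
    }
    unlink(file); rmdir(sub); rmdir(dir);
    return ok ? 0 : -1;
}

int main(void) {
    struct sgid_result r;
    if (sgid_demo(&r) != 0) { perror("sgid_demo"); return 1; }
    printf("egid=%ld dir=%ld file=%ld sub=%ld sub_setgid=%d\n", (long)getegid(),
           (long)r.dir_gid, (long)r.file_gid, (long)r.sub_gid, r.sub_has_sgid);
    return 0;
}
```

On Linux the new subdirectory also carries the setgid bit, so the group propagates down the whole tree; when the process has no supplementary group, the directory and process groups coincide and only the inherited bit is visible.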

~~~
jaymzcampbell
I use this as a basic indicator of someone's Unix competency. Not as a
straight binary thing, but if I'm talking to someone (interviewing or maybe
debugging something) I've found that if you know about _setgid / setuid_ you
have probably been interested enough to know what you are doing.

~~~
eru
I've seen interviewers ask for the sticky bit and the difference between hard
and soft links as similar shibboleths.

~~~
dozzie
I've seen them ask how to restore execution permissions after `chmod a-x
/bin/chmod`. I usually answer to those smartasses that my favourite way is
to run the very non-executable /bin/chmod without any file juggling. I'm yet
to meet anybody who wasn't surprised that it's possible.

~~~
pnutjam
explain?

~~~
shabble

        shabble@host:~$ cp /bin/chmod /tmp/chmoo
        shabble@host:~$ chmod 600 /tmp/chmoo
        shabble@host:~$ ll /tmp/ch*
        -rw------- 1 shabble shabble 59K Nov 21 17:15 /tmp/chmoo
        shabble@host:~$ /tmp/chmoo
        -bash: /tmp/chmoo: Permission denied
        shabble@host:~$ /lib64/ld-linux-x86-64.so.2 /tmp/chmoo
        /tmp/chmoo: missing operand
        Try '/tmp/chmoo --help' for more information.

~~~
ansible
Well, that's a new one on me. I'd just have 'cat'ted the chmod executable onto
some other executable, which keeps the permissions.

------
mason55
The book she mentions, "The Linux Programming Interface," sounds pretty
useful, but it's seven years old at this point. Does anyone know how much has
changed or if there's a new version coming any time soon? Seems like it's
worth $70 but the age has me concerned. I'm sure the basics, like the things
this article is about, haven't changed, but I bet all the stuff around cgroups
would be useful for how setgid works with a process.

~~~
joshbaptiste
Useful is an understatement of The Linux Programming Interface (TLPI), yes
seven years old but the only major thing that has probably changed is the
number of syscalls has risen, other than that, still solid for understanding
the OS primitives and interfaces that the Kernel uses to interact with user
land. On the BSD side "The Design and Implementation of the FreeBSD Operating
System (2nd Edition)" is also a great book to further one's understanding of
operating system interfaces on the BSD side.

~~~
mason55
Cool, thank you for the feedback!

------
chairmanwow
I absolutely love Julia Evans's writing. I find her articles / zines to cover
interesting and useful technical topics while remaining _extremely_ accessible
to me (especially when I was a student)! I really admire her ability to
present technical topics in plain language.

~~~
rubbsdecvik
I fully agree. Even on topics I feel I know well, she's 1) shown me something
I didn't know, and 2) shown me how a "newbie" could see the topic, making it
easier for me to help teach/mentor someone else.

~~~
agumonkey
It's pretty interesting how one can make a subject look accessible. Often the
main factor for ignorance is ceremony.

------
Asooka
Ohh, so THAT's why I have to log out and back in to have my group changes take
effect. That, along with having to start a new shell to pick up new env vars
from ~/.profile, are my two biggest annoyances with the Linux process model.
Reminds me a bit of the Windows 98 days when you had to restart to change your
IP address. I really wish someone would sit down and figure out how to
propagate group and environment changes to already running processes and
implement them.

~~~
heywire
Take a look at the command “newgrp”

~~~
gjjrfcbugxbhf
I think the op is looking for something like

addgroup && newgrp

------
tiben_
Some highlighted words do not appear using Firefox 57 on my Ubuntu 16.04.3,
like the word "julia" at the third line. It's OK with Chromium.

EDIT: Seems a Firefox-related bug, I noticed this strange behavior with other
websites inc. Stack Overflow since then. Will investigate asap.

~~~
woodrowbarlow
i am also using firefox 57 on ubuntu 16.04.3 and it looks fine to me. it must
be something with your specific setup.

------
halayli
Regarding setuid, this is why when you run programs like ping(8) it doesn't
require root access to open a raw socket. ping's setuid is set so upon
execution it executes as root since ping is owned by root and then calls
setuid(getuid()) to run as the intended user.
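
The open-then-drop pattern from this comment, as an added C example that is not part of the original thread and is not ping's actual source. The function name `drop_privileges` is an assumption; the check after the drop covers the case where `setuid(getuid())` leaves a saved ID behind.

```c
#define _DEFAULT_SOURCE
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the invoking user's IDs. Returns 0 on success, -1 if a
 * step fails or the old privilege could still be regained afterwards. */
int drop_privileges(void) {
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the uid drop we may lack permission to change it. */
    if (setgid(rgid) != 0) return -1;
    /* With euid 0 this sets the real, effective and saved uid together. */
    if (setuid(ruid) != 0) return -1;

    /* Verify rather than assume. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* A successful switch back means a saved ID survived (this happens when
     * the binary is setuid to a non-root owner), so report failure. */
    if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
    if (old_egid != rgid && setegid(old_egid) == 0) return -1;
    return 0;
}

int main(void) {
    /* Privileged step first, as in the ping case: needs root or CAP_NET_RAW. */
    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (sock < 0) perror("raw socket (expected when unprivileged)");

    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("uid=%ld euid=%ld, raw socket %s\n", (long)getuid(),
           (long)geteuid(), sock >= 0 ? "kept open" : "not available");
    if (sock >= 0) close(sock);
    return 0;
}
```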

~~~
Huggernaut
In some distributions, ping is now no longer setuid, but instead setcap with
CAP_NET_RAW to narrow down the privileges gained.

------
3ap
Also "newgrp" can be used to join "new" groups without re-login.

~~~
yjftsjthsd-h
And here I've been using `su - $ME` all this time. Thanks!

~~~
lathiat
Worth noting that it's not functionally all that different in that newgrp
spawns a new shell under the current one; aside from the - creating a login
shell anyway - but you can do that with newgrp too

------
yubiox
"dr--r--r-- 1 bork awesome 6872 Sep 24 11:09 file.txt"

This doesn't make sense.

~~~
biggerfisch
        $ mkdir file.txt
        $ ls -l
        drwxr-xr-x 2 USER GROUP 4096 Nov 21 11:49 file.txt
        $ chmod -xw file.txt
        $ for i in {1..180}; do touch file.txt/long_name_$i; done
        $ ls -l
        dr--r--r-- 2 USER GROUP 12288 Nov 21 11:50 file.txt

File size is a bit off, but that's based on sector size and may be separately
configurable - that's a bit beyond my knowledge.

~~~
yubiox
but she says right above it:

"So, for example, if a process is owned by the julia user and julia is in the
awesome group, then the process would be allowed to read this file."

~~~
biggerfisch
I'm not sure what you aren't understanding. Directories are just a type of
file, so that's not wrong, the dir/file is owned by the `awesome` group, and
the group permissions are `r--` so the group can indeed read it.

~~~
jwilk
Or one could apply Occam's razor and admit that "d" was a typo.

~~~
biggerfisch
Of course, that's a much more likely scenario. I was attempting to show that
the line was not completely nonsensical is all.

