12

Logging out and logging back in do not fix this problem. Rebooting does not fix this problem.

NOTE: Please do not mark this question as a duplicate, I'm aware of this question: I added a user to a group, but group permissions on files still have no effect and have tried these things multiple times.

I've added my user account to some groups using usermod -aG, however I am not able to access any resources associated with that group. I can fix this using sudo su - $USER, however this only lasts for my current terminal session.

Example terminal session:

$ id
uid=1008(erik) gid=1009(erik) groups=1009(erik)
$ echo $USER
erik
$ sudo su - $USER
[sudo] password for erik: 
$ id
uid=1008(erik) gid=1009(erik) groups=1009(erik),27(sudo),100(users),999(docker),1001(rvm)

I have to do this every time I open a terminal. Rebooting does not fix this.

Is there any way I get get all the groups assigned to me when I login?

Distro: Ubuntu 16.04 x64 User Catscrash has reported the same issue with Ubuntu 18.04

This seems to only happen when I open a terminal in my desktop. If I ssh to the machine or switch to a TTY (ctrl+alt+F2 for example), then I get the correct groups.

$ id
uid=1008(erik) gid=1009(erik) groups=1009(erik)
$ ssh localhost
erik@localhost's password: 
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

----------------------------------------------------------------
  Ubuntu 16.04.2 LTS                          built 2017-04-20
----------------------------------------------------------------
Last login: Thu Jul 26 09:18:38 2018 from ::1
$ id
uid=1008(erik) gid=1009(erik) groups=1009(erik),27(sudo),100(users),999(docker),1001(rvm)
$

Current using XFCE as my desktop environment. I also have KDE installed.

I've tried both possible values for starting the terminal as a login shell - neither makes any difference.

I've tried disabling apparmor via sudo systemctl disable apparmor and rebooted. After reboot, since I have docker installed, it still loads apparmor with the docker profile. So additionally I tried disabling docker: sudo systemctl disable docker and then rebooting.

After this, the output of apparmor_status is:

$ sudo apparmor_status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

so, that means it's loaded but not doing anything?

Either way, it doesn't resolve the issue. I still cannot access any resource that I should have group permissions for.

Any other ideas?

The Vermilion Wizard
  • 243
  • @steeldriver I don't think has to do with groups within docker containers - I get permission denied errors connecting to the docker service just issuing docker commands on the host until I sudo su -. It drives me nuts because I know I've gotten this to work on other machiens... – The Vermilion Wizard Jul 24 '18 at 20:27
  • @steeldriver - yeah I've seen a rise of these questions, assumed, wrongly, that it was this previous issue and was being overly dismissive. Won't make that mistake twice. – slm Jul 24 '18 at 20:28
  • @Erik - what's the distro? Just so you're aware, the groups should always get assigned to the user when they login correctly, this is def. something new and unexpected, might be a bug. – slm Jul 24 '18 at 20:30
  • 1
    @Erik can you fill in some additional details for us? assuming the initial login is GUI based, are you using the default display manager (lightdm) or something else? does this account use autologin? is any encryption used (either whole disk or home directory)? – steeldriver Jul 24 '18 at 23:17
  • AppArmor might be worth a look, in case it prevented setgroups() to work – A.B Jul 25 '18 at 00:27
  • @A.B AppArmor is running on this machine. Do you know of a way I can check if it has interfered with setgroups()? – The Vermilion Wizard Jul 25 '18 at 16:05
  • by (temporarily) disabling it, it's explained there: https://help.ubuntu.com/community/AppArmor . That's just something to check before moving on to an other lead. – A.B Jul 25 '18 at 21:03
  • @A.B tried disabling apparmor, but it doesn't seem to help. Any other ideas? – The Vermilion Wizard Jul 25 '18 at 23:06
  • Somebody made a Q/A on servfault but it was deleted ( https://serverfault.com/questions/923655/all-of-a-sudden-im-getting-permission-errors) . The symptoms were the same: no supplementary groups unless using su to itself, and also using Ubuntu 16.04. Stated that it was after an upgrade. – A.B Jul 26 '18 at 13:33
  • @Erik did you reboot after having disabled apparmor, with apparmor still disabled at next boot to retest properly? to be 100% sure it's not related – A.B Jul 26 '18 at 13:48
  • @A.B Yes, I rebooted after each change to services (updated the question with this information). – The Vermilion Wizard Jul 26 '18 at 16:04
  • A related question is https://unix.stackexchange.com/questions/457884/ . – JdeBP Jul 27 '18 at 14:04

2 Answers2

7

Update2:

This seems to be a lightdm / kwallet bug, see here: https://bugs.launchpad.net/lightdm/+bug/1781418 and here: https://bugzilla.redhat.com/show_bug.cgi?id=1581495

Commenting out

auth optional pam_kwallet.so
auth optional pam_kwallet5.so

to 

#auth optional pam_kwallet.so
#auth optional pam_kwallet5.so

in /etc/pam.d/lightdm - as suggested in the link above, solves the problem for now.

Update:

This seems to be an issue with lightdm. Switching to GDM solved the issue temporarily for me. Still don't know what's wrong with lightdm though.

I have exactly the same issue (Ubuntu 18.04). I don't have a solution yet, but I noticed, that everything is correct when I log in via ssh or a text console, but not when I open a terminal emulator on my desktop environment. Is this the same for you? Maybe it has something to do with some pam-files?

Also weird: correct would be:

uid=1000(catscrash) gid=1000(catscrash) Gruppen=1000(catscrash),4(adm),6(disk),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),132(vboxusers),136(libvirtd)

wrong is 

uid=1000(catscrash) gid=1000(catscrash) Gruppen=1000(catscrash)

now I can do

catscrash@catscrash-desktop ~ % newgrp adm
catscrash@catscrash-desktop ~ % newgrp catscrash
catscrash@catscrash-desktop ~ % id
uid=1000(catscrash) gid=1000(catscrash) Gruppen=1000(catscrash),4(adm)
catscrash@catscrash-desktop ~ % newgrp sudo
catscrash@catscrash-desktop ~ % id
uid=1000(catscrash) gid=27(sudo) Gruppen=27(sudo),4(adm),1000(catscrash)
catscrash@catscrash-desktop ~ % newgrp catscrash
catscrash@catscrash-desktop ~ % id
uid=1000(catscrash) gid=1000(catscrash) Gruppen=1000(catscrash),4(adm),27(sudo)
catscrash@catscrash-desktop ~ %

So it definitely knows about my groups, as I couldn't do that with groups I'm not in, and once I changed the primary group and back, those groups appear... weird!

I also noticed, that this only happens in KDE / plasmashell, is this the same for you? When logging in via gnome shell everything works fine.

Catscrash
  • 101
  • An interesting data point. Yes I see the same behavior; logging in from a TTY or an SSH session results in the correct groups. I have this issue in XFCE, but I also have KDE installed as well. I updated the question to include this information. – The Vermilion Wizard Jul 26 '18 at 16:03
  • Thanks for finding a solution. I commented out kwallet as you suggested and everything works as it should now. – The Vermilion Wizard Jul 27 '18 at 18:45
2

I faced this problem too, on two different machines (lightdm + plasma), both Ubuntu 18.04, both updated from 16.04

Simple solution: switched to sddm. Problem is gone, I again in proper groups:

sudo apt install sddm

or if it is already installed:

sudo dpkg-reconfigure -plow sddm

and pick sddm as default display manager (and make sure some themes are installed).

Mekk
  • 251