9

I have the su executable with the following permissions:

bash-4.2# ls -la /bin/su
-rws--s--- 1 root wheel 59930 Sep 14  2012 ./su

When I am logged in as a user who is not in the wheel group and try to run su, I get an error, which is correct:

bash-4.2$ su
bash: /bin/su: Permission denied

After that I add this user to the wheel group as root:

bash-4.2# usermod -a -G wheel user

But for the same terminal session I still can't run su:

bash-4.2$ su
bash: /bin/su: Permission denied

For new sessions I can run su. How can I make it possible to run su instantly after adding the user to the appropriate group?

Joseph R.
  • 39,549
user4035
  • 1,115
  • 1
    Joseph's newgrp answer is correct - but it applies ONLY to the shell that you run it in, so if you have multiple shells running it's easy to forget which you've run newgrp in and which you haven't. It can be simpler/easier to just logout and login again. – cas Sep 19 '13 at 01:45

1 Answer

11

Simply have the user run

newgrp wheel

This will start a new shell with the group ID changed to that of wheel. If you want to start a new shell and kill off the previous one, use

exec newgrp wheel

instead.

This is because the kernel still has the previous groupset associated with the currently running processes.

peterph
  • 30,838
Joseph R.
  • 39,549
  • How can I run it in a graphical terminal emulator? When I run newgrp wheel as a user, it asks for some password. Even when I type the root password, it says: Invalid password – user4035 Sep 18 '13 at 18:09
  • @user4035 Are we by any chance talking about a networked environment with an authentication mechanism like NIS/LDAP? If that's the case, it may be that the new group associations were not properly propagated to the client machine(s) yet. – Joseph R. Sep 18 '13 at 18:21
  • No, it's my local machine. I log in as user, then run an X session, then start a terminal and run su there to switch to root. I tried to run "newgrp wheel", but it asks for some password: bash-4.2$ newgrp wheel Password: root password doesn't work – user4035 Sep 18 '13 at 18:29
  • @user4035 According to the man-page this will be the password of the user - not the password for root. This is logical, since this is basically the same as a new login. – Nils Sep 18 '13 at 20:57
  • @Nils but a new authentication wouldn't be required if the user account was properly added to the group. At least that's how it is on my Debian box(es). – Joseph R. Sep 18 '13 at 21:00
  • Do you authenticate with NIS/LDAP or something alike? Then there might be a caching mechanism that prevents debian from asking again. Does last show a new login after newgrp? – Nils Sep 18 '13 at 21:17
  • @Nils That was my instinct too :). The OP rejected this, however. See the second and the third comments. – Joseph R. Sep 18 '13 at 21:18
  • I am asking about YOUR setup. Having NIS/LDAP with you but not with the OP would explain it. – Nils Sep 18 '13 at 21:20
  • @Nils Sorry, my bad. Yes, I'm using NIS indeed. – Joseph R. Sep 18 '13 at 21:21
  • Yes, Debian has some nice SSO features. It can even allow you to log in with the ssh passphrase. In the background it will start the ssh-agent to store that phrase. If you do not know about this, it seems like magic that you can use ssh without a passphrase just after login... – Nils Sep 18 '13 at 21:29
  • @Nils I just tried on a Debian box where I authenticate without NIS and it didn't require any password after newgrp. – Joseph R. Sep 18 '13 at 23:05
  • @Nils This user doesn't have a password. It seems that it was asking me for the password of the wheel group, which I don't know. When I set the user password, it started to work. I am using Slackware 14.0 – user4035 Sep 19 '13 at 07:41
  • @user4035 That is the expected behavior according to the man-page. – Nils Sep 19 '13 at 21:20
  • 4
    Note that this answer is inaccurate, since the effect of newgrp wheel is not to let "add the user to the wheel group" take effect; the effect is that the primary GID of the user is changed, which is fundamentally different - e.g. newly created files will have the new GID. – Jakub Klinkovský May 26 '18 at 21:34
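
The behaviour discussed in this thread, a running shell keeping the group set it was started with while the group database already lists the new membership, can be checked from inside the affected session. The script below is an added example, not part of the original question or answers; the function names `missing_groups` and `session_group_gap` are hypothetical, and it assumes group names contain no whitespace.

```shell
#!/bin/sh
# Print each group the account database grants that the process does not hold.
# $1: space-separated groups from the database
# $2: space-separated groups held by the running process
missing_groups() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;                # already in the process credentials
            *) printf '%s\n' "$g" ;;    # granted in the database, absent here
        esac
    done
}

# Compare this shell's credentials with a fresh database lookup.
session_group_gap() {
    user=$(id -un 2>/dev/null) || return 0
    # Without a user argument, id reports the credentials of this process.
    proc=$(id -Gn 2>/dev/null) || return 0
    # With a user argument, id looks the user up in the group database.
    db=$(id -Gn "$user" 2>/dev/null) || return 0
    missing_groups "$db" "$proc"
}

gap=$(session_group_gap)
if [ -n "$gap" ]; then
    echo "Granted in the database but not held by this session:"
    echo "$gap"
    echo "Log in again, or run 'newgrp <group>' (this changes the primary GID of the new shell)."
else
    echo "This session already holds every group the database lists."
fi
```

Run in the terminal from the question right after `usermod -a -G wheel user`, it would list `wheel`; in a fresh login session it reports no gap.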