4

I asked the following question, "Added user supplementary group, but 'groups(1)' not showing change", earlier today. Now I'd like to know why the answer works. After running

adduser user group

Why does user need to log out (I'm not even sure what that means in a context without a window manager), or why does newgrp(1) need to be invoked?

fthinker
  • 752

2 Answers

5

If you take a look at the credentials man page, you'll see why child processes cannot have changes made via adduser immediately reflected in a real-time way:

excerpt

A child process created by fork(2) inherits copies of its parent's user and groups IDs. During an execve(2), a process's real user and group ID and supplementary group IDs are preserved; the effective and saved set IDs may be changed, as described in execve(2).

So what does this mean?

Logging out ends the parent process from which all your subsequent processes were forked: everything in your desktop, etc. This original process had your groups info in it, which it populated by reading /etc/passwd & /etc/group.

Another file that plays a role in how your environment gets your groups information is /etc/nsswitch.conf. This file contains lines like this:

passwd:     files
shadow:     files
group:      files

This instructs your system to read the information regarding passwords, groups, etc. only from the files I just mentioned.

These lines could just as easily instruct the system to use other sources such as NIS, LDAP, etc. to acquire this information instead.

nsswitch.conf

If you take a look at the nsswitch.conf man page you'll find out how the system is able to source the contents of the various "databases" of usernames, groups, and passwords.

excerpt

FILES
       A service named SERVICE is implemented by a shared object library named 
       libnss_SERVICE.so.X that resides in /lib.

       /etc/nsswitch.conf       configuration file
       /lib/libnss_compat.so.X  implements `compat' source for glibc2
       /lib/libnss_db.so.X      implements `db' source for glibc2
       /lib/libnss_dns.so.X     implements `dns' source for glibc2
       /lib/libnss_files.so.X   implements `files' source for glibc2
       /lib/libnss_hesiod.so.X  implements `hesiod' source for glibc2
       /lib/libnss_nis.so.X     implements `nis' source for glibc2
       /lib/libnss_nisplus.so.2 implements `nisplus' source for glibc 2.1

NOTES
       Within each process that uses nsswitch.conf, the entire file is read only
       once; if the file is later changed, the process will continue using the 
       old  configuration.

If you notice this note, it's reflecting a similar situation with this file, where changes to nsswitch.conf cannot be made in a real-time fashion either.

slm
  • 369,824
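
An added example (not part of either answer), assuming Linux and Python 3: it compares the groups held in a running process's credentials with what the account database returns now, and shows a forked child reporting the same groups as its parent. The function names are chosen for this sketch.

```python
import os
import pwd


def database_groups(uid):
    """Group IDs the account database (looked up through NSS) gives uid right now."""
    entry = pwd.getpwuid(uid)  # raises KeyError if uid has no passwd entry
    return set(os.getgrouplist(entry.pw_name, entry.pw_gid))


def process_groups():
    """Group IDs stored in this process's own credentials (kernel state)."""
    return set(os.getgroups()) | {os.getgid()}


def drift(db, proc):
    """Compare database membership with the credentials a process holds."""
    return {
        "pending": sorted(db - proc),  # added in the database, process lacks it
        "stale": sorted(proc - db),    # removed from the database, still held
    }


def child_groups():
    """Fork a child and return the supplementary groups it reports."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: credentials were copied from the parent at fork
        os.close(r)
        os.write(w, ",".join(map(str, sorted(os.getgroups()))).encode())
        os._exit(0)
    os.close(w)
    with os.fdopen(r) as f:
        data = f.read()
    os.waitpid(pid, 0)
    return [int(g) for g in data.split(",") if g]


if __name__ == "__main__":
    proc = process_groups()
    print("process credentials:", sorted(proc))
    print("child after fork:   ", child_groups())
    try:
        print("drift vs database:  ", drift(database_groups(os.getuid()), proc))
    except KeyError:
        print("no passwd entry for uid", os.getuid())
```

Run from a shell that was started before the adduser call, the new group shows up under "pending". A non-empty "stale" list is the case that matters after revoking membership: sessions started earlier keep the group until they end.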
1

It requires it because group membership is read at login. All of that information is stored with that session and not re-read.

kurtm
  • 7,055