Linux – Why the supplementary groups of “bash” also contains the primary group

grouplinuxprocess

Based on my understanding, when bash (or any process as long as I don't intentionally change this behavior) runs, it will have (along with other information) a list of the supplementary groups for the logged in user.

The following is the ps result for the supplementary groups of bash:

PID    COMMAND    SUPGRP
1409   bash       adm dialout cdrom plugdev lpadmin admin sambashare chris

chris is the primary group for the logged in user, so why is it listed as part of the supplementary groups?

Best Answer

initgroup(), the libc function that is typically called by login applications to set supplementary group list of the process it runs in your name does add the primary group id to that list.

If it didn't, that would be a security issue, as that would give you a way to relinquish access to that group by creating a setgid executable with one of your other groups, and execute that to lose your primary gid (that executable would have to call setgid() for the real gid to also change), which would give you access to resources that have been explicitly denied access to your primary group for instance.

Example:

$ ls -l file
-rw----r-- 1 root chazelas 7 Dec 12 15:33 file

Access has been denied to my primary gid:

$ cat file
cat: file: Permission denied

Now, let's start a shell as me where the supplementary group ids doesn't include that group to see what we could do if login didn't add that group to our supplementary group id list:

$ sudo perl -le '$( = $) =  "1000 2"; $< = $> = 1000; exec zsh'
$ ps -o rgroup,egroup,supgrp -p $$
RGROUP   EGROUP   SUPGRP
chazelas chazelas bin
$ id -a
uid=1000(chazelas) gid=1000(chazelas) groups=1000(chazelas),2(bin)

1000 is in gid, egid, but not the supplementary group list. As I'm also a member of bin, I can create a setgid bin executable:

$ cp -f /usr/bin/env .
$ chgrp bin env
$ chmod g+s env
$ ./env perl -U -le '$( = $); exec qw(/usr/bin/id -a)'
uid=1000(chazelas) gid=2(bin) groups=2(bin)

I'm using perl to call setgid() ($( = $)). And then I've lost membership of the chazelas group. So:

$ ./env perl -U -le '$( = $); exec qw(cat file)'
secret

By adding the group to the supplementary list, login makes sure you can't get out of it (as only root can change that list and it's not affected by the execution of setgid executables).

Related Solutions

Group IDs – Understanding GID, Primary, Supplementary, Effective, and Real Group IDs

You mix two different distinctions here:

Between real and effective group ids
Between primary and supplementary users' groups

The first distinction refers to how processes are being run. Normally, when you run a command/program, it is run with the privileges of your user. It has the real group id same as your user's primary group. This can be changed by a process in order to perform some tasks as a member of another special group. To do that, programs use the setgid function that changes their effective group id.

The second distinction refers to users. Each user has his/her primary group. There is only one per user and is referred to as gid in the output of the id command. Apart from that, each user can belong to a number of supplementary groups - and these are listed at the end of id output.

[Edit] :

I agree that the manpage for id is somewhat misleading here. It is probably because it is a stripped-down version of the description provided by the info document. To see it more clearly, run info coreutils "id invocation" (as suggested at the end of the id manual).

Delete non-unique group with group ID as primary group of a user

The error you're getting is a limitation of the way groupdel was written and the fact that the system is designed around numbers (IDs) and not names. As you can see in source code of groupdel, it only checks if there's a user having the GID you want to delete, as its primary group. It doesn't matter if there's another group having the same ID, but named differently.

/* [ Note: I changed the style of the source code for brevity purposes. ]
 * group_busy - check if this is any user's primary group
 *
 *      group_busy verifies that this group is not the primary group
 *      for any user.  You must remove all users before you remove
 *      the group.
 */
static void group_busy (gid_t gid)
{
        struct passwd *pwd;

        /* Nice slow linear search. */
        setpwent ();
        while ( ((pwd = getpwent ()) != NULL) && (pwd->pw_gid != gid) )
                ;
        endpwent ();

        /* If pwd isn't NULL, it stopped because the gid's matched. */
        if (pwd == (struct passwd *) 0)
                return;

        /* Can't remove the group. */
        fprintf (stderr,
                 _("%s: cannot remove the primary group of user '%s'\n"),
                 Prog, pwd->pw_name);
        exit (E_GROUP_BUSY);
}

So you either you mess with the configuration files using other tools like Perl in mtm's answer or you temporarily change the GID of that user so that group_busy doesn't fail anymore.

Best Answer

Related Solutions

Group IDs – Understanding GID, Primary, Supplementary, Effective, and Real Group IDs

Delete non-unique group with group ID as primary group of a user

Related Question