Linux: groups vs. groups username
Does anybody know why the linux command
groups
shows a different output than
groups username
The logged in user is the same as the parameter username. Example:
thorsten@ubuntu:~/tmp$ groups
thorsten adm dialout cdrom plugdev lpadmin admin sambashare
thorsten@ubuntu:~/tmp$ groups thorsten
thorsten : thorsten adm dialout cdrom plugdev nogroup lpadmin admin sambashare
Solution 1:
When you run groups username
, it looks up1 the given user in /etc/passwd
and /etc/group
(although it can be LDAP, NIS or something else2) and shows you all groups found.
On the other hand, when you run the groups
command without any arguments, it simply lists all groups it itself belongs to3 – which is not necessarily the same as what is listed in /etc/group
. (See below for an explanation.) In fact, the only lookups made to /etc/group
are for translating GIDs to group names.
Each process has a set of credentials, which contains (among other things) a "real group ID" (primary GID), an "effective group ID" (EGID), and a list of "supplementary group" IDs (secondary GIDs). By default, a process inherits its credentials from its parent; however, processes running as root (UID 0) or having the CAP_SETUID
capability are allowed to set arbitrary credentials.
In particular, when you log in to Linux (whether in a tty, X11, or over SSH), the login process (/bin/login, gdm, sshd) looks up your username to determine your UID, primary GID, and secondary GIDs. On a personal machine, this just means reading the appropriate lines from passwd
and group
files (or NIS, LDAP, etc).
Next, the login process switches4 to those credentials before starting your session, and every process you launch from now on will have the exact same UID & GIDs – the system does not check /etc/group
anymore5 and will not pick up any modifications made.
In this way, the /usr/bin/groups
process will belong to the same groups as you did when you logged in, not what the database says you are in.
Note: The above explanation also applies to almost all Unixes; to the Windows NT family (except UIDs and GIDs are all called "SIDs", there is no "primary group", the credentials are called the "process token", and CAP_SETUID
is SeCreateTokenPrivilege or SeTcbPrivilege); and likely to most other multi-user operating systems.
1 getpwuid() and getgrouplist() are used to look up a user's groups.
2 On Linux, glibc uses /etc/nsswitch.conf
to determine where to look for this information.
3groups
uses getgid(), getegid() and getgroups() to obtain its own credentials.
4 setuid(), setgid(), initgroups() and related.
5 An exception, of course, is the various tools that run elevated (setuid) such as su
, sudo
, sg
, newgrp
, pkexec
, and so on. This means that su $USER
will spawn a shell with the updated group list.
Solution 2:
groups
on its own gives the current group membership of the owner of the process. This can differ from groups <username>
if the groupdb has changed since the process started or the process owner changed.
Solution 3:
Just restart the computer and both groups and groups user should give the same results.
The reason they were different was because you added yourself to a new group which you weren't a member of when you started the computer.