Linux: groups vs. groups username

linux user-accounts

Does anybody know why the linux command 

    groups

shows a different output than

    groups username

The logged in user is the same as the parameter username. Example:

    thorsten@ubuntu:~/tmp$ groups
    thorsten adm dialout cdrom plugdev lpadmin admin sambashare
    thorsten@ubuntu:~/tmp$ groups thorsten
    thorsten : thorsten adm dialout cdrom plugdev nogroup lpadmin admin sambashare

Solution 1:

When you run groups username, it looks up1 the given user in /etc/passwd and /etc/group (although it can be LDAP, NIS or something else2) and shows you all groups found.

On the other hand, when you run the groups command without any arguments, it simply lists all groups it itself belongs to3 – which is not necessarily the same as what is listed in /etc/group. (See below for an explanation.) In fact, the only lookups made to /etc/group are for translating GIDs to group names.

Each process has a set of credentials, which contains (among other things) a "real group ID" (primary GID), an "effective group ID" (EGID), and a list of "supplementary group" IDs (secondary GIDs). By default, a process inherits its credentials from its parent; however, processes running as root (UID 0) or having the CAP_SETUID capability are allowed to set arbitrary credentials.

In particular, when you log in to Linux (whether in a tty, X11, or over SSH), the login process (/bin/login, gdm, sshd) looks up your username to determine your UID, primary GID, and secondary GIDs. On a personal machine, this just means reading the appropriate lines from passwd and group files (or NIS, LDAP, etc).

Next, the login process switches4 to those credentials before starting your session, and every process you launch from now on will have the exact same UID & GIDs – the system does not check /etc/group anymore5 and will not pick up any modifications made.

In this way, the /usr/bin/groups process will belong to the same groups as you did when you logged in, not what the database says you are in.

Note: The above explanation also applies to almost all Unixes; to the Windows NT family (except UIDs and GIDs are all called "SIDs", there is no "primary group", the credentials are called the "process token", and CAP_SETUID is SeCreateTokenPrivilege or SeTcbPrivilege); and likely to most other multi-user operating systems.

1 getpwuid() and getgrouplist() are used to look up a user's groups.

2 On Linux, glibc uses /etc/nsswitch.conf to determine where to look for this information.

3groups uses getgid(), getegid() and getgroups() to obtain its own credentials.

4 setuid(), setgid(), initgroups() and related.

5 An exception, of course, is the various tools that run elevated (setuid) such as su, sudo, sg, newgrp, pkexec, and so on. This means that su $USER will spawn a shell with the updated group list.

Solution 2:

groups on its own gives the current group membership of the owner of the process. This can differ from groups <username> if the groupdb has changed since the process started or the process owner changed.

Solution 3:

Just restart the computer and both groups and groups user should give the same results.

The reason they were different was because you added yourself to a new group which you weren't a member of when you started the computer.

Related

Windows 7 File Transfer Speed over Gigabit is slow
Enable alt/ctrl + left/right on CentOS command line
MBR: How does BIOS decide if a drive is bootable or not?
What is Windows Priority and Affinity and what advatanges does it provide?
Vim - Is Capslock on?
Synchronize Internet Time in a Windows script?
Gnome: Map AltGr key to Alt
Tools to see ext2/ext3/ext4/btrfs/jfs/xfs filesystems under windows?
Color Printer: Laser vs Inkjet
Drag and drop doesn't work between host and VirtualBox on Windows 7
Using a SSD as my only drive on a laptop
Missing "eject" option on USB drives on Windows 7?