@boltronics
Created January 11, 2022 03:28

#!/bin/bash
# Add supplementary group permissions and update the shell prompt.
# Requires adding the following to .bashrc after PS1 has been set:
#   if [ -n "${PS1_PREFIX}" ]
#   then
#       export PS1="${PS1_PREFIX}${PS1}"
#       unset PS1_PREFIX
#   fi

declare newsubgrp="${1}"

if [ -z "${newsubgrp}" ]
then
    echo "Usage: $(basename "${0}") GROUP" 1>&2
    exit 1
fi

# Only act if GROUP is not already a supplementary group. Compare whole
# names (-x) as fixed strings (-F) so "dock" does not match "docker".
if ! groups | cut -d ' ' -f 2- | tr ' ' '\n' | grep -qxF -- "${newsubgrp}"
then
    export NEWSUBGRP_OLDPS1="${PS1}" PS1_PREFIX="[${newsubgrp}] "
    # sg adds GROUP; the nested newgrp then restores the original primary GID.
    sg "${newsubgrp}" "newgrp $(id -gn)"
    PS1="${NEWSUBGRP_OLDPS1}"
    unset PS1_PREFIX NEWSUBGRP_OLDPS1 newsubgrp
fi
@boltronics
Author

Works like newgrp except adds a user to a subgroup so the user's GID is left untouched.
Usage example:

$ id
uid=1000(boltron) gid=1000(boltron) groups=1000(boltron),50(games)
$ newsubgrp docker
Password: 
[docker] $ id
uid=1000(boltron) gid=1000(boltron) groups=1000(boltron),50(games),963(docker)
[docker] $ 
exit
$ id
uid=1000(boltron) gid=1000(boltron) groups=1000(boltron),50(games)
$ 

@boltronics
Author

Starting from Debian 13, Debian has replaced the login package from shadow with the utilities from util-linux (Debian bug report #833256).

In the case of either implementation, the output of the id command after calling sg <somegroup> will list the group in both the gid= value, as well as in the supplementary groups= list. However, only shadow's sg implementation will seemingly tell the truth about what it's told the kernel.

Debian 12:

abolte@debian12:~$ getent group docker
docker:x:109:
abolte@debian12:~$ id
uid=1000(abolte) gid=1000(abolte) groups=1000(abolte),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
abolte@debian12:~$ sg docker
Password: 
abolte@debian12:~$ id
uid=1000(abolte) gid=109(docker) groups=109(docker),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),1000(abolte)
abolte@debian12:~$ grep 109 /proc/self/status
Gid:	109	109	109	109
Groups:	24 25 27 29 30 44 46 100 106 109 1000 
abolte@debian12:~$ dpkg -S "$(which sg)"
login: /usr/bin/sg
abolte@debian12:~$ apt-cache show login | grep ^Homepage
Homepage: https://github.com/shadow-maint/shadow
abolte@debian12:~$ 

Debian 13:

abolte@debian13:~$ getent group docker
docker:x:103:
abolte@debian13:~$ id
uid=1000(abolte) gid=1000(abolte) groups=1000(abolte),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),101(netdev)
abolte@debian13:~$ sg docker
Password: 
abolte@debian13:~$ id
uid=1000(abolte) gid=103(docker) groups=103(docker),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),101(netdev),1000(abolte)
abolte@debian13:~$ grep 103 /proc/self/status
Gid:	103	103	103	103
abolte@debian13:~$ dpkg -S "$(which sg)"
login: /usr/bin/sg
abolte@debian13:~$ apt-cache show login | grep ^Homepage
Homepage: https://github.com/util-linux/util-linux
abolte@debian13:~$ 

In Debian 12, the supplementary group Groups: line of /proc/self/status shows the ID of the group that was added, yet it does not appear there in Debian 13. As you might surmise, this prevents newsubgrp from working.

Fortunately, Arch continues to use shadow at the time of writing, and that's what I use these days. It's why it took me this long to notice the issue.
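
The comparison made by hand above with grep on /proc/self/status can be scripted so that a wrapper confirms the kernel's view instead of trusting id. The following is an added example, not part of the gist or of either sg implementation; the function names are hypothetical, and the Debian 13 Groups: line in the sample is assumed because the page only shows that 103 is missing from it.

```bash
#!/bin/bash
# Added example (not part of the gist): ask the kernel, not id(1), whether a
# GID is really in the supplementary group list.

# gid_membership GID [STATUS_FILE]   ("-" reads a status dump from stdin)
# Prints: supplementary | primary-only | absent
# Fields are compared whole, so GID 10 does not match 100 or 109.
gid_membership() {
    awk -v gid="$1" '
        $1 == "Gid:"    { for (i = 2; i <= NF; i++) if ($i == gid) primary = 1 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == gid) supp = 1 }
        END {
            if (supp)         print "supplementary"
            else if (primary) print "primary-only"
            else              print "absent"
        }' "${2:-/proc/self/status}"
}

# Live check for the current process (hypothetical helper name).
# Returns 0 only when GROUP's GID is in the kernel's Groups: line.
has_supplementary_group() {
    gid="$(getent group "$1" | cut -d: -f3)"
    [ -n "${gid}" ] && [ "$(gid_membership "${gid}")" = "supplementary" ]
}

# Constructed sample: the Gid:/Groups: lines from the Debian 12 session above.
sample_debian12() {
    printf 'Gid:\t109\t109\t109\t109\n'
    printf 'Groups:\t24 25 27 29 30 44 46 100 106 109 1000\n'
}

# Constructed sample for Debian 13: the Gid: line is from the session above;
# the Groups: line is assumed (the page only shows that 103 is not in it).
sample_debian13() {
    printf 'Gid:\t103\t103\t103\t103\n'
    printf 'Groups:\t24 25 27 29 30 44 46 100 101 1000\n'
}

echo "debian12/109: $(sample_debian12 | gid_membership 109 -)"
echo "debian13/103: $(sample_debian13 | gid_membership 103 -)"
```

Calling has_supplementary_group inside the shell that sg spawns tells a wrapper whether the group was actually granted before it changes the prompt.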

@boltronics
Author

Issue report opened. util-linux/util-linux#4098
