setgroups Command

Purpose

Resets a session's process group set.

Syntax

setgroups [ - ] [ -a GroupSet ] [ -d GroupSet ] [ -r [ Group ] ] [ GroupSet ]

Description

The setgroups command, by default, displays the user's current group set and process group set for the current shell. A user's group set is defined in the user database files. When given a flag and a GroupSet parameter, this command resets the process group set as listed by the GroupSet parameter. The GroupSet parameter is a comma-separated list of group names. The available groups are defined in the user database files.

You can also use the setgroups command to add or delete groups from the current group set. Using the -r flag, you can reset the real group ID. If you specify the GroupSet parameter but no flags, the setgroups command resets all the groups and makes the first group in the list the real group. The setgroups command does not change the security characteristics of the controlling terminal.

When you run the setgroups command, the system always replaces your shell with a new one. The command replaces your shell regardless of whether the command is successful or not. For this reason, the command does not return error codes.

The setgroups -r command is identical to the newgrp command.

Flags

Item Description
-a GroupSet Adds the groups specified by the GroupSet parameter to the current session. The number of groups in the new set must not exceed NGROUPS_MAX groups, a value defined in the limits.h file. The real group ID is not changed.
-d GroupSet Removes the groups specified by the GroupSet parameter from the current session. If the real group is removed, the next group listed in the current set becomes the real group.
-r Group Resets the real group for the current process. If you do not specify a Group parameter and the current real group is not the primary group, the -r flag removes the current real group and resets the real group to the original primary group. If you specify a Group parameter, this behaves identically to the newgrp command.
- Re-initializes the group set of the session to its original login state.

Security

Access Control: This command should be a general user program. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.

Files Accessed:

Mode Files
r /etc/passwd
r /etc/group

Auditing Events:

Event Information
USER_SetGroups realgroup, groupset

Examples

  1. As user sah, you can display your current group membership and process group set by entering:
    setgroups
    Output similar to the following appears:
    sah:
    
       user groups = staff,payroll
       process groups = staff,payroll
  2. To add the finance group to the process group of the current session, enter:

    setgroups -a finance

  3. To set your real group to finance, enter:
    setgroups finance,staff,payroll
    This sets finance as the real group. The staff and payroll groups make up the supplementary group list.
  4. To delete the payroll group from the current process group set, enter:

    setgroups -d payroll

  5. To change the process group set back to your default set, enter:

    setgroups -

    This resets your current session to its original state just after you log in.
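
Because the setgroups command does not return error codes, a change can only be confirmed by reading the resulting group set. The following added example (not part of the original documentation) parses display output in the layout of Example 1 and reports whether a group is in the process group set and which process groups fall outside the user's group set. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a session's group set from saved `setgroups` display output.
# Assumes the layout shown in Example 1; function names are hypothetical.

# Constructed sample: Example 1's output as it might look after Example 2.
SAMPLE='sah:

   user groups = staff,payroll
   process groups = staff,payroll,finance'

# sg_list OUTPUT KIND: print one group per line for KIND ("user" or "process").
sg_list() {
    printf '%s\n' "$1" | awk -v kind="$2" '
        {
            sub(/^[ \t]+/, "")
            sub(/[ \t\r]+$/, "")
            if (index($0, kind " groups") == 1) {
                sub(/^[^=]*=[ \t]*/, "")
                n = split($0, g, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++) if (g[i] != "") print g[i]
                exit
            }
        }'
}

# sg_has OUTPUT GROUP: succeed only if GROUP is in the process group set.
sg_has() {
    sg_list "$1" process | grep -Fxq -- "$2"
}

# sg_extra OUTPUT: comma-separated process groups that are not in the user's
# group set (empty when the session holds nothing beyond that set).
sg_extra() {
    _sg_user=$(sg_list "$1" user)
    sg_list "$1" process | while IFS= read -r _sg_g; do
        printf '%s\n' "$_sg_user" | grep -Fxq -- "$_sg_g" || printf '%s\n' "$_sg_g"
    done | paste -sd, -
}

# Report for the sample; the exit status of sg_has stands in for the error
# code that setgroups itself does not return.
if sg_has "$SAMPLE" payroll; then echo "payroll is still in the process group set"; fi
echo "outside the user group set: $(sg_extra "$SAMPLE")"
```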

Files

Item Description
/usr/bin/setgroups Contains the setgroups command.
/etc/group Contains basic group attributes.
/etc/passwd Contains basic user attributes.