[LUNI] adding user to a group?
Kelly Martin
kmartin at pyrzqxgl.org
Mon Jun 2 15:46:28 CDT 2003
Ronald Petty wrote:
> If I add a user to a group, is there a way to make a process that is
> currently running under the user (when the process started was not in
> that group) use the new group info so the running process can get
> access?
>
> file one (owned by group X)
> process one (owned by user a)
>
> a is not in group x (assume 770 for permissions, so a cannot read x
> group files)
>
> If I add a to group x, he should be able to read them, however if the
> process is already running it doesn't seem to let that process.
>
> Help the blind please :) (I know I can start a new shell and login, but
> is there another way).

There is not another way[*]. There is no kernel API for modifying the
real or effective group list of a different process, and the API for
modifying your own real or effective group list restricts expanding
those lists to the superuser. New processes (by default) inherit their
parent's group memberships.

This is something to think about if you use groups for security: a
revocation of an individual user's group rights will not be effective
until the user logs out. If you use groups for security control you
have to remember to kill all of that user's processes after revoking a
group membership, or risk a security breach.

Kelly

[*] Ok, it is possible, but you'd have to hack the kernel.
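
Added example, not part of the original post: a check for the revocation gap described above, listing processes of a user that still carry a group the user has been removed from. It reads the Uid, Gid and Groups lines of Linux /proc/<pid>/status; the function names, uid 1000, gid 2001 and the sample PIDs are constructed for illustration.

```python
import os

def parse_creds(status_text):
    """Return (real_uid, gids) parsed from the text of /proc/<pid>/status."""
    uid, gids = None, set()
    for line in status_text.splitlines():
        key, _, rest = line.partition(":")
        fields = rest.split()
        if key == "Uid" and fields:
            uid = int(fields[0])  # first field is the real uid
        elif key in ("Gid", "Groups"):
            # Gid: real/effective/saved/fs gid; Groups: supplementary list
            gids.update(int(f) for f in fields)
    return uid, gids

def stale_holders(statuses, uid, revoked_gid):
    """PIDs owned by uid whose credentials still include revoked_gid."""
    hits = []
    for pid, text in statuses.items():
        p_uid, gids = parse_creds(text)
        if p_uid == uid and revoked_gid in gids:
            hits.append(pid)
    return sorted(hits)

def read_proc(root="/proc"):
    """Collect {pid: status text} from a live Linux system."""
    statuses = {}
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(root, name, "status")) as fh:
                statuses[int(name)] = fh.read()
        except OSError:  # process exited while we were scanning
            continue
    return statuses

# Constructed sample: uid 1000 was removed from gid 2001 after PID 4242 started.
SAMPLE = {
    4242: "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000 2001 \n",
    5150: "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000 \n",
    6001: "Name:\tvim\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001 2001 \n",
    7: "Name:\tkthreadd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t \n",
}

if __name__ == "__main__":
    print(stale_holders(SAMPLE, 1000, 2001))
```

On a live system, stale_holders(read_proc(), uid, gid) returns the PIDs that have to be killed or restarted before the revocation takes effect.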