Why does one need to reboot a Linux system for group membership changes to take effect? I mean, why is not logging out and in again sufficient? The user session manager would reread the group file and that is it. What is the problem with this approach?
- https://superuser.com/q/272061/105002 – choroba Jan 13 '24 at 18:14
- Does this answer your question? Reload a Linux user's group assignments without logging out – Giacomo1968 Jan 13 '24 at 18:27
- "why is not logging out and in again sufficient ... What is the problem with this approach?" - Simply because that doesn't cover all the possibilities. Say the change is the removal of a user from a group. If that user is aware of the change and intentionally stays logged in, then the "change" is deferred and ineffective. – sawdust Jan 14 '24 at 03:52
2 Answers
If you look at a process tree, you'll probably see that a large chunk of your (graphical) session is started indirectly, as child processes under systemd --user which acts as the session manager, and importantly, which is not part of your logon session as such – the entire manager is launched indirectly as a system service when you log in, then stopped when you log out.
More importantly, though:
There's only one instance of this manager per UID, shared across all of your sessions, so it's not enough to log out from the graphical session if you still have any other (console, ssh) sessions present; it's only stopped when the user has no more sessions at all.
In recent versions there is a deliberate delay before the manager is stopped after all sessions are gone. You might need to wait a minute before logging in again.
The same manager is often used to run actual user-level services, so it may even be configured to start on boot and never exit. If you've done loginctl enable-linger in the past (check /var/lib/systemd/linger to see if you've done so), then the manager will stick around even after logout – until manually stopped with systemctl --user exit or until you reboot.
(Note that the component typically called "session manager" is not what reads your group memberships. That's done by the process that starts the session manager – e.g. by GDM for graphical logins.)
The short answer is that you don't need to reboot to update group membership, but any processes started by that account prior to the membership change will need to be restarted.
This will include any currently open login sessions, as well as (depending on your configuration) your graphical desktop service.
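Both answers come down to the same fact: a running process keeps the group list it was started with. The following script is an added example, not part of either answer. It compares the GIDs recorded in /proc/<pid>/status with what the group database grants now; the function names, the script name in the usage comment and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: list a user's processes whose kernel credentials no longer
# match the group database (changes made after the process was started).

# Constructed sample of /proc/<pid>/status content (not captured from a real host).
SAMPLE_STATUS='Name:   bash
Uid:    1000 1000 1000 1000
Gid:    1000 1000 1000 1000
Groups: 4 27 999 1000'

# GIDs a process holds: Gid: and Groups: lines, de-duplicated, space separated.
proc_gids() {
    printf '%s\n' "$1" | awk '
        /^(Gid|Groups):/ { for (i = 2; i <= NF; i++) if (!seen[$i]++) gids = gids " " $i }
        END { print substr(gids, 2) }'
}

# Members of list $1 that are absent from list $2 (whitespace separated).
set_minus() {
    out=
    for g in $1; do
        case " $(echo $2) " in
            *" $g "*) ;;
            *) out="${out:+$out }$g" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Walk /proc and report every process of user $1 that holds a GID the
# database no longer grants, or lacks one it now grants.
audit_user() {
    uid=$(id -u "$1") || return 1
    db=$(id -G "$1")   # with a name argument, id reads the database, not this shell
    for dir in /proc/[0-9]*; do
        st=$(cat "$dir/status" 2>/dev/null) || continue   # process may have exited
        [ "$(printf '%s\n' "$st" | awk '/^Uid:/ { print $2 }')" = "$uid" ] || continue
        held=$(proc_gids "$st")
        stale=$(set_minus "$held" "$db")
        missing=$(set_minus "$db" "$held")
        [ -n "$stale$missing" ] || continue
        name=$(printf '%s\n' "$st" | awk '/^Name:/ { print $2 }')
        echo "pid=${dir#/proc/} comm=$name still-held=[$stale] not-yet-held=[$missing]"
    done
}

# Usage: sh audit-groups.sh USERNAME   (does nothing when run without arguments)
if [ $# -gt 0 ]; then audit_user "$1"; fi
```

A process reported with a non-empty still-held list keeps the access of a group the user was removed from until that process is restarted, which is the deferred-removal case raised in the comments.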