GID, current, primary, supplementary, effective and real group IDs?
You mix two different distinctions here:
- Between real and effective group ids
- Between primary and supplementary users' groups
The first distinction refers to how processes are being run. Normally, when you run a command/program, it is run with the privileges of your user. Its real group id is the same as your user's primary group. This can be changed by a process in order to perform some tasks as a member of another special group. To do that, programs use the `setgid` function that changes their effective group id.
The second distinction refers to users. Each user has his/her primary group. There is only one per user and it is referred to as gid in the output of the `id` command. Apart from that, each user can belong to a number of supplementary groups - and these are listed at the end of `id` output.
[Edit]:
I agree that the manpage for `id` is somewhat misleading here. It is probably because it is a stripped-down version of the description provided by the info document. To see it more clearly, run `info coreutils "id invocation"` (as suggested at the end of the `id` manual).
The kernel view
Conceptually, there are three sets of groups that a process is a member of. Each set is a subset of the following one.
- The single group that is the process's default group, which files created by this process will belong to.
- The set of groups that are checked when the group requires permission to open a file.
- The set of groups that a process running with extra privileges can draw upon.
For historical reasons, these sets are respectively:
- the effective group ID (egid);
- the effective group ID plus the supplementary group IDs;
- all of the above plus the real group ID and the saved set-group-ID.
Normally, a program has a single user ID. If the executable has the setuid mode bit set, then the program has two user IDs: its effective user ID is the one that matters for file permissions, per-user limits, determining whether the process is running as root and so on. The process can switch between the effective and the real user IDs, if it doesn't need its extra privileges all the time, or if it needs to switch between two non-root users.
The same mechanism exists for groups. For groups, there is an additional feature which didn't exist when the system was designed: a process can be a member of any number of groups; these are the supplementary group IDs.
The user database view
Once a user is authenticated, the login process switches to that user, just before launching the user's shell (or whatever program the user requested). Just before switching to the desired user (and losing root privileges), the login process switches to the desired groups.
In early unix versions, a process could only be in a single group. This group is the user's primary group ID, stored in the user database (typically `/etc/passwd`). This group becomes the real and effective group ID of the shell or other program launched by the login process.
Nowadays, a process can be in multiple groups, so users can be in multiple groups, too. The group database (typically `/etc/group`) contains a list of users for each group. These groups become supplementary group IDs for the program launched by the login process.