I added a user to a group, but group permissions on files still have no effect

user2 needs to log out and back in. Group permissions work this way:

  • When you log in, your processes get to have group membership in your main group mentioned in /etc/passwd, plus all the groups where your user is mentioned in /etc/group. (More precisely, the pw_gid field in getpw(your_uid), plus all the groups of which your user is an explicit member. Beyond /etc/passwd and /etc/group, the information may come from other kinds of user databases such as NIS or LDAP.) The main group becomes the process's effective group ID and the other groups become its supplementary group IDs.
  • When a process performs an operation that requires membership in a certain group, such as accessing a file, that group must be either the effective group ID or one of the supplementary group IDs of the process.

As you can see, your change to the user's group membership only takes effect when the user logs in. For running processes, it's too late. So the user needs to log out and back in. If that's too much trouble, the user can log in to a separate session (e.g. on a different console, or with ssh localhost).

Under the hood, a process can only ever lose privileges (user IDs, group IDs, capabilities). The kernel starts the init process (the first process after boot) running as root, and every process is ultimately descended from that process¹. The login process (or sshd, or the part of your desktop manager that logs you in) is still running as root. Part of its job is to drop the root privileges and switch to the proper user and groups.

There's one single exception: executing a setuid or setgid program. That program receives additional permissions: it can choose to act under various subsets of the parent process's memberships plus the additional membership in the user or group that owns the setxid executable. In particular, a setuid root program has root permissions, hence can do everything²; this is how programs like su and sudo can do their job.

¹ There are occasionally processes that aren't derived from init (initrd, udev) but the principle is the same: start as root and lose privileges over time.
² Barring multilevel security frameworks such as SELinux.


You might need to have user2 log out and back in (or just try ssh'ing in to create a new login session). Check the output of id --groups to show the numeric group ids for a user.


sudo su $(whoami)

Essentially the same workaround as ssh localhost, but usable without having an ssh server installed.

So long as you have root . But if you've just added a new group & changed permissions, you likely do.