newgrp in a script

Nathe · January 8, 2004, 5:11am

I want to do these commands in a script:
if the user name is 'toto' then the user switch to the group toto_group and then 2 others scripts are launched.
Unfortunately, after the command 'newgrp' the 2 scripts are not launched correctly.
But if I do the same, by hand, one line per one line, it works!! Why ?? I work on with a SUNOS5.7

Thanks for your help !

jayakhanna · January 8, 2004, 6:41am

I am not getting your problem, it would be nice if you can post your code here

Regards
JK

Nathe · January 8, 2004, 7:43am

Yes, my code is:

#! /bin/csh

set PATH_CPT = `pwd`;
set PRJ = '/home/myproject/'
echo "Changement de groupe UNIX touareg"
newgrp my_project &
## creation of the ANABE_CFG directory
if !( -d $PATH_CPT/ANABE_CFG ) then
mkdir $PATH_CPT/ANABE_CFG
cd $PATH_CPT/ANABE_CFG
mkdir CALIBRE
mkdir PROJECT
else echo " $PATH_CPT/ANABE_CFG directory already exists "
endif

stconf

icfb&

Perderabo · January 8, 2004, 8:08am

The newgrp command fires up a subshell. When you run it by hand, the subshell reads the next commands. You are running newgrp in a script. The script continues to read the commands while the subshell does nothing.

You don't need newgrp anymore. It was needed when you could only be in one group at a time. Now you can be in many at a time. Type "groups" to see your list.

newgrp has been obsolete for over a decade. But this is the second question on newgrp in the past few weeks.

oombera · January 8, 2004, 9:17am

There's a good reason for that. Guess the OP didn't catch it the first time you said this command is obsolete.

Nathe · January 8, 2004, 9:24am

Yes, you said that the command is obsolete but I don't know haw to do what I want !!

To secure the account of my project we create a 'subroup'. So, everybody in the team belongs to group A but few persons belongs to group B. So that the UNIX right are not the same for everybody. If everybody can read all datas, only few persons are authorised to write on the project account. To do that, I though to use the command newgrp. When we work for the project, before launching applications, we do newgrp.

How can I do that without (or with ??) using newgrp ??!!

Thanks

Nathe

Perderabo · January 8, 2004, 10:19am

For newgrp to work, the user must be listed in the group entry. But if the user is listed in the group entry, the login program will make the user a member of the group at login time. Thus newgrp is a no-op. I just tested this on Solaris. Try it yourself:
groups
newgrp somegrp
groups
This might be useful is a user was recently added to a group, I suppose. But the user some just sign off and on again. Or exec login or something.

Or you could be using group passwords. But there is no tool to assign them. Did you write one or something? There is no equivalent of /etc/shadow for group passwords. You would be leaving the encrypted password in plain sight. The manpage for newgrp warns against using group passwords. Group passwords were deprecated over a quarter of a century ago.

Doing what you want is trivial. I can't imagine how your got it work with newgrp but arranged for it to not work without newgroup. In fact, I strongly suspect that you are finished, but don't know it.

Everyone is in groupa. A few people are in groupb. Now you do:
chgrp groupb somefile
chmod 464 somefile

Now everyone can read somefile. Those folks (and only those folks) in groupb can write it. And all the groupb people need to do is logon. Forget about newgrp. It is that simple.

Nathe · January 8, 2004, 10:39am

I see that you don't get what I want to do... sorry for my expression in english !!

My project TOTO have a primary group B and a secondary group A
My account have a primary group A and a secondary group B
My colleague C1 has a primary group A and a secondary group B
My colleague C2 has only a primary group A

When I work for TOTO I'd like to have right to write on, from my own account.
Same for my colleague C1. C2 is able to read but not write on TOTO.

For the moment, I have a script wich check if you are authorized to work on the project. If 'yes' the umask is set to 002 and I do newgrp and so on. So that each created file is AUTOMATICALLY created with the group B.

I don't have 'root' permissions. So I can not execute 'chgrp' on the account TOTO for all the files don't belong to me. My application create a lot of files/directory so it is hard to do 'chgrp' each 5 minutes and more hard to request to each user to do the same!!

I try to forget newgrp but... I can't !!

Perderabo · January 8, 2004, 11:01am

If you need help from your system administrator, get it! System admins are paid to help people like you. Still, you can probably handle this without help....

It is hard to set set the sgid bit on a directory with Solaris. But it can be symbolically.

mkdir somedir
chgrp groupb somedir
chmod g+s somedir

Now every file created in somedir will get a group of groupb.

If you can write to a directory, you really can change the group of a file in that directory:
cd somedir
cp somefile somefileNEW
rm somefile
mv somefileNEW somefile
You seem to be able to write scripts, this should be a 5 minute job.

You need to get everyone to "umask 002". Ask them to put it in their .profiles.

Nathe · January 8, 2004, 11:20am

I ask my local support but I have no reply...

I've made a script which do the copy and then the remove of directories of the project account. I works well. I just have to launch it one or two times a day.

Thanks for your help.

Perderabo · January 8, 2004, 11:34am

Notice the "chmod g+s dir" trick. Once you do that, all new files get the correct group automatically.

You should not need to rerun your script ever. You just run it once to get the old files right.

Nathe · January 8, 2004, 11:42am

Goog trick !!
Thanks !!