A setuid helper that adds a group to your supplementary group list
without changing your primary GID. It allows for an easy way to
temporarily elevate shell privileges, without changing the default
group ownership for things like file creation (as would be the case if
using the newgrp command directly).
This functions as a replacement for the sg + newgrp trick (refer
to my
newsubgrp
gist) that broke when Debian 13 migrated sg from shadow-utils to
util-linux (Debian bug report
#1130245). A
number of recent Debian-derived distributions have also been impacted.
It should be noted that util-linux does not provide an official sg
command at the time of writing, so Debian uses a symbolic link to
newgrp instead. There has been interest expressed from both
util-linux and Debain in getting the issue resolved, so this
work-around utility is not expected to have a long lifespan.
I'm not a C programmer by trade, so cannot guarantee this approach is secure. The binary needs to be setuid root to work, so root privilege elevation may be possible if there are bugs.
Depending on your situation, it may still be safer than, for example,
adding a risky group directly and permanently to the supplementary
group of your primary user account. eg. docker, wireguard, etc.
Let's say that you have a password protected group (eg. the docker
group in the examples that follow, configured using gpasswd docker)
and your user account's primary group is named mygroup (as reported
by the output of id -gn).
When you use sg docker to switch your primary group ID to the
docker group, and then newgrp mygroup to switch the primary GID
back, the target group of the sg command would historically remain
as a supplementary group. Shadow's sg added the group to the
supplementary list; when sg is symlinked to util-linux's newgrp
command, it does not.
Debian 13, along with other distributions based on Debian (including
at least Ubuntu 25.10) have shipped the util-linux newgrp symlink
approach. This tool provides a way to sidestep the issue on such hosts
by directly manipulating the supplementary group list.
If your system's sg command is from the shadow package, sg docker "newgrp "$(id -gn)"" will likely be a safer option to achieve the
same result — refer to the
newsubgrp
gist instead.
nsg dockerAlternatively, if using the prompt integration suggested below:
newsubgrp dockerThis adds docker to your supplementary groups and spawns a new shell
and, unlike what happens with the newgrp command, your primary GID
remains unchanged. Type exit to return to your original session
(without the extra group).
You must enter the group's password as configured via gpasswd.
Access is denied if no password is set.
makesudo make installThis installs a nsg binary to /usr/local/bin with setuid root
permissions (mode 4755).
Add the following to your ~/.bashrc after PS1 is set:
if [ -n "${NEWSUBGRP_GROUP}" ]
then
PS1="[${NEWSUBGRP_GROUP}] ${PS1}"
unset NEWSUBGRP_GROUP
fiThen create a wrapper script (e.g., ~/.local/bin/newsubgrp):
declare newsubgrp="${1}"
if [ -z "${newsubgrp}" ]
then
echo "Usage: $(basename ${0}) GROUP" 1>&2
exit 1
fi
# Check if we already have this group
if id -Gn | tr ' ' '\n' | grep -qx "${newsubgrp}"
then
echo "Already a member of ${newsubgrp}" >&2
exit 0
fi
export NEWSUBGRP_GROUP="${newsubgrp}"
exec nsg "${newsubgrp}"- The binary is setuid root. It drops privileges immediately after
calling
setgroups()andsetgid(), and verifies that the drop succeeded before execing the shell. - The binary never runs user-supplied commands as root.
- Group passwords are read from
/etc/gshadowwhen available. - Password input is read with terminal echo disabled and the buffer is zeroed before being freed.
- Compiled with
-D_FORTIFY_SOURCE=2and linked with full RELRO by default.
Public domain / CC0.