LinuxCommandLibrary

sg

Execute command under different group ID

TLDR

Scan for possible queries using interactive mode

$ sg scan --interactive

Rewrite code in the current directory using patterns
$ sg run --pattern '[foo]' --rewrite '[bar]' --lang [python]

Visualize possible changes without applying them
$ sg run --pattern '[useState<number>($A)]' --rewrite '[useState($A)]' --lang [typescript]

Output results as JSON, extract information using jq and interactively view it using jless
$ sg run --pattern '[Some($A)]' --rewrite '[None]' --json | jq '[.[].replacement]' | jless

SYNOPSIS

sg [-] [group] [-c command | command [arguments...]]

PARAMETERS

group
    The name of the group to which the effective group ID of the executed command will be set. The user must be a member of this group. If omitted, sg will either use the user's default group (if starting a shell) or the current user's supplementary groups (when used with -c), or it may result in an error if a group context is implicitly required.

-c command
    Execute the specified command string. This is useful for passing commands with spaces, special characters, or multiple commands, ensuring they are executed as a single unit under the specified group context. If no group is specified, the command runs with the user's current supplementary groups.

command [arguments...]
    The command to be executed with the changed group ID, along with its arguments. This is an alternative to using -c. If neither a command nor -c is provided, and a group is specified, sg will attempt to start a new shell with that group.

-
    When specified as an option, it reinitializes the environment similar to a login shell. This means many environment variables (e.g., PATH, HOME, SHELL) might be cleared and re-set, affecting how the executed command behaves. It can be used alone or in conjunction with a group and/or command.

DESCRIPTION

The sg (set group) command allows a user to execute a command with the effective group ID of a specified group, while retaining their original user ID and login session. This is particularly useful when a user needs to temporarily gain access to resources (e.g., files or directories) that are restricted to a particular group, without fully switching their user identity or primary group. To use sg successfully, the user must be a member of the target group, or have root privileges.

Unlike newgrp, which changes the primary group of the current shell session, sg executes a command with an additional group ID, leaving the primary group and other supplementary groups of the session unchanged. If no command is specified (and the -c option is not used), sg will attempt to start a new shell with the specified group ID as its effective group. This allows for fine-grained control over group-based permissions for specific operations.

CAVEATS

The user must be a member of the specified group or be the root user to use sg successfully.
Only the effective group ID of the executed command is changed; the user's primary group and other supplementary groups in the current shell session remain unaffected.
Using the - option can significantly alter the environment variables, which might impact the execution of the command.
Shell-specific features (such as shell aliases or functions) may not be available in the executed command's context unless explicitly sourced or passed.

ENVIRONMENT IMPACT

When sg executes a command, it typically inherits the environment variables of the calling shell. However, if the - option is used, the environment is reset to a 'login' state, similar to how su - operates. This can affect how the executed command behaves, especially regarding PATH, HOME, and other variables, and should be considered when troubleshooting command execution.

SECURITY CONTEXT

While sg grants temporary group privileges, it does not grant full root access. The executed command still runs under the user's original effective user ID. This design limits its capabilities to group-specific permissions, making it a safer and more controlled alternative to tools like su or sudo when only specific group privileges are required.
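
An added example, not part of the original page or of shadow-utils: a shell function that lists which accounts satisfy the membership rule above for a given group, useful when reviewing who can reach group-restricted resources through sg. The function name sg_candidates and the sample passwd/group text are constructed for illustration, and only the membership rule stated on this page is modelled.

```shell
# Constructed sample data in passwd(5) and group(5) format (not from a real host).
SAMPLE_PASSWD='alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:2000::/home/carol:/bin/bash'
SAMPLE_GROUP='alice:x:1000:
bob:x:1001:
deploy:x:2000:alice
backup:x:2001:alice,bob'

# sg_candidates GROUP PASSWD_TEXT GROUP_TEXT   (hypothetical helper)
# Prints, sorted and space-separated, every account that is a member of GROUP:
# either listed in the member field of the group entry, or holding GROUP's gid
# as its primary gid in the passwd entry. Returns 2 if GROUP does not exist.
sg_candidates() {
    sgc_out=$(printf '%s\n---\n%s\n' "$3" "$2" | awk -F: -v want="$1" '
        $0 == "---" { in_passwd = 1; next }      # separator: passwd lines follow
        !in_passwd && $1 == want {               # the group entry we are auditing
            gid = $3; found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            next
        }
        in_passwd && found && $4 == gid { seen[$1] = 1 }   # primary-group members
        END {
            if (!found) exit 2
            for (u in seen) print u
        }') || return 2
    printf '%s\n' "$sgc_out" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Run against the constructed sample: alice is listed explicitly, carol has
# deploy (gid 2000) as her primary group.
sg_candidates deploy "$SAMPLE_PASSWD" "$SAMPLE_GROUP"; echo
```

On a live system the same function can be fed `"$(getent passwd)"` and `"$(getent group)"` in place of the sample text.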

HISTORY

The sg command has been a staple in Unix-like systems for managing temporary group privilege escalation without requiring a full user identity switch. Its development has focused on providing a secure and flexible way for users to access group-restricted resources within their existing login session, distinguishing it from tools that create entirely new user sessions or change the primary group permanently for a session. It is typically part of the `shadow-utils` package on many Linux distributions, which handles user and group account management.

SEE ALSO

newgrp(1), su(1), sudo(8), id(1), groups(1)
