From: Jan Braun
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: chpst -u and supplementary groups
Date: Mon, 19 Aug 2019 14:08:07 +0200
Message-ID: <20190819120807.v4f2xe2mwjky3p2p@klumpi.ignorelist.com>
To: supervision@list.skarnet.org

Hello list!

Yesterday, I spent way too much time chasing down a permissions problem caused by the fact that "chpst -u acc prog..." only sets the account's primary group, and ignores any supplementary groups the account may be a member of.

TFM mentions "All initial supplementary groups are removed.", but I failed to memorize that. (Also, what does "initial" signify here?)

My inability to see the issue came from the fact that all other similar programs (I'm aware of) do in fact add the supplementary groups.
Watch:
| # chpst -u test id
| uid=1003(test) gid=1003(test) groups=1003(test)
| # runuser -u test id
| uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
| # s6-setuidgid test id
| uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
| # su - test -c id
| uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
| # su test -c id
| uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
| # sudo -u test id
| uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
| #

So now I'm wondering:
What are the use cases for not applying existing supplementary groups?
Should chpst apply them by default?
Should chpst grow an option to (not) apply them? "chpst -u acc: prog..." is still free.
Or is everything as it's supposed to be, and people might need to munge the output of "getent initgroups acc" and feed it to the -u option?

I'll be happy to try to come up with a patch (even if it's still a fatter warning in the manpage) if people can agree here what the right thing to do is.

regards,
    Jan
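
Added example, not part of the original post and not runit code: one way to do the munging asked about above, using id(1) rather than "getent initgroups" and relying on the numeric form "-u :uid:gid[:gid...]" described in the chpst man page. The function names are hypothetical helpers, and the account name "test" is the one from the post.

```shell
#!/bin/sh
# Added example (not from the post, not part of runit): build a numeric
# "chpst -u" argument that keeps an account's supplementary groups.
# Function names are hypothetical helpers.

# Succeeds only for a non-empty string of decimal digits.
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# format_chpst_user UID GID "GID GID ..."
# Prints ":uid:gid[:gid...]": primary gid first, duplicates dropped.
# The leading colon makes chpst treat every field as a number, so nothing
# is looked up in passwd/group again at exec time.
format_chpst_user() {
    fu_uid=$1 fu_gid=$2 fu_all=$3
    is_num "$fu_uid" || return 1
    is_num "$fu_gid" || return 1
    fu_seen=":$fu_gid:"
    fu_out=":$fu_uid:$fu_gid"
    for fu_g in $fu_all; do
        is_num "$fu_g" || return 1      # refuse names or garbage
        case "$fu_seen" in
            *":$fu_g:"*) continue ;;    # already listed
        esac
        fu_seen="$fu_seen$fu_g:"
        fu_out="$fu_out:$fu_g"
    done
    printf '%s\n' "$fu_out"
}

# chpst_user_arg ACCOUNT
# Resolves the account once through id(1), which reports the primary gid
# and the supplementary gids together.
chpst_user_arg() {
    cu_uid=$(id -u "$1") || return 1
    cu_gid=$(id -g "$1") || return 1
    cu_all=$(id -G "$1") || return 1
    format_chpst_user "$cu_uid" "$cu_gid" "$cu_all"
}

# In a run script (account name "test" as in the post):
#   exec chpst -u "$(chpst_user_arg test)" prog...
```

The gid list is a snapshot taken when the run script starts, so a later change to the account's group membership takes effect only after the service is restarted.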