From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.comp.sysutils.supervision.general/2659
Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail
From: Steve Litt <slitt@troubleshooters.com>
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: chpst -u and supplementary groups
Date: Mon, 19 Aug 2019 15:33:04 -0400
Message-ID: <20190819153304.66ee48f8@mydesk.domain.cxm>
References: <20190819120807.v4f2xe2mwjky3p2p@klumpi.ignorelist.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226";
	logging-data="7330"; mail-complaints-to="usenet@blaine.gmane.org"
To: supervision@list.skarnet.org
Original-X-From: supervision-return-2249-gcsg-supervision=m.gmane.org@list.skarnet.org Mon Aug 19 21:33:16 2019
Return-path: <supervision-return-2249-gcsg-supervision=m.gmane.org@list.skarnet.org>
Envelope-to: gcsg-supervision@m.gmane.org
Original-Received: from alyss.skarnet.org ([95.142.172.232])
	by blaine.gmane.org with smtp (Exim 4.89)
	(envelope-from <supervision-return-2249-gcsg-supervision=m.gmane.org@list.skarnet.org>)
	id 1hznP0-0001kc-3f
	for gcsg-supervision@m.gmane.org; Mon, 19 Aug 2019 21:33:14 +0200
Original-Received: (qmail 2832 invoked by uid 89); 19 Aug 2019 19:33:38 -0000
Mailing-List: contact supervision-help@list.skarnet.org; run by ezmlm
Original-Sender: <supervision@list.skarnet.org>
Precedence: bulk
List-Post: <mailto:supervision@list.skarnet.org>
List-Help: <mailto:supervision-help@list.skarnet.org>
List-Unsubscribe: <mailto:supervision-unsubscribe@list.skarnet.org>
List-Subscribe: <mailto:supervision-subscribe@list.skarnet.org>
List-Id: <supervision.list.skarnet.org>
Original-Received: (qmail 2825 invoked from network); 19 Aug 2019 19:33:38 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	h=X-Originating-IP:Date:From:To:Subject:Message-ID:In-Reply-To:References:X-Mailer:MIME-Version:Content-Type:Content-Transfer-Encoding;
	s=default; d=troubleshooters.com;
	b=NcS4UDB0njxNIR85LPcdTif/zNavxIlh0dpXZV6UIiPzh0fZWxc96peK87YX41gjHUItQJclFbdn1v4Xpwc1N2taprMSS+LwICYW16LqfGfbNMrmco51QckdlnWehsN9+HCsv9TOKRcqaWyN3mtdezrMd8OPfzFhw9iqPAxTGhI=;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=troubleshooters.com;
	s=default; t=1566243185; bh=thWkmgxbDuFQ3+jDXRIf0ixzviw=; l=2728;
	h=X-Originating-IP:Date:From:To:Subject:Message-ID:In-Reply-To:
	 References:X-Mailer:MIME-Version:Content-Type:
	 Content-Transfer-Encoding;
	b=L4u26Xm8NT1NF9AKETP12D8ZHE35v9pannIKiXQGvv6D71ngroa54slazIOllMPRe
	 ytJpWknPC6R4v94xLiF8F+MiwQCmogtBZU79ZV1LLSGfp6P+r0ExJ8qeCovajcspCy
	 sTPVmIbjx3bNiqbwvFmfVtlbblq2ZK+9eYjm1Cbg=
X-Originating-IP: [72.188.224.222]
In-Reply-To: <20190819120807.v4f2xe2mwjky3p2p@klumpi.ignorelist.com>
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-unknown-linux-gnu)
Xref: news.gmane.org gmane.comp.sysutils.supervision.general:2659
Archived-At: <http://permalink.gmane.org/gmane.comp.sysutils.supervision.general/2659>

On Mon, 19 Aug 2019 14:08:07 +0200
Jan Braun <janbraun@gmx.de> wrote:

> Hello list!
> 
> Yesterday, I spent way too much time chasing down a permissions
> problem caused by the fact that "chpst -u acc prog..." only sets the
> account's primary group, and ignores any supplementary groups the
> account may be a member of.
> 
> TFM mentions "All initial supplementary groups are removed.", but I
> failed to memorize that. (Also, what does "initial" signify here?)
> 
> My inability to see the issue came from the fact that all other
> similar programs (I'm aware of) do in fact add the supplementary
> groups. Watch:
> 
> | # chpst -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test)
> | # runuser -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # s6-setuidgid test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # su - test -c id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # su test -c id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # sudo -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | #
> 
> So now I'm wondering:
> What are the use cases for not applying existing supplementary groups?
> Should chpst apply them by default?
> Should chpst grow an option to (not) apply them?
>     "chpst -u acc: prog..." is still free.
> Or is everything as it's supposed to be, and people might need to
> munge the output of "getent initgroups acc" and feed it to the -u
> option?
> 
> I'll be happy to try to come up with a patch (even if it's still a
> fatter warning in the manpage) if people can agree here what the right
> thing to do is.
> 
> regards,
>     Jan

Thanks Jan,

I was having a similar problem,  and inspired by your post, I solved it
the following way, using Runit's chpst:

chpst  -u slitt:audio:disk   /tmp/test.sh

In the preceding, /tmp/test.sh was permissioned 750 owner root.audio,
and contained the following:

#!/bin/sh
whoami
cat /d/audio.group
cat /d/disk.group
groups
pwd

file /d/audio.group was 640 root.audio, while /d/disk.group was 640
root.disk. Both cat statements printed out the contents of the files,
proving that I was acting with both groups disk and audio. The output
of the whoami proved I was acting as user slitt.

You're obviously right that having all the groups slitt belongs to,
which include both disk and audio, would have been easier, but as you
say, it doesn't work right now, so I used this method for the time
being.

Thanks for helping me solve my problem.

SteveT

Steve Litt 
August 2019 featured book: Twenty Eight Tales of Troubleshooting
http://www.troubleshooters.com/28