Cameron Nemo wrote:
> Most of these (su, sudo, runuser) go through PAM.
> su and sudo are primarily targeted at interactive use.

As a shell junkie, I don't subscribe to the viewpoint that there's a measurable difference between "interactive use" and "scripting". ;)

> > So now I'm wondering:
> > What are the use cases for not applying existing supplementary groups?
> It requires additional fact finding by what amounts to a shim between
> the OS and the service.

That's not a use case, that's just the KISS software design principle. But are there actually reasons for wanting to *avoid* a user's supplementary groups, implementation issues aside?

> Use cases are questionable -- why is a login session not more suitable?

I'm sorry, I don't understand. What's a login session?

> Yeah let's not do this. A good implementation is possible, and has been done.
> > [...]
> > Nobody maintains runit, so who is taking this patch?

Dmitry Bogatov has been quite active in runit integration for Debian during the last year or so.

This is what vexes me about the daemontools family. Apparently it's so easy to reimplement them that people keep doing that. Instead of working together to get one implementation polished enough to make a big unix distro use it by default.

cheers,
Jan