From: Jan Braun
To: Cameron Nemo
Cc: supervision@list.skarnet.org
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: chpst -u and supplementary groups
Date: Wed, 21 Aug 2019 05:22:10 +0200
Message-ID: <20190821032210.x3uhqf7clohlikxv@klumpi.ignorelist.com>
References: <20190819120807.v4f2xe2mwjky3p2p@klumpi.ignorelist.com>

Cameron Nemo wrote:
> Most of these (su, sudo, runuser) go through PAM.
> su and sudo are primarily targeted at interactive use.

As a shell junkie, I don't subscribe to the viewpoint that there's a
measurable difference between "interactive use" and "scripting". ;)

> > So now I'm wondering:
> > What are the use cases for not applying existing supplementary groups?
> It requires additional fact finding by what amounts to a shim between
> the OS and the service.

That's not a use case, that's just the KISS software design principle.
But are there actually reasons for wanting to *avoid* a user's
supplementary groups, implementation issues aside?

> Use cases are questionable -- why is a login session not more suitable?

I'm sorry, I don't understand. What's a login session?

> Yeah let's not do this. A good implementation is possible, and has been done.
>
> [...]
>
> Nobody maintains runit, so who is taking this patch?

Dmitry Bogatov has been quite active in runit integration for Debian
during the last year or so.

This is what vexes me about the daemontools family. Apparently it's so
easy to reimplement them that people keep doing that. Instead of working
together to get one implementation polished enough to make a big unix
distro use it by default.

cheers,
    Jan