From: Jan Braun
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: chpst -u and supplementary groups
Date: Wed, 21 Aug 2019 05:50:41 +0200
Message-ID: <20190821035041.bhp55m5p4zjkr7wm@klumpi.ignorelist.com>
To: Laurent Bercot
Cc: "supervision@list.skarnet.org"

Laurent Bercot wrote:
> I don't think the historical behaviour is a *bug*, because the
> historical behaviour is documented and conforms to its documentation.

Well, let's say "misfeature" ;)

> It also comes from a time when supplementary groups weren't used as
> much as they are today.
>
> It's just that not having supplementary groups can defeat intuitive
> expectations when performing a group permissions check. That does not
> happen every day, but it does happen sometimes. s6-setuidgid had the
> same behaviour as setuidgid until I got bitten by that very problem,
> at which point I realized that "user identity" is not only uid and gid
> as it is for files, but also supplementary groups, and so I added
> supplementary groups support to s6-*uidgid. But it had been years
> until I found it necessary.

Ok, that's the kind of answer I was hoping for, thanks.

> So, YMMV. I'd say supplementary groups support is useful and allows
> the tool to better match user intuition, so it has value. But is it
> *mandatory* for correctness? You decide.

I don't need to decide that. :) I already knew that *I* needed
supplementary group support. The only question was whether I should
implement it in runit's source code, or by piping the output of getent
through sed, and writing "chpst -u `userid acc` prog..." in my
runscripts as a matter of habit. And now the former sounds like the
more reasonable course of action. I'll go have a look at the code...

cheers,
    Jan
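
The run-script workaround mentioned in this message (deriving the `chpst -u` argument from the account databases) could look like the sketch below. It is an added example, not part of the original message and not runit code; the function name `chpst_user_arg` and the sample accounts are made up, and it parses inline passwd/group text so that it runs offline.

```shell
#!/bin/sh
# Constructed sample data in passwd(5) / group(5) format. On a real system
# this text would come from `getent passwd` and `getent group`.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
acc:x:1001:1001:service account:/nonexistent:/bin/false'
SAMPLE_GROUP='root:x:0:
acc:x:1001:
adm:x:4:syslog,acc
video:x:44:acc,alice
accounting:x:200:alice,bob'

# chpst_user_arg USER PASSWD_TEXT GROUP_TEXT   (hypothetical helper)
# Prints "user:primarygroup[:supplementary...]", the colon-separated form
# that chpst -u accepts. Returns 1 when the user or its primary group is
# unknown, so the caller can refuse to start the service.
chpst_user_arg() {
    user=$1
    pgid=$(printf '%s\n' "$2" |
        awk -F: -v u="$user" '$1 == u { print $4; exit }')
    [ -n "$pgid" ] || return 1
    printf '%s\n' "$3" | awk -F: -v u="$user" -v pgid="$pgid" '
        $3 == pgid { primary = $1; next }     # primary group goes first
        {
            # Compare whole member names: user "acc" must not match the
            # group name "accounting" or a member such as "accx".
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == u) { supp = supp ":" $1; break }
        }
        END {
            if (primary == "") exit 1
            print u ":" primary supp
        }'
}

# In a run script (assumes getent can enumerate both databases):
#   arg=$(chpst_user_arg acc "$(getent passwd)" "$(getent group)") || exit 1
#   exec chpst -u "$arg" prog
```

Assigning the result to a variable before `exec` matters: a failed lookup inside the `exec` argument list would not stop the script, and the service would start with an empty identity argument.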