From: Bougy Man
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: chpst -u and supplementary groups
Date: Mon, 19 Aug 2019 17:06:58 -0500
To: supervision@list.skarnet.org
In-Reply-To: <20190819120807.v4f2xe2mwjky3p2p@klumpi.ignorelist.com>

When I need this functionality, I generally use
`groups=$(id -G|sed -e 's/\s/:/g')` then `chpst -u myuser:$groups` for the
command line. This is almost always just for processes I want to run as my
own user, so it's a rarity.

Tj

On Mon, Aug 19, 2019 at 7:08 AM Jan Braun wrote:

> Hello list!
>
> Yesterday, I spent way too much time chasing down a permissions problem
> caused by the fact that "chpst -u acc prog..." only sets the account's
> primary group, and ignores any supplementary groups the account may be a
> member of.
>
> TFM mentions "All initial supplementary groups are removed.", but I
> failed to memorize that. (Also, what does "initial" signify here?)
>
> My inability to see the issue came from the fact that all other similar
> programs (I'm aware of) do in fact add the supplementary groups. Watch:
>
> | # chpst -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test)
> | # runuser -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # s6-setuidgid test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # su - test -c id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # su test -c id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # sudo -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | #
>
> So now I'm wondering:
> What are the use cases for not applying existing supplementary groups?
> Should chpst apply them by default?
> Should chpst grow an option to (not) apply them?
> "chpst -u acc: prog..." is still free.
> Or is everything as it's supposed to be, and people might need to munge
> the output of "getent initgroups acc" and feed it to the -u option?
>
> I'll be happy to try to come up with a patch (even if it's still a
> fatter warning in the manpage) if people can agree here what the right
> thing to do is.
>
> regards,
> Jan
>
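
The group-munging step discussed in this thread, as an added example that is not part of either message and is not runit's own code: it turns one line of id(1) output into an explicit `chpst -u` argument that lists the supplementary groups. The function names `chpst_u_arg_from_id` and `run_with_groups` are hypothetical, the sample line is the `id` output quoted above, and the leading-colon numeric form of `-u` is taken from chpst(8).

```shell
#!/bin/sh
# Added example: keep an account's supplementary groups under "chpst -u"
# by passing them explicitly. Helper names are hypothetical.

# Sample input: the id(1) line for account "test" quoted in the thread.
SAMPLE_ID_LINE='uid=1003(test) gid=1003(test) groups=1003(test),4(adm)'

# chpst_u_arg_from_id LINE
# Prints ":uid:gid[:gid...]" with the primary gid first. The leading colon
# tells chpst to treat every field as a numeric id instead of a name.
# Returns 1 without printing anything if LINE is not id(1) output.
chpst_u_arg_from_id() {
    # Drop the "(name)" parts so that only numeric ids remain.
    clean=$(printf '%s\n' "$1" | sed 's/([^)]*)//g')
    uid=$(printf '%s\n' "$clean" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p')
    gid=$(printf '%s\n' "$clean" | sed -n 's/.* gid=\([0-9][0-9]*\).*/\1/p')
    supp=$(printf '%s\n' "$clean" | sed -n 's/.* groups=\([0-9,]*\).*/\1/p')
    [ -n "$uid" ] && [ -n "$gid" ] || return 1

    arg=":$uid:$gid"
    old_ifs=$IFS
    IFS=,
    for g in $supp; do
        # Skip empty fields and the primary gid, which is already listed.
        [ -n "$g" ] && [ "$g" != "$gid" ] && arg="$arg:$g"
    done
    IFS=$old_ifs
    printf '%s\n' "$arg"
}

# run_with_groups ACCOUNT PROG [ARGS...]
# Looks up ACCOUNT with id(1) and execs PROG under chpst with the same
# uid, gid and supplementary groups. Refuses to run if the lookup fails,
# so PROG never starts with the caller's own credentials.
run_with_groups() {
    acc=$1
    shift
    arg=$(chpst_u_arg_from_id "$(id "$acc")") || {
        echo "cannot resolve groups for $acc" >&2
        return 1
    }
    exec chpst -u "$arg" "$@"
}

# Stand-alone run: show the argument for the thread's sample account.
chpst_u_arg_from_id "$SAMPLE_ID_LINE"
```

The group list is a snapshot taken when the service starts: a later change to the account's group membership only takes effect after a restart.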