From mboxrd@z Thu Jan 1 00:00:00 1970
From: Cameron Nemo
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: chpst -u and supplementary groups
Date: Tue, 20 Aug 2019 11:25:30 -0700
References: <20190819120807.v4f2xe2mwjky3p2p@klumpi.ignorelist.com>
In-Reply-To: <20190819120807.v4f2xe2mwjky3p2p@klumpi.ignorelist.com>
To: supervision@list.skarnet.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

On Mon, Aug 19, 2019 at 5:08 AM Jan Braun wrote:
>
> Hello list!
>
> Yesterday, I spent way too much time chasing down a permissions problem
> caused by the fact that "chpst -u acc prog..." only sets the account's
> primary group, and ignores any supplementary groups the account may be a
> member of.
>
> TFM mentions "All initial supplementary groups are removed.", but I
> failed to memorize that. (Also, what does "initial" signify here?)
>
> My inability to see the issue came from the fact that all other similar
> programs (I'm aware of) do in fact add the supplementary groups.
> Watch:
>
> | # chpst -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test)
> | # runuser -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # s6-setuidgid test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # su - test -c id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # su test -c id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # sudo -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | #

Most of these (su, sudo, runuser) go through PAM. su and sudo are
primarily targeted at interactive use.

I found another outlier, Google's minijail0:

/ # chpst -u cameronnemo /usr/bin/id
uid=1000(cameronnemo) gid=1000(cameronnemo) grupos=1000(cameronnemo)
/ # minijail0 -u cameronnemo /usr/bin/id
uid=1000(cameronnemo) gid=0(root) grupos=0(root)
/ # minijail0 -u cameronnemo -g cameronnemo /usr/bin/id
uid=1000(cameronnemo) gid=1000(cameronnemo) grupos=1000(cameronnemo)

> So now I'm wondering:
> What are the use cases for not applying existing supplementary groups?

It requires additional fact finding by what amounts to a shim between the
OS and the service. Use cases are questionable -- why is a login session
not more suitable? Workarounds and other options exist, as demonstrated
above.

> Should chpst apply them by default?

I would rather it not.

> Should chpst grow an option to (not) apply them?

Depends on the implementation.

> "chpst -u acc: prog..." is still free.
> Or is everything as it's supposed to be, and people might need to munge
> the output of "getent initgroups acc" and feed it to the -u option?

Yeah let's not do this. A good implementation is possible, and has been done.

> I'll be happy to try to come up with a patch (even if it's still a
> fatter warning in the manpage) if people can agree here what the right
> thing to do is.

Nobody maintains runit, so who is taking this patch?

> regards,
> Jan

Cheers,
Cameron
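Both halves of the thread above (Jan's observation that "chpst -u acc" leaves the account with only its primary group, and Cameron's remark that a good implementation is possible) come down to which list is handed to setgroups(2) before the uid is dropped. The following is an added example written for this page, not code from runit, s6 or any poster: a minimal setuidgid-style wrapper that accepts either an account name, resolved the initgroups(3) way that s6-setuidgid, runuser and su produce in the listings above, or chpst's numeric ":uid:gid[:gid...]" form, where the first gid is the primary group and the whole list becomes the supplementary set. The function names, the 64-group limit and the assumption that getgrouplist() puts the primary gid first (true on glibc and musl) are mine.

```c
/* Added example: a tiny setuidgid wrapper showing name resolution with
 * initgroups(3) semantics versus a numeric chpst-style spec, and the drop
 * order a supervisor must follow.  Not runit's or s6's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GIDS 64              /* assumed limit, not chpst's */

struct ids {
    uid_t uid;
    gid_t gids[MAX_GIDS];        /* gids[0] is the primary group */
    int   ngids;                 /* whole array goes to setgroups(2) */
};

/* Read one decimal field ending at ':' or end of string; consumes the ':'.
 * Returns -1 on an empty, non-numeric or overflowing field. */
static int next_field(const char **p, unsigned long *v)
{
    const char *s = *p;
    unsigned long n = 0;
    if (*s < '0' || *s > '9') return -1;
    for (; *s >= '0' && *s <= '9'; s++) {
        unsigned long d = (unsigned long)(*s - '0');
        if (n > (ULONG_MAX - d) / 10) return -1;
        n = n * 10 + d;
    }
    if (n > 0xffffffffUL) return -1;   /* does not fit a 32-bit uid_t/gid_t */
    if (*s == ':') s++;
    else if (*s != '\0') return -1;
    *p = s;
    *v = n;
    return 0;
}

/* Parse "uid:gid[:gid...]" (chpst's -u form after the leading colon).
 * Rejects empty fields, trailing colons and a missing primary gid. */
static int parse_numeric_spec(const char *spec, struct ids *out)
{
    const char *p = spec;
    unsigned long v;
    int field = 0;

    memset(out, 0, sizeof *out);
    for (;;) {
        if (next_field(&p, &v) < 0) return -1;
        if (field == 0) out->uid = (uid_t)v;
        else if (out->ngids < MAX_GIDS) out->gids[out->ngids++] = (gid_t)v;
        else return -1;
        field++;
        if (p[-1] != ':') break;       /* stopped at end of string */
        /* a ':' was consumed, so another field must follow */
    }
    return field >= 2 ? 0 : -1;
}

/* Resolve an account the way initgroups(3) does: uid and primary gid from
 * passwd, supplementary groups from the group database.  This is what
 * s6-setuidgid gives you and what "chpst -u name" leaves out. */
static int resolve_account(const char *name, struct ids *out)
{
    struct passwd *pw = getpwnam(name);
    int n = MAX_GIDS;
    if (!pw) return -1;
    memset(out, 0, sizeof *out);
    out->uid = pw->pw_uid;
    /* glibc/musl place pw_gid at index 0; -1 means more than MAX_GIDS groups */
    if (getgrouplist(name, pw->pw_gid, out->gids, &n) < 0) return -1;
    out->ngids = n;
    return 0;
}

/* Drop in the only workable order: supplementary groups (needs CAP_SETGID),
 * then primary gid, then uid; after setuid() the first two are no longer
 * permitted.  Ends by checking the drop cannot be undone. */
static int drop_to(const struct ids *ids)
{
    if (setgroups((size_t)ids->ngids, ids->gids) < 0) return -1;
    if (setgid(ids->gids[0]) < 0) return -1;
    if (setuid(ids->uid) < 0) return -1;
    if (ids->uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;                 /* saved uid still root: not a real drop */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    struct ids ids;
    int r;
    if (argc < 3) {
        fprintf(stderr, "usage: %s [:]uid:gid[:gid...]|account prog [args]\n", argv[0]);
        return 2;
    }
    /* same convention as chpst: leading colon means numeric ids */
    r = argv[1][0] == ':' ? parse_numeric_spec(argv[1] + 1, &ids)
                          : resolve_account(argv[1], &ids);
    if (r < 0) { fprintf(stderr, "cannot resolve %s\n", argv[1]); return 111; }
    if (drop_to(&ids) < 0) { perror("drop_to"); return 111; }
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 111;
}
```

Run as root, "./wrap test id" reproduces the s6-setuidgid line from the listing and "./wrap :1003:1003 id" reproduces the chpst line; the difference is only what ends up in gids[]. For a service that is already running, the authoritative check is not the run script but the kernel's view: the "Groups:" line of /proc/PID/status lists exactly what setgroups(2) left behind.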