Follow-up Comment #4, bug #10384 (project coreutils):

That's an option, certainly, and if the default is to remove supplementary groups, it's pretty safe.
Another option is to call getgroups(), but then you need to decide whether to call it before chroot (when things like any necessary LDAP config files are around) or after the chroot (since perhaps the chroot environment contains a different /etc/groups file).

In general this problem doesn't arise for people who do

    chroot /blah /bin/su - fred

because while su picks up the group configuration somewhere in /blah, it's also linked against the libraries in /blah which presumably know how to handle it.

Hence I think something like your suggestion is probably the best choice even though some users might prefer the groups to be selected automatically.

I'm not sure about the user-interface choice of specifying group information in two places (the rhs of --userspec and also in --groups) but I can't think right now of a solution which is both sufficiently general and actually better. For example, saying --userspec=user:egid,group2,group3 seems initially reasonable but (a) doesn't allow the user to specify a configuration where the egid is not in the supplementary group list and (b) probably isn't supported by the parsing function you called.

Therefore I think I'm voting for your "--groups" suggestion.

Reply to this item at: <http://savannah.gnu.org/bugs/?10384>
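The privilege-drop ordering behind this discussion, as an added C sketch that is not coreutils code and not part of the original message: an explicit group list is parsed without any name lookup, then applied after chroot() and before the uid change, and the egid need not appear in the list. The names parse_gid_list and chroot_and_drop are hypothetical, and accepting numeric gids only is an assumption of the sketch.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse an explicit list such as "10,20,30". Numeric gids only (an assumption
   of this sketch), so no /etc/group or LDAP lookup is needed on either side
   of the chroot. Returns the count, or -1 on bad input. "" yields 0, which
   means: remove all supplementary groups. */
int parse_gid_list(const char *s, gid_t *out, int max)
{
    int n = 0;
    while (*s) {
        char *end;
        if (*s < '0' || *s > '9' || n == max)
            return -1;                      /* sign, space, empty item, list too long */
        errno = 0;
        unsigned long v = strtoul(s, &end, 10);
        if (errno || v > 0xfffffffeUL)      /* (gid_t)-1 is reserved */
            return -1;
        if (*end != '\0' && (*end != ',' || end[1] == '\0'))
            return -1;                      /* junk or trailing comma */
        out[n++] = (gid_t)v;
        s = (*end == ',') ? end + 1 : end;
    }
    return n;
}

/* Hypothetical helper: enter the chroot, then drop to uid/gid with exactly
   the given supplementary groups. setgroups() and setgid() need privilege,
   so both run before setuid() gives it up. Must be called as root. */
int chroot_and_drop(const char *root, uid_t uid, gid_t gid,
                    const gid_t *groups, int ngroups)
{
    if (chroot(root) != 0 || chdir("/") != 0) return -1;
    if (setgroups((size_t)ngroups, groups) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* drop must be irreversible */
    return 0;
}

int main(int argc, char **argv)
{
    gid_t g[64];
    int n = parse_gid_list(argc > 1 ? argv[1] : "", g, 64);
    printf("%d supplementary group(s) parsed\n", n);
    return n < 0;
}
```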