On 19/12/18 at 00:28, Francesco Poli wrote:
On Tue, 18 Dec 2018 10:18:56 +0100 Laurent Bigonville wrote:
[...]
Hi,
Hello Laurent,
thanks for asking the question and suggesting an alternative to s6.
I'm not too sure why you want to use s6-setuidgid (that requires an
extra package to be installed) when you have runuser tool that exists
precisely for this reason. runuser is available in the util-linux
package for quite some time already.
The fact is that, AFAIK, runuser seems to be equivalent to su, which is
not fit to *drop* root privileges (see the [web page] cited in
the commit).
[web page]:<https://jdebp.eu/FGA/dont-abuse-su-for-dropping-privileges.html>
I can agree that su might not be the correct way of doing this mainly
because the su pam service file is doing historically a lot of things.
OTOH, runuser pam service is doing the strict minimum on purpose (i.e.
setting the limits based on the configuration and cleaning the kernel
keyring).
And even if you think that runuser shouldn't be used, I still think that
apt-listbugs shouldn't pull s6 and what you are trying to do here can
perfectly be done in pure Ruby without the call to an external program
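
A sketch of what a pure-Ruby privilege drop can look like, added here as an illustration; it is not part of the original message and is not apt-listbugs code. The method names `resolve_target` and `drop_privileges` are hypothetical, and the target account name is assumed to be supplied by the caller.

```ruby
require 'etc'

# Look up the target account and refuse uid 0, which would not be a drop.
def resolve_target(user)
  pw = Etc.getpwnam(user) # raises ArgumentError if the user is unknown
  raise ArgumentError, "refusing to 'drop' to uid 0 (#{user})" if pw.uid.zero?
  pw
end

# Permanently switch the current process to `user`.
# Returns :not_root when there is nothing to drop, :dropped on success.
def drop_privileges(user)
  return :not_root unless Process.euid.zero?
  pw = resolve_target(user)

  # Order matters: supplementary groups and gid must change while the
  # process is still root; after the uid change it can no longer do so.
  Process.initgroups(pw.name, pw.gid)
  Process::GID.change_privilege(pw.gid) # real, effective and saved gid
  Process::UID.change_privilege(pw.uid) # real, effective and saved uid

  # Verify the drop is irreversible: regaining uid 0 must fail.
  begin
    Process::UID.change_privilege(0)
  rescue SystemCallError
    # expected (EPERM): root cannot be regained
  else
    abort 'privilege drop failed: uid 0 could be regained'
  end
  unless Process.uid == pw.uid && Process.euid == pw.uid &&
         Process.gid == pw.gid && Process.egid == pw.gid
    abort 'privilege drop failed: unexpected ids after change'
  end

  # Point the environment at the new account, not at root's home.
  ENV.update('HOME' => pw.dir, 'USER' => pw.name, 'LOGNAME' => pw.name)
  :dropped
end
```

Because the change is permanent for the calling process, a program that still needs root afterwards would call `drop_privileges` in a forked child and exec the unprivileged command there.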