On Thu, Oct 11, 2018 at 09:51:34AM +0300, Aki Tuomi wrote: > > Looking at the source, I see this is handled in > > src/lib/restrict-access.c::fix_groups_list(), > > where above the call to setgroups() a gid_list2 is constructed. I > > wonder if one could > > have a config option to prevent adding all those extra groups, which > > then make the > > call to setgroups() fail > Not trivially. We would need to know which groups to drop and which not.
Looking at id output id uid=501(hwr) gid=20(staff) groups=20(staff),6(mail),12(everyone),61(localaccounts),80(admin),98(_lpadmin),500(users),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),30(_keytabusers),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),103(com.apple.access_screensharing-disabled),104(com.apple.access_ssh-disabled) it seems that all the com.apple ones can easily be dropped. What about a config list, that the admin can set with a list of gids, that can be dropped/are not added to gid_list2 ? Heiko
