The usability issue with the previous implementation was that the secondary groups of the specified user were not set regardless of the user or group set. Additionally, setting only a user would leave the groups that root has, which would be considered a serious security issue, as a lot of things owned by root are group-readable and writable. The method used in the SetUserGroup plugin is more consistent with how Apache and nginx set user and group, namely that the secondary groups of the user are set, and the group is always set to match the user if it isn't specified.
On Mon, Apr 27, 2015 at 8:11 AM, Jan Henning Thorsen <[email protected] > wrote: > These are the issues I know of: > > * If you only specify "user", then the workers will run with the groups of > "root". > * If you specify a "group", then the workers will only run as that group > and not all the secondary groups of the user you specified. > > > On Monday, April 27, 2015 at 10:39:57 AM UTC+2, Ludwig Nussel wrote: >> >> sri schrieb: >> > TLDR: The group assignment fix in Mojolicious 5.53 did not work out, >> > and you should now be using Mojolicious::Plugin::SetUserGroup. >> > >> > Yesterday we've been made aware that the user/group assignment feature >> > of all our built-in web servers was still not working correctly. This >> >> What was the problem exactly? >> >> cu >> Ludwig >> >> -- >> (o_ Ludwig Nussel >> //\ >> V_/_ http://www.suse.de/ >> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer >> Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) >> Maxfeldstraße 5; 90409 Nürnberg; Germany >> > -- > You received this message because you are subscribed to the Google Groups > "Mojolicious" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at http://groups.google.com/group/mojolicious. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Mojolicious" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/mojolicious. For more options, visit https://groups.google.com/d/optout.
