On Tue, Jul 03, 2012 at 02:51:38PM -0600, Wouter Verhelst wrote:
> On Thu, Jun 28, 2012 at 04:19:17AM +0400, Dmitry V. Levin wrote:
> > On Thu, Jun 28, 2012 at 01:15:52AM +0200, Wouter Verhelst wrote:
> > > On Mon, Jun 25, 2012 at 03:32:55AM +0400, Dmitry V. Levin wrote:
> > > > Before this change, there was no way to clear or change supplementary
> > > > groups at all, which is usually required to be done along with changing
> > > > UID and GID.  This change introduces a new global config boolean option
> > > > "setgroups" and enables it by default.  When this option is set to true,
> > > > - "group" option will additionally clear the list of supplementary
> > > >   groups;
> > > 
> > > This is sensible, I suppose.
> > > 
> > > > - unless "group" option is specified, "user" option will additionally
> > > >   change both GID and the list of supplementary groups to those defined
> > > >   by the given user name.
> > > 
> > > I'm not sure about that one; I think setting a group based on an option
> > > called "user" -- if there is no option "group" specified -- is going to
> > > be counterintuitive.
> > 
> > From my PoV, switching UID without switching GID and supplementary groups
> > hardly makes practical sense, so it is most likely a configuration error
> > rather than a conscious decision.
> 
> That's not the experience I've had with most daemons. I also disagree
> that this is useless; I've had situations where not switching the group
> made some sense.

Unfortunately, in situations where nbd-server processes are running with a
privileged group id and a full set of supplementary groups, these
processes usually would have write access to many more files than one
would like to allow them.

> Additionally, this changes current behaviour, which I think is even
> worse than bad defaults.
> 
> So I'm going to NAK this, I'm afraid.

Would it be acceptable to introduce the same "setgroups" option with the
same semantics but not enabled by default?


-- 
ldv
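
The option semantics debated in this thread, written out as an added example; it is not code from the patch or from nbd-server. The names `plan_drop`, `apply_plan` and `struct drop_plan` are hypothetical, and the behaviour with "setgroups" disabled ("user" changes only the UID, "group" only the GID) is an assumption drawn from the patch description.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes setgroups() and initgroups() */
#endif
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

enum groups_action { GROUPS_KEEP, GROUPS_CLEAR, GROUPS_FROM_USER };

struct drop_plan {               /* hypothetical helper type */
    int set_uid, set_gid;
    uid_t uid;
    gid_t gid;
    enum groups_action groups;
    const char *user;            /* needed by initgroups() */
};

/* pw == NULL: no "user" option; gr == NULL: no "group" option. */
struct drop_plan plan_drop(const struct passwd *pw, const struct group *gr,
                           int setgroups_opt)
{
    struct drop_plan p = { 0, 0, 0, 0, GROUPS_KEEP, NULL };
    if (pw) { p.set_uid = 1; p.uid = pw->pw_uid; p.user = pw->pw_name; }
    if (gr) {                    /* "group" given: set GID, clear the list */
        p.set_gid = 1; p.gid = gr->gr_gid;
        if (setgroups_opt) p.groups = GROUPS_CLEAR;
    } else if (pw && setgroups_opt) {   /* "user" only: take its groups */
        p.set_gid = 1; p.gid = pw->pw_gid;
        p.groups = GROUPS_FROM_USER;
    }
    return p;
}

/* Order matters: supplementary groups, then GID, then UID, because the
 * first two calls need the privilege that setuid() gives away.
 * Returns 0 on success, -1 on the first failure (the caller should exit). */
int apply_plan(const struct drop_plan *p)
{
    if (p->groups == GROUPS_CLEAR && setgroups(0, NULL) != 0) return -1;
    if (p->groups == GROUPS_FROM_USER && initgroups(p->user, p->gid) != 0)
        return -1;
    if (p->set_gid && setgid(p->gid) != 0) return -1;
    if (p->set_uid && setuid(p->uid) != 0) return -1;
    /* A completed drop must be irreversible: regaining root has to fail. */
    if (p->set_uid && p->uid != 0 && setuid(0) == 0) return -1;
    return 0;
}
```

With "setgroups" off and only "user" given, the plan leaves `groups` at `GROUPS_KEEP` and the GID untouched, which is the case the reply above describes: the process keeps the launching account's group id and supplementary groups.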


_______________________________________________
Nbd-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nbd-general