https://github.com/python/cpython/commit/a1cf4430ed89ec702528ef074138c407ccf89946
commit: a1cf4430ed89ec702528ef074138c407ccf89946
branch: main
author: Gregory P. Smith <[email protected]>
committer: gpshead <[email protected]>
date: 2026-04-05T11:07:07-07:00
summary:
gh-94632: document the subprocess need for extra_groups=() with user=
(GH-148129)
files:
M Doc/library/subprocess.rst
diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst
index 9e261a0ca03902..fe64daa3291d67 100644
--- a/Doc/library/subprocess.rst
+++ b/Doc/library/subprocess.rst
@@ -627,6 +627,12 @@ functions.
the value in ``pw_uid`` will be used. If the value is an integer, it will
be passed verbatim. (POSIX only)
+ .. note::
+
+ Specifying *user* will not drop existing supplementary group memberships!
+ The caller must also pass ``extra_groups=()`` to reduce the group
membership
+ of the child process for security purposes.
+
.. availability:: POSIX
.. versionadded:: 3.9