On Mon, Aug 19, 2019 at 5:08 AM Jan Braun <[email protected]> wrote:
>
> Hello list!
>
> Yesterday, I spent way too much time chasing down a permissions problem
> caused by the fact that "chpst -u acc prog..." only sets the account's
> primary group, and ignores any supplementary groups the account may be a
> member of.
>
> TFM mentions "All initial supplementary groups are removed.", but I
> failed to memorize that. (Also, what does "initial" signify here?)
>
> My inability to see the issue came from the fact that all other similar
> programs (I'm aware of) do in fact add the supplementary groups. Watch:
>
> | # chpst -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test)
> | # runuser -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # s6-setuidgid test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # su - test -c id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # su test -c id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | # sudo -u test id
> | uid=1003(test) gid=1003(test) groups=1003(test),4(adm)
> | #
Most of these (su, sudo, runuser) go through PAM. su and sudo are primarily
targeted at interactive use.

I found another outlier, Google's minijail0:

/ # chpst -u cameronnemo /usr/bin/id
uid=1000(cameronnemo) gid=1000(cameronnemo) grupos=1000(cameronnemo)
/ # minijail0 -u cameronnemo /usr/bin/id
uid=1000(cameronnemo) gid=0(root) grupos=0(root)
/ # minijail0 -u cameronnemo -g cameronnemo /usr/bin/id
uid=1000(cameronnemo) gid=1000(cameronnemo) grupos=1000(cameronnemo)

>
> So now I'm wondering:
> What are the use cases for not applying existing supplementary groups?

It requires additional fact finding by what amounts to a shim between the
OS and the service. Use cases are questionable -- why is a login session
not more suitable? Workarounds and other options exist, as demonstrated
above.

> Should chpst apply them by default?

I would rather it not.

> Should chpst grow an option to (not) apply them?

Depends on the implementation.

>
> "chpst -u acc: prog..." is still free.
> Or is everything as it's supposed to be, and people might need to munge
> the output of "getent initgroups acc" and feed it to the -u option?

Yeah let's not do this. A good implementation is possible, and has been
done.

> I'll be happy to try to come up with a patch (even if it's still a
> fatter warning in the manpage) if people can agree here what the right
> thing to do is.

Nobody maintains runit, so who is taking this patch?

> regards,
> Jan

Cheers,
Cameron
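The two behaviours compared in this thread (chpst keeping only the primary group versus su/sudo/s6-setuidgid applying the account's supplementary groups) come down to one call: setgroups(2) with a single gid versus initgroups(3). The following is an added example, not runit or chpst code, of a small setuidgid-style wrapper that lets the caller choose between the two and fails closed if the privilege drop does not stick; the `-G` flag and the function names are this example's own.

```c
/* Added example (not runit code): drop privileges to a named account, either
 * clearing supplementary groups (what "chpst -u acc" does) or applying the
 * account's supplementary groups (what su, sudo and s6-setuidgid do). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* List the account's primary + supplementary gids via getgrouplist(3).
 * Needs no privilege, so it can be used to audit what a service would get.
 * Returns the count, or -1 on unknown user or a too-small buffer. */
int user_groups(const char *name, gid_t *buf, int cap) {
    struct passwd *pw = getpwnam(name);
    if (!pw) return -1;
    int n = cap;
    if (getgrouplist(name, pw->pw_gid, buf, &n) == -1) return -1;
    return n;
}

/* Switch to the account. Order matters: groups first (while still root),
 * then gid, then uid; finally verify that root cannot be regained. */
int drop_to_user(const char *name, int keep_supplementary) {
    struct passwd *pw = getpwnam(name);
    if (!pw) { errno = ENOENT; return -1; }
    if (keep_supplementary) {
        if (initgroups(name, pw->pw_gid) != 0) return -1;
    } else {
        /* chpst-style: the gid list is exactly one entry, the primary group */
        if (setgroups(1, &pw->pw_gid) != 0) return -1;
    }
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* Fail closed: after a real drop, setuid(0) must be refused. */
    if (pw->pw_uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv) {
    int keep = argc > 2 && strcmp(argv[1], "-G") == 0;  /* -G: keep supplementary groups */
    if (argc < 3 + keep) { fprintf(stderr, "usage: %s [-G] user cmd...\n", argv[0]); return 2; }
    if (drop_to_user(argv[1 + keep], keep) != 0) { perror("drop_to_user"); return 111; }
    execvp(argv[2 + keep], argv + 2 + keep);
    perror("execvp");
    return 111;
}
```

Run as root, `./setuidgid test id` reproduces the chpst output above (primary group only) and `./setuidgid -G test id` the su/sudo output (supplementary groups included); `user_groups()` can be called unprivileged to see which groups a service account would receive before deploying a run script.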
