Partial answer, I don't know all the details...
We are all taught in school that each unix user belongs to to a certain
number of groups, and that is defined in /etc/passwd.
That's kinda true, but it's an oversimplification.
Each PROCESS has a user and a set of groups. Those groups are set when
login (or whoever does the login process) switch
from running as root to running as your user. At that point, it will
explicitely read /etc/passwd, set the correct groups then
switch to the final UID (which can't change groups anymore)
This is the normal process when you login, but its a convention, not
something that is enforced by the kernel.
IIUC systemd does not do that for services. Services only have a UID, a
main GID but no supplementary GIDs.
Supplementary GID must be set explicitely with SupplementaryGroups= in
[Service] They won't be read from /etc/passwd
That's my understanding, at least, someone else might know better...
HTH
Jérémy
On 15/06/2018 06:35, aleivag wrote:
hi systemd'ers , i'm sure this is known, but for the life of me i cant
seems to know why.
tldr; aparently i loose all auxiliary groups of root when i execute a unit.
i'll explain (i try this on v238).
when i'm logged in as root, and i execute `id` i get all the groups that
root belong to. but when i do the same in a systemd unit (e.g. under a
transien unit, a la systemd-run) i loose all groups. i suspect that this is
because the getgroups system call returns a different value, but for the
life of me, i don't know why or how. i'll show
on my normal bash
```
[homex ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
```
i get all the groups, but if i run it with systemd-run
```
[homex ~]# systemd-run --pty id
Running as unit: run-u207.service
Press ^] three times within 1s to disconnect TTY.
uid=0(root) gid=0(root) groups=0(root)
```
the only group i see is root, now for the semi weird part, if i execute `id
root`, i do get all the groups
```
[homex ~]# systemd-run --pty id root
Running as unit: run-u220.service
Press ^] three times within 1s to disconnect TTY.
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
```
this is because getgroups return a diferent value if i'm in the unit or
logged in
```
[homex ~]# strace id 2>&1 | grep getgroups
getgroups(0, NULL) = 8
getgroups(8, [0, 1, 2, 3, 4, 6, 10, 19]) = 8
[homex ~]# systemd-run --pty strace id 2>&1 | grep getgroups
getgroups(0, NULL) = 0
getgroups(0, []) = 0
```
and the reson why i gett all the groups when i execute `id root`, is
because that does not ask for groups, but call libnss instead
```
[homex ~]# systemd-run --pty strace id root 2>&1 | grep getgroups
[homex ~]# systemd-run --pty strace id root 2>&1 | grep libnss
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_mymachines.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = 3
```
i guess i just wanna understand why this is, why this system call return
different values if i'm in bash or if i'm in a unit.
thanks guys!
Alvaro Leiva Geisse
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
SMILE <http://www.smile.eu/>
20 rue des Jardins
92600 Asnières-sur-Seine
*Jérémy ROSEN*
Architecte technique
Responsable de l'expertise Smile-ECS
email jeremy.ro...@smile.fr <mailto:jeremy.ro...@smile.fr>
phone +33141402967
url http://www.smile.eu
Twitter <https://twitter.com/GroupeSmile> Facebook
<https://www.facebook.com/smileopensource> LinkedIn
<https://www.linkedin.com/company/smile> Github
<https://github.com/Smile-SA>
Découvrez l’univers Smile, rendez-vous sur smile.eu
<http://smile.eu/?utm_source=signature&utm_medium=email&utm_campaign=signature>
eco Pour la planète, n'imprimez ce mail que si c'est nécessaire
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
