Re: chpst -u and supplementary groups

From: Laurent Bercot <ska-supervision_at_skarnet.org>
Date: Tue, 20 Aug 2019 18:21:09 +0000

>Yes. Apparently everyone re-implementing daemontools does something like
>this. So that brings me back to my original question: is there consensus
>that the historical behaviour is a bug? Or are there valid use cases¹?

  I don't think the historical behaviour is a *bug*, because the
historical behaviour is documented and conforms to its documentation.
It also comes from a time when supplementary groups weren't used as
much as they are today.

  It's just that not having supplementary groups can defeat intuitive
expectations when performing a group permissions check. That does not
happen every day, but it does happen sometimes. s6-setuidgid had the
same behaviour as setuidgid until I got bitten by that very problem,
at which point I realized that "user identity" is not only uid and gid
as it is for files, but also supplementary groups, and so I added
supplementary groups support to s6-*uidgid. But it had been years
until I found it necessary.

  So, YMMV. I'd say supplementary groups support is useful and allows
the tool to better match user intuition, so it has value. But is it
*mandatory* for correctness? You decide.

--
  Laurent
Received on Tue Aug 20 2019 - 18:21:09 UTC
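
Added example, not part of the original message and not code from daemontools, runit or s6: a C sketch of the two ways of dropping from root to a user that the message contrasts, one installing only the primary gid and one also loading the user's supplementary groups. The names drop_to and has_group are hypothetical; the historical-style branch assumes that behaviour amounts to setting a group list containing only the primary gid.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if gid is the effective gid or one of the supplementary groups of
 * this process, i.e. a group permission check on it can succeed.
 * If the list does not fit, only the effective gid is considered. */
int has_group(gid_t gid)
{
    gid_t list[1024];
    int n = getgroups(1024, list);
    if (gid == getegid()) return 1;
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* Drop from root to `user` (hypothetical helper).
 * keep_supp = 0: group list becomes just the primary gid.
 * keep_supp = 1: group list is loaded from the group database.
 * Returns 0 on success, -1 on any failure. */
int drop_to(const char *user, int keep_supp)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    gid_t gid = pw->pw_gid;
    /* Changing groups needs root, so it must happen before setuid(). */
    if (keep_supp ? initgroups(user, gid) : setgroups(1, &gid)) return -1;
    if (setgid(gid) || setuid(pw->pw_uid)) return -1;
    /* A drop that can be undone is not a drop: regaining root must fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 4) { fprintf(stderr, "usage: %s user 0|1 gid\n", argv[0]); return 2; }
    if (drop_to(argv[1], argv[2][0] == '1')) { perror("drop_to"); return 1; }
    gid_t probe = (gid_t)strtoul(argv[3], NULL, 10);
    printf("uid=%lu gid=%lu, gid %lu in credentials: %s\n",
           (unsigned long)getuid(), (unsigned long)getgid(),
           (unsigned long)probe, has_group(probe) ? "yes" : "no");
    return 0;
}
```

Run as root with a user name, 0 or 1, and the numeric gid of a group the user belongs to only through the group database: the last field reads "no" with 0 and "yes" with 1.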