Set supplementary groups by default, allow users to modify supplementary groups #68
Comments
@sersut My opinion would be to change this issue from
That's just a semantic argument, it won't make any difference for getting it fixed.
@lamont-granquist Indeed, sorry. I started looking at this and it seems that Process.initgroups does exactly this, i.e. setting Doing this implicitly is probably the right fix but may have unintended consequences. I will prepare a PR so we can discuss this. Matt
Yeah looks simple enough on the surface of it... I don't think there's any downside to it either. It gives the process more rights than it initially had so there should only be use case where it does not fail and now succeeds. And it's not getting any rights that it shouldn't have access to, it's just getting all the rights that it has a claim to. Seems like if anyone is broken by this that it'd be an xkcd 1172.
Affected customer in 3656
In addition to the real and effective group ID of a process, every process has a list of supplementary group IDs. From the credentials(7) man page on Linux:
See the related Chef bug here: https://tickets.opscode.com/browse/CHEF-3510
Programs such as sudo and su typically set the list of supplementary groups to the groups of which the EUID is a member.
In C, the relevant system calls to modify the group list are initgroups and setgroups.
In Ruby, the group list can be modified with the Process.groups= method.
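The group handling discussed in this issue, as an added Ruby example that is not code from this project or from any participant in the thread. The names `supplementary_gids`, `group_drift` and `run_as`, and the sample group table, are hypothetical and constructed for illustration.

```ruby
require 'etc'

# Constructed sample group database (illustrative only): name, gid, members.
GroupEntry = Struct.new(:name, :gid, :mem)
SAMPLE_GROUPS = [
  GroupEntry.new('root',   0,    []),
  GroupEntry.new('docker', 998,  ['deploy']),
  GroupEntry.new('www',    33,   ['deploy', 'alice']),
  GroupEntry.new('deploy', 1001, [])
].freeze

# Read the system group database into an array of Etc::Group structs.
def system_groups
  list = []
  Etc.group { |g| list << g }
  list
end

# The list initgroups builds for a user: the primary GID plus every
# group whose member list names the user.
def supplementary_gids(user, primary_gid, groups = system_groups)
  extra = groups.select { |g| g.mem.include?(user) }.map(&:gid)
  ([primary_gid] + extra).uniq
end

# Compare a process's actual group list (e.g. Process.groups) with the
# expected one. `missing` are groups the user belongs to but the process
# lacks; `extra` are groups inherited from the parent.
def group_drift(actual, expected)
  { missing: (expected - actual).sort, extra: (actual - expected).sort }
end

# Run a block in a forked child as `user`. Must be called as root.
# Order matters: the group list and GID are set while the process is
# still root, because it may not change them once the UID is dropped.
def run_as(user)
  pw = Etc.getpwnam(user)
  pid = fork do
    Process.initgroups(pw.name, pw.gid) # replaces the inherited list
    Process::GID.change_privilege(pw.gid)
    Process::UID.change_privilege(pw.uid)
    yield
  end
  Process.wait(pid)
  $?.exitstatus
end
```

Without the `Process.initgroups` call, the child started by `run_as` keeps the parent's supplementary group list, which `group_drift(Process.groups, expected)` reports as both `missing` and `extra` entries.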