Hi,
chpst currently drops any supplementary group of given user, as stated in
runit/chpst.c:
> //usage: "Set uid and gid to USER's uid and gid, drop supplementary
> group ids,\n"
and at http://smarden.org/runit/chpst.8.html :
> All initial supplementary groups are removed.
Unfortunately chpst doesn't support specifying multiple groups manually (-u
user:group1:group2:group3), which is allowed according to
http://smarden.org/runit/chpst.8.html .
So currently there seems to be no way to launch a service using "runit" tools
if the service needs multiple gids in order to have all necessary privileges
granted. One can resort to the "su" applet, but it has disadvantages, like the need
to invoke a shell as an intermediary.
My proposal is to change the interpretation of chpst's -u option a bit:
- if there is just USER given, no GRP - the list of supplementary groups should
be applied as well, not just the primary group (this is what I would expect
from any tool told to "run something as user X")
- if there is USER:GRP given - use only gid of given group (no change in
behaviour)
--
Use supplementary groups in addition to primary group when just USER
is given to -u option (= when GRP is omitted).
--- busybox-1.25.0/runit/chpst.c~ 2016-05-26 19:42:45.0 +0200
+++ busybox-1.25.0/runit/chpst.c 2016-09-06 14:00:57.423464200 +0200
@@ -463,7 +463,8 @@
}
if (opt & OPT_u) {
- if (setgroups(1, &ugid.gid) == -1)
+ int rv = strchr(set_user, ':') ? setgroups(1, &ugid.gid) : initgroups(set_user, ugid.gid);
+ if (rv == -1)
bb_perror_msg_and_die("setgroups");
xsetgid(ugid.gid);
xsetuid(ugid.uid);
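Review bot: the error message on failure is now wrong for one of the two branches; when `strchr(set_user, ':')` is NULL the call that failed is initgroups(), yet the code still dies with "setgroups". Either report the name of the call that actually ran, or keep the two calls in separate if/else blocks each with its own message. Two further things worth checking before merging: initgroups() resolves the supplementary list by the user *name* string, so a numeric uid passed to -u will not pick up any supplementary groups and the behaviour silently differs from the name form; and since this changes the default privilege set of every existing `chpst -u USER` invocation (services previously confined to the primary gid now inherit all of the user's groups), the usage text quoted earlier in the mail ("drop supplementary group ids") needs updating in the same patch so the documented and actual behaviour stay in sync.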
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox