also sprach Ben Finney <ben+deb...@benfinney.id.au> [2014-12-17 02:13 +0100]:
> > but even if I do not pass the gid value to DaemonContext, then the
> > process is unable to read this file:
> >
> > -rw-r----- 1 root ssl-cert 1704 Dec 16 14:08 /etc/ssl/private/ssl-cert-snakeoil.key
>
> Right, AFAIK a process that began as non-superuser has no way of adding
> supplementary groups. So, a process which daemonises itself is no
> exception to this.

The process starts as root and then passes the target uid/gid to
DaemonContext, which drops the root privileges. To me, it seems like
it's fully enforcing uid *and* gid, which is probably a desirable
feature. But a uid can be a member of multiple groups, and it might
also be desirable not to drop those extra groups, as in my case.

> Ah, maybe you're thinking the DaemonContext should call
> ‘os.initgroups’
> <URL:file:///usr/share/doc/python-doc/html/library/os.html#os.initgroups>
> for the target uid and gid?

Yes, I think this would do it, and I think it would be an
enhancement to make this optional/configurable, e.g. via a new,
optional parameter enforce_gid_set=True or
preserve_user_groups=False.

Thank you!

--
 .''`.   martin f. krafft <madduck@d.o>      @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems
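Added example, not part of the original message and not python-daemon's code: the privilege-drop sequence discussed above, with the supplementary groups either rebuilt via `os.initgroups` or cleared. The `preserve_user_groups` flag borrows the name proposed in the message and is hypothetical here; `FakeOS`, the user `daemonuser`, and all uids/gids are constructed so the sequence can be exercised without root.

```python
import grp
import os
from collections import namedtuple

def initgroups_set(username, gid, group_db=None):
    """Sorted gids that os.initgroups(username, gid) would install."""
    entries = grp.getgrall() if group_db is None else group_db
    return sorted({gid} | {g.gr_gid for g in entries if username in g.gr_mem})

def drop_privileges(username, uid, gid, preserve_user_groups=True, osmod=os):
    """Drop from root to uid/gid; group changes need root, so they precede setuid()."""
    if preserve_user_groups:
        osmod.initgroups(username, gid)  # gid plus every group listing the user
    else:
        osmod.setgroups([])              # strict: primary gid only
    osmod.setgid(gid)
    osmod.setuid(uid)
    if osmod.getuid() != uid or osmod.getgid() != gid:
        raise RuntimeError("privilege drop did not take effect")
    return sorted(set(osmod.getgroups()) | {gid})

# Constructed sample group database (names and ids are made up).
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
SAMPLE_GROUPS = [
    Group("daemonuser", 1001, []),
    Group("ssl-cert", 110, ["daemonuser"]),
    Group("adm", 4, ["someoneelse"]),
]

class FakeOS:
    """Stand-in for the os module so the sequence can run without root."""
    def __init__(self, group_db):
        self.db, self.calls = group_db, []
        self.uid, self.gid, self.groups = 0, 0, [0]
    def initgroups(self, user, gid):
        self.calls.append("initgroups")
        self.groups = initgroups_set(user, gid, self.db)
    def setgroups(self, gids):
        self.calls.append("setgroups")
        self.groups = list(gids)
    def setgid(self, gid):
        self.calls.append("setgid")
        self.gid = gid
    def setuid(self, uid):
        self.calls.append("setuid")
        self.uid = uid
    def getuid(self): return self.uid
    def getgid(self): return self.gid
    def getgroups(self): return list(self.groups)
```

With the real `os` module (the default `osmod`), the call only succeeds in a process that is still root; once `setuid()` has run, the group list can no longer be extended.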