[PATCH] chpst/setuidgid doesn't support multiple/supplementary groups

Deweloper deweloper at wp.pl
Tue Sep 6 18:59:52 UTC 2016


Hi,

chpst currently drops any supplementary group of the given user, as stated in runit/chpst.c:
> //usage:       "Set uid and gid to USER's uid and gid, drop supplementary group ids,\n"
and at http://smarden.org/runit/chpst.8.html :
> All initial supplementary groups are removed.

Unfortunately chpst doesn't support specifying multiple groups manually (-u user:group1:group2:group3), which is allowed at http://smarden.org/runit/chpst.8.html .

So currently there seems to be no way to launch a service using "runit" tools if the service needs multiple gids in order to have all necessary privileges granted. One can resort to the "su" applet, but it has disadvantages, like the need to invoke a shell intermediately.

My proposal is to change the interpretation of chpst's -u option a bit:
- if there is just USER given, no GRP - the list of supplementary groups should be applied as well, not just the primary group (this is what I would expect from any tool told to "run something as user X")
- if there is USER:GRP given - use only gid of given group (no change in behaviour)

-- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: busybox_chpst_support_supplementary_groups.patch
Type: text/x-patch
Size: 536 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20160906/926d41b5/attachment.bin>
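
The -u semantics proposed in the message above, sketched as an added example; this is not the attached patch and not BusyBox code. The names `split_spec` and `drop_to` are hypothetical, and the program assumes it is started as root.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Split "USER[:GRP]" in place; returns GRP, or NULL when only USER was given. */
char *split_spec(char *spec)
{
    char *colon = strchr(spec, ':');
    if (!colon)
        return NULL;
    *colon = '\0';
    return colon + 1;
}

/* Drop to the identity named by spec. Returns 0 on success, -1 on any failure. */
int drop_to(char *spec)
{
    char *grp = split_spec(spec);
    struct passwd *pw = getpwnam(spec);
    if (!pw)
        return -1;
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;
    if (grp) {                         /* USER:GRP: only that gid, as today */
        struct group *gr = getgrnam(grp);
        if (!gr)
            return -1;
        gid = gr->gr_gid;
        if (setgroups(1, &gid) != 0)
            return -1;
    } else if (initgroups(pw->pw_name, gid) != 0) {
        return -1;                     /* USER alone: load supplementary groups */
    }
    /* Groups before uid: once the uid is dropped, groups can no longer be set. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Fail closed if root can still be regained after the drop. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3 || drop_to(argv[1]) != 0) {
        fprintf(stderr, "usage: %s USER[:GRP] PROG [ARGS...] (as root)\n", argv[0]);
        return 111;
    }
    execvp(argv[2], argv + 2);
    return 111;                        /* exec failed */
}
```

Checking `/proc/<pid>/status` (the `Groups:` line) of the launched service shows which of the two branches was taken.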

