getgroups returning a different result

Partial answer, I don't know all the details...

We are all taught in school that each unix user belongs to a certain 
number of groups, and that is defined in /etc/passwd.

That's kinda true, but it's an oversimplification.

Each PROCESS has a user and a set of groups. Those groups are set when 
login (or whoever does the login process) switches
from running as root to running as your user. At that point, it will 
explicitly read /etc/passwd, set the correct groups then
switch to the final UID (which can't change groups anymore).

This is the normal process when you login, but it's a convention, not 
something that is enforced by the kernel.

IIUC systemd does not do that for services. Services only have a UID, a 
main GID but no supplementary GIDs.

Supplementary GIDs must be set explicitly with SupplementaryGroups= in 
[Service]. They won't be read from /etc/passwd.

That's my understanding, at least, someone else might know better...

HTH
Jérémy

On 15/06/2018 06:35, aleivag wrote:
> hi systemd'ers, i'm sure this is known, but for the life of me i can't
> seem to know why.
>
> tldr; apparently i lose all auxiliary groups of root when i execute a unit.
>
> i'll explain (i try this on v238).
>
> when i'm logged in as root, and i execute `id` i get all the groups that
> root belongs to. but when i do the same in a systemd unit (e.g. under a
> transient unit, a la systemd-run) i lose all groups. i suspect that this is
> because the getgroups system call returns a different value, but for the
> life of me, i don't know why or how. i'll show
>
> on my normal bash
>
> ```
> [homex ~]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
> ```
>
> i get all the groups, but if i run it with systemd-run
>
> ```
> [homex ~]# systemd-run --pty id
> Running as unit: run-u207.service
> Press ^] three times within 1s to disconnect TTY.
> uid=0(root) gid=0(root) groups=0(root)
> ```
>
> the only group i see is root, now for the semi weird part, if i execute `id
> root`, i do get all the groups
>
> ```
> [homex ~]# systemd-run --pty id root
> Running as unit: run-u220.service
> Press ^] three times within 1s to disconnect TTY.
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
> ```
>
> this is because getgroups returns a different value if i'm in the unit or
> logged in
>
> ```
> [homex ~]# strace id 2>&1 | grep getgroups
> getgroups(0, NULL)                      = 8
> getgroups(8, [0, 1, 2, 3, 4, 6, 10, 19]) = 8
>
> [homex ~]# systemd-run --pty strace id 2>&1 | grep getgroups
> getgroups(0, NULL)                      = 0
> getgroups(0, [])                        = 0
> ```
>
> and the reason why i get all the groups when i execute `id root`, is
> because that does not ask for groups, but calls libnss instead
>
> ```
> [homex ~]# systemd-run --pty strace id root 2>&1 | grep getgroups
> [homex ~]# systemd-run --pty strace id root 2>&1 | grep libnss
> openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
> openat(AT_FDCWD, "/usr/lib/libnss_mymachines.so.2", O_RDONLY|O_CLOEXEC) = 3
> openat(AT_FDCWD, "/usr/lib/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = 3
> ```
>
> i guess i just wanna understand why this is, why this system call returns
> different values if i'm in bash or if i'm in a unit.
>
> thanks guys!
>
> Alvaro Leiva Geisse

-- 
*Jérémy ROSEN*
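The comparison discussed in this thread, written out as an added example that is not part of the original messages: it reads the calling process's own groups with getgroups(2), as plain `id` does, and the groups the user database assigns to the same user with getgrouplist(3), as `id root` does, then lists the database groups the process does not hold. The function names and the `MAXG` bound are assumptions of this example, and it targets Linux with glibc.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes getgrouplist() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAXG 256   /* assumed upper bound on group count for this example */

/* Groups in the process credentials: what getgroups(2) and plain `id` report. */
static int process_groups(gid_t *out, int max) { return getgroups(max, out); }

/* Groups the user database (NSS) assigns to uid: what `id root` reports.
   Returns -1 if uid has no passwd entry or the list does not fit in max. */
static int database_groups(uid_t uid, gid_t *out, int max) {
    struct passwd *pw = getpwuid(uid);
    int n = max;
    if (pw == NULL || getgrouplist(pw->pw_name, pw->pw_gid, out, &n) < 0)
        return -1;
    return n;
}

/* Collect database groups the process does not hold, neither as a
   supplementary group nor as its effective GID. Returns how many. */
static int missing_groups(const gid_t *db, int ndb, const gid_t *proc,
                          int nproc, gid_t egid, gid_t *out) {
    int nout = 0;
    for (int i = 0; i < ndb; i++) {
        int held = (db[i] == egid);
        for (int j = 0; j < nproc && !held; j++)
            held = (proc[j] == db[i]);
        if (!held)
            out[nout++] = db[i];
    }
    return nout;
}

int main(void) {
    gid_t proc[MAXG], db[MAXG], miss[MAXG];
    int np = process_groups(proc, MAXG);
    int nd = database_groups(geteuid(), db, MAXG);
    if (np < 0 || nd < 0) { fprintf(stderr, "group lookup failed\n"); return 2; }
    int nm = missing_groups(db, nd, proc, np, getegid(), miss);
    printf("process: %d supplementary, database: %d, missing: %d\n", np, nd, nm);
    for (int i = 0; i < nm; i++) printf("  missing gid %u\n", (unsigned)miss[i]);
    return nm ? 1 : 0;
}
```

Run once from a login shell and once inside a unit (for example via `systemd-run --pty`) to see the two credential sets side by side; a non-zero exit status means the process holds fewer groups than the database lists for its user.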