On Thu, 14.06.18 21:35, aleivag (aleivag at gmail.com) wrote:

> hi systemd'ers, i'm sure this is known, but for the life of me i can't
> seem to know why.
>
> tldr; apparently i lose all auxiliary groups of root when i execute a unit.
>
> i'll explain (i tried this on v238).
>
> when i'm logged in as root, and i execute `id` i get all the groups that
> root belongs to. but when i do the same in a systemd unit (e.g. under a
> transient unit, a la systemd-run) i lose all groups. i suspect that this is
> because the getgroups system call returns a different value, but for the
> life of me, i don't know why or how. i'll show

So as you already found out we hardcode the user db entries for two users
in systemd: the root user and the nobody user. We do this as a safety
precaution. Doing user db lookups through NSS frequently means doing IPC
to some service of some form, and if we are the service manager, and do
such NSS calls potentially triggering service activation, then there's a
major risk of deadlocking. Hence, we special case these two users, and
shortcut the lookups internally.

This is normally not a problem, as these users are defined very stably.
However, if local systems deviate, for example by adding the root or
nobody user to some auxiliary groups or changing the home directory, this
has a chance of breaking.

What's the precise use case for adding the auxiliary groups? I mean, the
root user generally doesn't need them as it tends to be able to override
access controls anyway...

Lennart

--
Lennart Poettering, Red Hat
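An audit check for the deviation Lennart describes (root or nobody given auxiliary groups locally, which a unit will then not receive), as an added example that is not part of this thread or of systemd. It reads the user/group database through Python's pwd/grp modules (i.e. via NSS); the user name "nobody" and the sample group db in demo() are assumptions.

```python
import grp
import os
import pwd

# Users whose user-db entries systemd answers internally rather than via
# NSS (per the thread above); the second name is assumed to be "nobody".
INTERNAL_USERS = ("root", "nobody")

def find_aux_groups(users, groups):
    """users: {name: primary_gid}; groups: iterable of (name, gid, members).
    Returns {user: sorted extra group names} for users with any, i.e. the
    memberships a unit started by systemd would not receive."""
    result = {}
    for user, primary_gid in users.items():
        extra = sorted(name for name, gid, members in groups
                       if gid != primary_gid and user in members)
        if extra:
            result[user] = extra
    return result

def audit_live_system(names=INTERNAL_USERS):
    """Query the real user/group db through pwd/grp (the NSS path systemd
    deliberately avoids for these users) and return their extra groups."""
    users = {}
    for name in names:
        try:
            users[name] = pwd.getpwnam(name).pw_gid
        except KeyError:  # user not defined locally: nothing to check
            continue
    groups = [(g.gr_name, g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    return find_aux_groups(users, groups)

def missing_groups():
    """Run inside a unit: compare the process's supplementary groups (what
    the service manager applied) with what NSS lists for its user; a
    non-empty list is the symptom from the original question."""
    me = pwd.getpwuid(os.getuid())
    expected = {g.gr_gid for g in grp.getgrall() if me.pw_name in g.gr_mem}
    return sorted(expected - set(os.getgroups()))

def demo():
    """Constructed group db in which root was added to 'wheel' and 'adm'."""
    users = {"root": 0, "nobody": 65534}
    groups = [("root", 0, []), ("wheel", 10, ["root"]),
              ("adm", 4, ["alice", "root"]), ("nobody", 65534, [])]
    return find_aux_groups(users, groups)

if __name__ == "__main__":
    print("local deviations:", demo(), audit_live_system())
```

Running audit_live_system() on a host returns an empty dict when root and nobody match the stable definitions systemd assumes, and lists the offending groups otherwise.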