
FS#988 - Procd does not respect a user's groups when using parameter user #6423

Closed
openwrt-bot opened this issue Aug 28, 2017 · 8 comments
Comments

@openwrt-bot

flipreverse:

Hi folks!

I'm referring to git revision 4b3ffec.
Using this, procd does not respect a user's groups (/etc/group) when starting a service.
In my case, I want a particular service running as a particular user (procd_set_param user foo). The user is a member of several groups, and they are needed when running that service.
However, the service runs as user foo, but he is not a member of the other groups as described in /etc/group. I verified it by using a wrapper script which wrote the output of 'id' to a file.

Steps to reproduce:

  1. Create a user foo that has primary group foo and is a member of group bar.
  2. Write a short bash script which writes the output of 'id' to a file.
  3. Create a service that starts the aforementioned script.
  4. Have a look at the output. It should say something like this: uid=XXX(foo) gid=xxx(foo).

I expect it to be: uid=XXX(foo) gid=XXX(foo) groups=XXX(bar).

Cheers,
Alex

@openwrt-bot

yousong:

Hi, please check relevant entries in /etc/passwd and /etc/group to see if user "foo" has the right primary group id set there. If you are using /lib/functions.sh to add group and users, it's very likely that it generated wrong id in the user/group database.

The following snippet should confirm that.

. /lib/functions.sh
# old, buggy way:
# group_add_next bar; gid=$?
gid=$(group_add_next bar)
user_add foo "" "$gid"

. /lib/functions/procd.sh
service_triggers() { true; }
procd_open_service foo foo
procd_open_instance bz
procd_set_param user foo
procd_set_param command '/bin/sh' '-c' 'logger $(id)'
procd_close_instance
procd_close_service

@openwrt-bot

flipreverse:

Please excuse my late response. I didn't get any notification about your answer.
Procd works perfectly with respect to a user's primary group. However, a user might be in more than just his or her primary group.
In my case, the user foo's primary group is staff, and he is also a member of the group bar.
However, the procd scripts do not respect those groups.

@openwrt-bot

por:

Just to understand the issue, what has this to do with procd?

The user and group information, in the case of OpenWrt implemented in passwd/groups, and retrievable with f.i. getent() and id, seems completely unrelated. Or is that data not available in procd's jail?

@openwrt-bot

yousong:

The issue should be that procd only sets the effective group id to the user's primary group id, while Alexander the reporter expects it to also set supplementary group ids for instance processes ;) I think this is a valid feature request, better than adding another "group" option.
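The distinction yousong draws (effective gid only versus the user's supplementary groups) is exactly what initgroups() exists for. As an added example, not procd's code and not part of this thread, here is a C helper that computes which supplementary gids a group(5) database grants a user (so a test can compare it with what `id -G` reports inside the service), next to the privilege-drop order a supervisor needs so the child actually gets those groups. The function names and the group-file text in the test are constructed for illustration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse group(5)-formatted text ("name:passwd:gid:member1,member2") and
 * collect the gids of every group that lists `user` as a member, i.e. the
 * supplementary groups `id` should report. Returns the number found. */
int supplementary_gids(const char *group_db, const char *user,
                       gid_t *out, int max)
{
    char buf[4096];
    int n = 0;
    snprintf(buf, sizeof buf, "%s", group_db);   /* strsep() modifies its input */
    char *save, *line = strtok_r(buf, "\n", &save);
    for (; line && n < max; line = strtok_r(NULL, "\n", &save)) {
        char *p = line, *f[4] = { 0 };
        for (int i = 0; i < 4 && p; i++)
            f[i] = strsep(&p, ":");              /* strsep keeps empty fields */
        if (!f[2] || !f[3])
            continue;                            /* malformed line, skip it */
        char *members = f[3], *m;
        while ((m = strsep(&members, ",")) != NULL) {
            if (strcmp(m, user) == 0) {
                out[n++] = (gid_t)strtoul(f[2], NULL, 10);
                break;
            }
        }
    }
    return n;
}

/* Drop from root to `user` the way a service supervisor should: set the
 * supplementary groups with initgroups() (the step this issue is about),
 * then the primary gid, then the uid last. Needs root; 0 on success. */
int drop_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1; /* skip this: gid only */
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;  /* the drop must be irreversible */
}
```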

@openwrt-bot

yousong:

Hi, Alexander, I just posted 2 patches [1] to the mailing list that should address the issue for you. Please give it a try and see if it works for you. Thank you.

[1] http://patchwork.ozlabs.org/project/lede/list/?series=27951

@openwrt-bot

flipreverse:

Yeah, sure! I'll try them.
Unfortunately, I do not see any patches. Do I have to login to see them?

EDIT: Found them: http://patchwork.ozlabs.org/patch/871761/

@openwrt-bot

flipreverse:

Where do I find that file instance.c?
I do not have such file in my checkout (https://git.lede-project.org/source.git).

@openwrt-bot

flipreverse:

Got it. :) It took me a while to notice that the procd sources are downloaded as a tarball.
I then successfully patched the sources, and it works.

Thanks!
