J
Jan Pokorný
Hello,
in the light of a recent spot in Python Paste [1], I've come across
the python-daemon [2] implementation and found it also lacks support
for supplementary groups.
First, I just wanted to post a patch to the author, but realized
the broader context of PEP 3143 that would probably deserve
revisiting at the first place. As the target Python version
seems not to be decided yet, I see a space for it.
If the spirit of solution [2] was to be followed (i.e., initialize
this list with all groups of which user derived from `uid` is
a member + group derived from `gid` (regardless if `uid`/`gid`
is explicit), no change of the PEP would be necessary.
This fact of intented handling of supplementary groups under the hood
still could be mentioned so the users and authors of compatible
interfaces are aware of this "detail".
Another way (in the spirit of systemd [3]) is to extend the interface
with an option (named, e.g., supplementary_groups) for optional
specification of supplemental groups. The default would be something
as in the previous paragraph.
To be honest, I am not sure how consistently is the concept of
supplementary groups used across various *nixes.
POSIX seems to admit variances, e.g. (via [4]):
----v----
The System Interfaces volume of IEEE Std 1003.1-2001 does not specify
whether the effective group ID of a process is included in its
supplementary group list.
----^----
But I believe this should be addressed before the PEP in question is
brought into effect.
[2] http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471
[3] http://0pointer.de/public/systemd-man/systemd.exec.html
[4] http://pubs.opengroup.org/onlinepubs/000095399/utilities/newgrp.html
Regards,
Jan
in the light of a recent spot in Python Paste [1], I've come across
the python-daemon [2] implementation and found it also lacks support
for supplementary groups.
First, I just wanted to post a patch to the author, but realized
the broader context of PEP 3143 that would probably deserve
revisiting at the first place. As the target Python version
seems not to be decided yet, I see a space for it.
If the spirit of solution [2] was to be followed (i.e., initialize
this list with all groups of which user derived from `uid` is
a member + group derived from `gid` (regardless if `uid`/`gid`
is explicit), no change of the PEP would be necessary.
This fact of intented handling of supplementary groups under the hood
still could be mentioned so the users and authors of compatible
interfaces are aware of this "detail".
Another way (in the spirit of systemd [3]) is to extend the interface
with an option (named, e.g., supplementary_groups) for optional
specification of supplemental groups. The default would be something
as in the previous paragraph.
To be honest, I am not sure how consistently is the concept of
supplementary groups used across various *nixes.
POSIX seems to admit variances, e.g. (via [4]):
----v----
The System Interfaces volume of IEEE Std 1003.1-2001 does not specify
whether the effective group ID of a process is included in its
supplementary group list.
----^----
But I believe this should be addressed before the PEP in question is
brought into effect.
[2] http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471
[3] http://0pointer.de/public/systemd-man/systemd.exec.html
[4] http://pubs.opengroup.org/onlinepubs/000095399/utilities/newgrp.html
Regards,
Jan