I fully believe this is a bug in swift and should be fixed. Here is a more elegant solution that appends all existing member groups of a given user to the process so that swift-proxy will respect group memberships set by the admin rather than effectively "clearing" the group memberships. I propose the following patch to /usr/share/pyshared/swift/common/utils.py:
cloudscaling@zm-meth:~$ diff -c utils.py newutils.py
:param user: User name to change privileges to
"""
user = pwd.getpwnam(user)
if os.geteuid() == 0:
! os.setgroups([])
os.setgid(user[3])
os.setuid(user[2])
os.environ['HOME'] = user[5]
--- 849,859 ----
:param user: User name to change privileges to
"""
+
+ groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
user = pwd.getpwnam(user)
if os.geteuid() == 0:
! os.setgroups(groups)
os.setgid(user[3])
os.setuid(user[2])
os.environ['HOME'] = user[5]
I fully believe this is a bug in swift and should be fixed. Here is a more elegant solution that appends all existing member groups of a given user to the process so that swift-proxy will respect group memberships set by the admin rather than effectively "clearing" the group memberships. I propose the following patch to /usr/share/pyshared/swift/common/utils.py:
cloudscaling@zm-meth:~$ diff -c utils.py newutils.py
*** utils.py 2014-01-15 07:13:29.500844967 -0800
--- newutils.py 2014-01-15 07:12:57.736974152 -0800
***************
*** 18,24 ****
import errno
import fcntl
import os
! import pwd
import sys
import time
import functools
--- 18,24 ----
import errno
import fcntl
import os
! import pwd, grp
import sys
import time
import functools
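Review bot: `import pwd, grp` puts two modules on one import line, which the rest of this import block avoids (one module per line); keep the existing `import pwd` unchanged and add `import grp` as its own line next to it. That also keeps the diff to a pure addition, so a later change to either import does not collide with this one.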
***************
*** 849,857 ****
:param user: User name to change privileges to setgid( user[3] ) setuid( user[2] ) environ[ 'HOME'] = user[5]
"""
user = pwd.getpwnam(user)
if os.geteuid() == 0:
! os.setgroups([])
os.
os.
os.
--- 849,859 ----
:param user: User name to change privileges to groups) setgid( user[3] ) setuid( user[2] ) environ[ 'HOME'] = user[5]
"""
+
+ groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
user = pwd.getpwnam(user)
if os.geteuid() == 0:
! os.setgroups(
os.
os.
os.
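Review bot: The new `groups` list is built unconditionally from `grp.getgrall()`, before `pwd.getpwnam(user)` and outside the `os.geteuid() == 0` guard, so every non-root start pays for a full scan of the group database whose result is then never used; move the computation under the guard. Note also that `g.gr_mem` lists only explicitly named members, and enumerating the whole database may be slow or incomplete on hosts whose groups come from a directory service rather than a flat file, so the standard call that resolves supplementary groups the same way `login` does is preferable where the runtime provides it: under the guard, `os.initgroups(user.pw_name, user.pw_gid)` in place of both the list comprehension and `os.setgroups(groups)`. Finally, the old `os.setgroups([])` deliberately dropped all supplementary groups; granting them back is the intent of this patch, but that widens what the daemon can reach if it is ever compromised, so a one-line comment such as `# keep admin-assigned supplementary groups; the daemon runs with exactly those permissions` should record the decision. The enclosing `drop_privileges` function starts before and continues after this hunk.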