upstart

Supplementary groups not set for user jobs

Bug #812870 reported by ValVe on 2011-07-19

78

This bug affects 16 people

Affects		Status	Importance	Assigned to	Milestone
	upstart	Fix Released	Undecided	Unassigned

Bug Description

Upstart should be able to (optionally?) assign supplementary groups to user job processes.

When running user jobs, upstart SETGIDs them to a primary group only, therefore crippling the user's ability to run jobs requiring group-specific privileges (for example, reading from audio device or webcam, which assumes membership in audio and video groups).

Revision history for this message

ValVe (valve-via) wrote on 2011-07-19:

#1

Appends supplementary groups to user job process Edit (1.3 KiB, text/plain)

This patch adds supplementary groups to user process using initgroups() function from <grp.h>
It also includes SETGID patch from Bug #807293 as it is essentially useless without it.

Revision history for this message

Steve Langasek (vorlon) wrote on 2013-01-17:

#2

A fix for this has been committed in upstream revision 1396.

Changed in upstart:
status:	New → Fix Committed

Tom Simnett (tom+launchpad-initforthe) on 2013-01-23

Changed in upstart:
status:	Fix Committed → Fix Released

Revision history for this message

Andri Möll (moll) wrote on 2013-03-03:

#3

Anyone looking for an alternative until this gets released to Ubuntu might want to look into /usr/bin/sg. You can set up additional groups with that prior to firing up your setgid'ed service.

Revision history for this message

offby1 (offby1) wrote on 2014-02-05:

#4

As far as I can tell, "sg" only sets the "effective group ID", of which your process has exactly one; but it doesn't add to the "supplementary group IDs". In my case, I wanted my process to have both, and "sg" wasn't helping. So I found this workaround: instead of having ``setuid logstash`` followed by ``exec java -jar logstash-1.3.3-flatjar.jar agent -f /etc/shipper.conf``, I got rid of the ``setuid`` and used ``exec sudo -u logstash bash -c "java -jar logstash-1.3.3-flatjar.jar agent -f /etc/shipper.conf"``. Turns out that "sudo" sets all the supplementary GIDs for me.

Revision history for this message

Andri Möll (moll) wrote on 2014-02-05:

#5

Offby1, why the extra /bin/bash invocation? Why not straight /usr/bin/java?

Revision history for this message

offby1 (offby1) wrote on 2014-07-23:

#6

Andri -- sorry to let five months elapse before answering! I have no good reason for using /bin/bash; I suspect it will work as well your way (i.e., /usr/bin/java).

Revision history for this message

Jens Rantil (jens-rantil) wrote on 2014-09-21:

#7

Anyone here who could clarify which package version that contains this fix? Thanks.

Revision history for this message

Vitaly Repin (vitaly-repin) wrote on 2016-03-01:

#8

Patch for upstart 1.5-0ubuntu7.3 Edit (4.2 KiB, text/plain)

I have backported fix from upstart 1.7 to upstart 1.5 (1.5-0ubuntu7.3) used in Ubuntu 12.04.5 LTS (Precise Pangolin)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.