Supplementary groups not set for user jobs

Reported by ValVe on 2011-07-19
This bug affects 13 people
Affects: upstart
Importance: Undecided
Assigned to: Unassigned

Bug Description

Upstart should be able to (optionally?) assign supplementary groups to user job processes.

When running user jobs, upstart SETGIDs them to a primary group only, therefore crippling the user's ability to run jobs requiring group-specific privileges (for example, reading from audio device or webcam, which assumes membership in audio and video groups).

ValVe (valve-via) wrote :

This patch adds supplementary groups to the user process using the initgroups() function from <grp.h>.
It also includes the SETGID patch from Bug #807293, as it is essentially useless without it.

Steve Langasek (vorlon) wrote :

A fix for this has been committed in upstream revision 1396.

Changed in upstart:
status: New → Fix Committed
Changed in upstart:
status: Fix Committed → Fix Released
Andri Möll (moll) wrote :

Anyone looking for an alternative until this gets released to Ubuntu might want to look into /usr/bin/sg. You can set up additional groups with that prior to firing up your setgid'ed service.

offby1 (offby1) wrote :

As far as I can tell, "sg" only sets the "effective group ID", of which your process has exactly one; but it doesn't add to the "supplementary group IDs". In my case, I wanted my process to have both, and "sg" wasn't helping. So I found this workaround: instead of having ``setuid logstash`` followed by ``exec java -jar logstash-1.3.3-flatjar.jar agent -f /etc/shipper.conf``, I got rid of the ``setuid`` and used ``exec sudo -u logstash bash -c "java -jar logstash-1.3.3-flatjar.jar agent -f /etc/shipper.conf"``. Turns out that "sudo" sets all the supplementary GIDs for me.

Andri Möll (moll) wrote :

Offby1, why the extra /bin/bash invocation? Why not straight /usr/bin/java?
