core: initialize user aux groups and SupplementaryGroups= when DynamicUser= is set #4543

Merged
tixxdz merged 3 commits into systemd:master from endocode:djalal/fix-dynamicuser-supplementary-groups
Nov 3, 2016

@tixxdz
Member

@tixxdz tixxdz commented Nov 2, 2016

Make sure that when DynamicUser= is set that we initialize the user supplementary groups and that we also support SupplementaryGroups=

Fixes: #4539

Thanks Evgeny Vereshchagin (@evverx)

@poettering
Member

lgtm! thanks for fixing!

@poettering poettering added the good-to-merge/waiting-for-ci 👍 and pid1 labels Nov 2, 2016
@poettering poettering added this to the v232 milestone Nov 2, 2016
@evverx
Contributor

evverx commented Nov 3, 2016

$ sudo ./libtool --mode=execute ./test-execute
...
exec-dynamicuser-supplementarygroup.service: There's no 'start' task anymore we could start: No child processes
exec-dynamicuser-supplementarygroup.service: Failed to run 'start' task: No such device or address
exec-dynamicuser-supplementarygroup.service: Unit entered failed state.
exec-dynamicuser-supplementarygroup.service: Failed with result 'resources'.
exec-dynamicuser-supplementarygroup.service
    UMask: 0022
    WorkingDirectory: /
    RootDirectory: /
    NonBlocking: no
    PrivateTmp: no
    PrivateDevices: no
    ProtectKernelTunables: no
    ProtectKernelModules: no
    ProtectControlGroups: no
    PrivateNetwork: no
    PrivateUsers: no
    ProtectHome: no
    ProtectSystem: no
    IgnoreSIGPIPE: yes
    MemoryDenyWriteExecute: no
    RestrictRealtime: no
    RuntimeDirectoryMode: 0755
    StandardInput: null
    StandardOutput: inherit
    StandardError: inherit
    DynamicUser: no
Assertion 'service->main_exec_status.code == code_expected' failed at src/test/test-execute.c:70, function check(). Aborting.
Aborted

For the record:

$ cat /proc/version
Linux version 4.7.9-200.fc24.x86_64 ([email protected]) (gcc version 6.2.1 20160916 (Red Hat 6.2.1-2) (GCC) ) #1 SMP Thu Oct 20 14:26:16 UTC 2016

$ systemctl --version
systemd 229
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

@poettering
Member

hmm @tixxdz any chance you can look into this? last thing remaining before v232...

@evverx
Contributor

evverx commented Nov 3, 2016

Fix:

index 505af41..6029853 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -262,7 +262,7 @@ static void test_exec_supplementary_groups(Manager *m) {
 static void test_exec_dynamic_user(Manager *m) {
         test(m, "exec-dynamicuser-fixeduser.service", 0, CLD_EXITED);
         test(m, "exec-dynamicuser-fixeduser-one-supplementarygroup.service", 0, CLD_EXITED);
-        test(m, "exec-dynamicuser-supplementarygroup.service", 0, CLD_EXITED);
+        test(m, "exec-dynamicuser-supplementarygroups.service", 0, CLD_EXITED);
 }

 static void test_exec_environment(Manager *m) {
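Review bot: The unit name on the changed test() line is an unchecked string literal, and the run log above shows what a name with no matching unit file looks like: "Failed with result 'resources'" followed by the assertion on main_exec_status.code at src/test/test-execute.c:70. Consider having the test helper fail early with a message saying the unit could not be loaded, so a one-letter mismatch such as supplementarygroup vs. supplementarygroups is reported as a missing unit instead of as an exit-code mismatch.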
diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service
index 477c953..d5433f2 100644
--- a/test/test-execute/exec-dynamicuser-supplementarygroups.service
+++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service
@@ -2,7 +2,7 @@
 Description=Test DynamicUser with SupplementaryGroups=

 [Service]
-ExecStart=/bin/sh -x -c 'test "$$(id -G | cut -d' ' -f2,4)" = "1 2 3"'
+ExecStart=/bin/sh -x -c 'test "$$(id -G | cut -d " " --complement -f 1)" = "1 2 3"'
 Type=oneshot
 DynamicUser=yes
 SupplementaryGroups=1 2 3
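Review bot: On the new ExecStart= line, --complement is a GNU coreutils extension to cut, so the test now depends on the cut found by /bin/sh being GNU cut. Writing it as cut -d " " -f 2- selects the same fields (everything after the primary GID) with POSIX options only. The exact comparison against "1 2 3" is worth keeping as is, since it also fails if the dynamic user ends up with any group beyond the three listed in SupplementaryGroups=.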

…User= is set

Make sure that when DynamicUser= is set that we initialize the user
supplementary groups and that we also support SupplementaryGroups=

Fixes: systemd#4539

Thanks Evgeny Vereshchagin (@evverx)
@tixxdz tixxdz force-pushed the djalal/fix-dynamicuser-supplementary-groups branch from 4b23d3c to 5c67067 Compare November 3, 2016 07:52
@tixxdz
Member Author

tixxdz commented Nov 3, 2016

@evverx thank you for the fix, pushed.

@tixxdz tixxdz merged commit 34f139c into systemd:master Nov 3, 2016
@keszybz keszybz removed the good-to-merge/waiting-for-ci 👍 label Nov 3, 2016