[systemd-devel] getgroups returning a diferent result
Michael Chapman
mike at very.puzzling.org
Fri Jun 15 08:32:02 UTC 2018
On Fri, 15 Jun 2018, Jérémy Rosen wrote:
> Partial answer, I don't know all the details...
>
> We are all taught in school that each unix user belongs to to a certain number
> of groups, and that is defined in /etc/passwd.
>
> That's kinda true, but it's an oversimplification.
>
> Each PROCESS has a user and a set of groups. Those groups are set when login
> (or whoever does the login process) switch
> from running as root to running as your user. At that point, it will
> explicitely read /etc/passwd, set the correct groups then
> switch to the final UID (which can't change groups anymore)
>
> This is the normal process when you login, but its a convention, not something
> that is enforced by the kernel.
>
> IIUC systemd does not do that for services. Services only have a UID, a main
> GID but no supplementary GIDs.
>
> Supplementary GID must be set explicitely with SupplementaryGroups= in
> [Service] They won't be read from /etc/passwd
>
> That's my understanding, at least, someone else might know better...
systemd does call initgroups(3) -- which populates a process's
supplementary group list -- but only when the GID is _not_ 0. There's a
comment in the code that it is to avoid an NSS lookup in this case, though
I must admit I don't know the full rationale for it.
It's probably got something to do with the fact that the group database
in NSS won't necessarily be available early during boot, especially if
it's backed onto some network service.
More information about the systemd-devel
mailing list