[systemd-devel] getgroups returning a different result

Lennart Poettering lennart at poettering.net
Mon Jun 18 10:53:58 UTC 2018


On Thu, 14.06.18 21:35, aleivag (aleivag at gmail.com) wrote:

> hi systemd'ers, I'm sure this is known, but for the life of me I can't
> seem to figure out why.
> 
> tl;dr: apparently I lose all auxiliary groups of root when I execute a unit.
> 
> I'll explain (I tried this on v238).
> 
> When I'm logged in as root and I execute `id`, I get all the groups that
> root belongs to. But when I do the same in a systemd unit (e.g. under a
> transient unit, a la systemd-run), I lose all groups. I suspect that this is
> because the getgroups system call returns a different value, but for the
> life of me, I don't know why or how. I'll show

So as you already found out, we hardcode the user db entries for two
users in systemd: the root user and the nobody user. We do this as a
safety precaution. Doing user db lookups through NSS frequently means
doing IPC to some service of some form, and if we are the service
manager and do such NSS calls, potentially triggering service
activation, then there's a major risk of deadlocking. Hence, we
special-case these two users and shortcut the lookups internally.

This is normally not a problem, as these users are defined very
stably. However, if local systems deviate, for example by adding the
root or nobody user to some auxiliary groups or changing the home
directory, this has a chance of breaking.

What's the precise use case for adding the auxiliary groups? I mean,
the root user generally doesn't need them, as it tends to be able to
override access controls anyway...

Lennart

-- 
Lennart Poettering, Red Hat
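The discrepancy described in this thread is easy to make visible with a small check program. The following is an added example, not code from the thread or from systemd: it compares what the kernel reports for the calling process via getgroups(2) with what the user database (NSS) says the user should have via glibc's getgrouplist(3), and lists any groups the process is missing. Function names, the MAX_GROUPS limit, and the exit codes are this example's own choices.

```c
/* groupcheck.c: compare the process's supplementary groups (getgroups)
 * with the user database's view of the same user (getgrouplist).
 * Added example; not part of the systemd source or this thread. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototype so the example builds even under strict -std=c11,
 * where <grp.h> may not expose this glibc/BSD extension. Matches glibc. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);

#define MAX_GROUPS 256   /* example's own bound; NGROUPS_MAX is larger */

/* Supplementary groups the kernel currently holds for this process,
 * i.e. what `id` shows. Returns the count, or -1 on error. */
int kernel_groups(gid_t *out, int cap)
{
    return getgroups(cap, out);
}

/* Supplementary groups the user database (/etc/group, sssd, ...) says
 * the user owning `uid` belongs to. Returns the count, or -1 on error. */
int nss_groups(uid_t uid, gid_t *out, int cap)
{
    struct passwd *pw = getpwuid(uid);
    int n = cap, k = 0;

    if (pw == NULL)
        return -1;
    /* getgrouplist() returns -1 if more than `cap` entries would be needed */
    if (getgrouplist(pw->pw_name, pw->pw_gid, out, &n) < 0)
        return -1;
    /* getgrouplist() always includes the primary gid; drop it so only true
     * supplementary groups remain (getgroups(2) need not report the egid). */
    for (int i = 0; i < n; i++)
        if (out[i] != pw->pw_gid)
            out[k++] = out[i];
    return k;
}

/* Pure helper: copy into `missing` every gid in `want` that is absent
 * from `have`. Returns how many were missing (at most `cap` are copied). */
int missing_groups(const gid_t *have, int nhave,
                   const gid_t *want, int nwant,
                   gid_t *missing, int cap)
{
    int nmissing = 0;

    for (int i = 0; i < nwant; i++) {
        int found = 0;
        for (int j = 0; j < nhave; j++)
            if (have[j] == want[i]) { found = 1; break; }
        if (!found && nmissing < cap)
            missing[nmissing++] = want[i];
    }
    return nmissing;
}

int main(void)
{
    gid_t have[MAX_GROUPS], want[MAX_GROUPS], missing[MAX_GROUPS];
    int nhave = kernel_groups(have, MAX_GROUPS);
    int nwant, nmissing;

    if (nhave < 0) { perror("getgroups"); return 1; }
    printf("uid %u: kernel reports %d supplementary group(s):",
           (unsigned)getuid(), nhave);
    for (int i = 0; i < nhave; i++) printf(" %u", (unsigned)have[i]);
    printf("\n");

    nwant = nss_groups(getuid(), want, MAX_GROUPS);
    if (nwant < 0) { fprintf(stderr, "user database lookup failed\n"); return 1; }

    nmissing = missing_groups(have, nhave, want, nwant, missing, MAX_GROUPS);
    if (nmissing == 0) {
        printf("process groups match the user database\n");
        return 0;
    }
    printf("%d group(s) in the user database but not in this process:", nmissing);
    for (int i = 0; i < nmissing; i++) printf(" %u", (unsigned)missing[i]);
    printf("\n");
    return 2;   /* non-zero so the check can gate a script or unit */
}
```

Build with `cc -o groupcheck groupcheck.c`, run it once from a root login shell and once under a transient unit (`systemd-run -t ./groupcheck`). On a system where root has been added to auxiliary groups, the first run reports a match and the second lists the groups the unit's process lacks, which is exactly the effect of systemd's hardcoded root entry described above. For users other than root and nobody, both runs should agree, since those lookups go through NSS.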


More information about the systemd-devel mailing list