Bug#993488: maybe reason for wontfix?

[Philipp Kern <pkern@debian.org>]

On 2021-09-03 14:23, Tomas Pospisek wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993488#16 contains a
> "wontfix + close" but no rationale. Which leaves the original reporter
> with a large "?" I guess.
>
> I am guessing that the reason for the "wontfix" is "that's just how
> Unix works unfortunately" aka "that's a Unix design bug"? Is my guess
> correct?
>
> One other question - any idea on a way forward here? I would guess
> that behaviour (changing group membership won't change group
> membership of running processes) is rooted somewhere quite low in the
> stack, maybe in the kernel itself (or in posix :-#)? So if the
> original reporter would want to go ahead and look to that problem
> beeing fixed would he need to go talk to the kernel mailing list or do
> you have idea where he could go to?

Processes in *nix inherit permissions. That's inherent to the design. If 
you want more guarantees, you need to move from discretionary access 
control (based on the identity at the time of process (tree) creation) 
to mandatory access control (e.g. SELinux).

Kind regards
Philipp Kern