On Thu, Jun 28, 2012 at 01:15:52AM +0200, Wouter Verhelst wrote:
> On Mon, Jun 25, 2012 at 03:32:55AM +0400, Dmitry V. Levin wrote:
> > Before this change, there was no way to clear or change supplementary
> > groups at all, which is usually required to be done along with changing
> > UID and GID. This change introduces a new global config boolean option
> > "setgroups" and enables it by default. When this option is set to true,
> > - "group" option will additionally clear the list of supplementary groups;
>
> This is sensible, I suppose.
>
> > - unless "group" option is specified, "user" option will additionally
> >   change both GID and the list of supplementary groups to those defined
> >   by the given user name.
>
> I'm not sure about that one; I think setting a group based on an option
> called "user" -- if there is no option "group" specified -- is going to
> be counterintuitive.

From my PoV, switching UID without switching GID and supplementary groups
hardly has a practical sense, so it is most likely a configuration error
rather than a conscious decision.

> Instead, it might be better to redefine the "group" option as a
> comma-separated list, so that multiple groups can be set in the
> configuration file, if needs be.

Since each user name defines not only UID but also GID and supplementary
groups, such a change would encourage users to duplicate configuration
already defined in the system. It's a pity that "group" option exists at
all, "user" option would be enough.

--
ldv
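The "setgroups" semantics described in the thread, as an added C sketch that is not code from the patch under discussion. The names plan_drop, apply_drop and struct drop_plan are hypothetical; the plan is separated from the system calls so the option logic can be checked without root.

```c
#define _DEFAULT_SOURCE            /* for setgroups() and initgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

enum supp_action { SUPP_KEEP, SUPP_CLEAR, SUPP_FROM_USER };

struct drop_plan {                 /* hypothetical: what the daemon will change */
    bool set_uid, set_gid;
    uid_t uid;
    gid_t gid;
    enum supp_action supp;
};

/* pw / gr are the looked-up "user" / "group" options, NULL when not configured. */
struct drop_plan plan_drop(const struct passwd *pw, const struct group *gr,
                           bool setgroups_opt)
{
    struct drop_plan p = { false, false, 0, 0, SUPP_KEEP };
    if (pw) { p.set_uid = true; p.uid = pw->pw_uid; }
    if (gr) {                      /* "group" given: its GID, clear the list */
        p.set_gid = true; p.gid = gr->gr_gid;
        if (setgroups_opt) p.supp = SUPP_CLEAR;
    } else if (pw && setgroups_opt) {   /* only "user": take GID and groups from it */
        p.set_gid = true; p.gid = pw->pw_gid;
        p.supp = SUPP_FROM_USER;
    }
    return p;
}

/* Order matters: supplementary groups, then GID, then UID; every call is checked. */
int apply_drop(const struct drop_plan *p, const char *user)
{
    if (p->supp == SUPP_CLEAR && setgroups(0, NULL) != 0) return -1;
    if (p->supp == SUPP_FROM_USER && initgroups(user, p->gid) != 0) return -1;
    if (p->set_gid && setgid(p->gid) != 0) return -1;
    if (p->set_uid && setuid(p->uid) != 0) return -1;
    /* After dropping to a non-root UID, regaining root must fail. */
    if (p->set_uid && p->uid != 0 && setuid(0) == 0) return -1;
    return 0;
}
```

With setgroups_opt false and only "user" set, the plan changes the UID alone and the process keeps its original GID and supplementary groups, which is the pre-change behaviour the thread describes.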