Re: [Nbd] [RFC PATCH] nbd-server: set supplementary groups by default when changing UID/GID
- To: "Dmitry V. Levin" <ldv@...1147...>
- Cc: nbd-general@lists.sourceforge.net
- Subject: Re: [Nbd] [RFC PATCH] nbd-server: set supplementary groups by default when changing UID/GID
- From: Wouter Verhelst <w@...112...>
- Date: Tue, 3 Jul 2012 14:51:38 -0600
- Message-id: <20120703205138.GB1986@...3...>
- In-reply-to: <20120628001917.GA5831@...1147...>
- References: <20120624233255.GD28298@...1147...> <20120627231552.GD7082@...3...> <20120628001917.GA5831@...1147...>
On Thu, Jun 28, 2012 at 04:19:17AM +0400, Dmitry V. Levin wrote:
> On Thu, Jun 28, 2012 at 01:15:52AM +0200, Wouter Verhelst wrote:
> > On Mon, Jun 25, 2012 at 03:32:55AM +0400, Dmitry V. Levin wrote:
> > > Before this change, there was no way to clear or change supplementary
> > > groups at all, which is usually required to be done along with changing
> > > UID and GID. This change introduces a new global config boolean option
> > > "setgroups" and enables it by default. When this option is set to true,
> > > - "group" option will additionally clear the list of supplementary groups;
> >
> > This is sensible, I suppose.
> >
> > > - unless "group" option is specified, "user" option will additionally
> > > change both GID and the list of supplementary groups to those defined
> > > by the given user name.
> >
> > I'm not sure about that one; I think setting a group based on an option
> > called "user" -- if there is no option "group" specified -- is going to
> > be counterintuitive.
>
> From my PoV, switching UID without switching GID and supplementary groups
> hardly has a practical sense, so it is most likely a configuration error
> rather than a conscious decision.

That's not the experience I've had with most daemons. I also disagree
that this is useless; I've had situations where not switching the group
made some sense.

Additionally, this changes current behaviour, which I think is even
worse than bad defaults.

So I'm going to NAK this, I'm afraid.

> > Instead, it might be better to redefine the "group" option as a
> > comma-separated list, so that multiple groups can be set in the
> > configuration file, if needs be.
>
> Since each user name defines not only UID but also GID and supplementary
> groups, such a change would encourage users to duplicate configuration
> already defined in the system. It's a pity that "group" option exists at
> all, "user" option would be enough.

I don't agree with that statement.

--
The volume of a pizza of thickness a and radius z can be described by
the following formula:
pi zz a