Re: [Nbd] [RFC PATCH] nbd-server: set supplementary groups by default when changing UID/GID
- To: "Dmitry V. Levin" <ldv@...1147...>
- Cc: nbd-general@lists.sourceforge.net
- Subject: Re: [Nbd] [RFC PATCH] nbd-server: set supplementary groups by default when changing UID/GID
- From: Wouter Verhelst <w@...112...>
- Date: Tue, 3 Jul 2012 17:15:09 -0600
- Message-id: <20120703231509.GQ1986@...3...>
- In-reply-to: <20120703223211.GA10094@...1147...>
- References: <20120624233255.GD28298@...1147...> <20120627231552.GD7082@...3...> <20120628001917.GA5831@...1147...> <20120703205138.GB1986@...3...> <20120703223211.GA10094@...1147...>
On Wed, Jul 04, 2012 at 02:32:11AM +0400, Dmitry V. Levin wrote:
> Unfortunately, in situations where nbd-server processes are running with a
> privileged group id and a full set of supplementary groups, these
> processes usually would have write access to many more files than one
> would like to allow them.

I agree that this can be a problem in some cases, but it can also be a
feature.

> > Additionally, this changes current behaviour, which I think is even
> > worse than bad defaults.
> >
> > So I'm going to NAK this, I'm afraid.
>
> Would it be acceptable to introduce the same "setgroups" option with the
> same semantics but not enabled by default?

I suppose, yes. I'm still not convinced of its usefulness, but if it
doesn't change current behaviour (and thereby can't surprise users) it's
not a real problem.

It won't be part of 3.2 anymore, though, since I've just released that.
I suppose I should've given you a chance to respond first; sorry 'bout
that.

--
The volume of a pizza of thickness a and radius z can be described by
the following formula:
pi zz a
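
Added example, not part of the original message and not nbd-server's code: a privilege drop that sets the supplementary groups before changing GID and UID, then checks that none of the groups inherited from the starting process remain, which is the situation the quoted paragraph describes. The names `drop_privileges`, `count_leftover_groups` and `MAX_GROUPS` and the sample group IDs are constructed for illustration.

```c
/* Added illustration, not nbd-server code. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 1024 /* assumption: large enough for this sketch */

/* Count groups in have[] that are neither `primary` nor listed in allowed[]. */
int count_leftover_groups(const gid_t *have, int nhave, gid_t primary,
                          const gid_t *allowed, int nallowed)
{
    int leftover = 0;
    for (int i = 0; i < nhave; i++) {
        int ok = (have[i] == primary);
        for (int j = 0; j < nallowed && !ok; j++)
            ok = (have[i] == allowed[j]);
        leftover += !ok;
    }
    return leftover;
}

/* Switch to pw's identity: supplementary groups first, then GID, then UID
 * (after setuid() the process may no longer change its groups).
 * Returns 0 only if no inherited group survived the switch. */
int drop_privileges(const struct passwd *pw)
{
    gid_t allowed[MAX_GROUPS], have[MAX_GROUPS];
    int nallowed = MAX_GROUPS, nhave;

    if (getgrouplist(pw->pw_name, pw->pw_gid, allowed, &nallowed) < 0) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if ((nhave = getgroups(MAX_GROUPS, have)) < 0) return -1;
    return count_leftover_groups(have, nhave, pw->pw_gid, allowed, nallowed) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: group list inherited from a root-started daemon
     * versus the target account's own groups. */
    const gid_t inherited[] = {0, 4, 6, 10}, own[] = {1001};
    printf("setuid/setgid only: %d leftover\n",
           count_leftover_groups(inherited, 4, 1001, own, 1));
    printf("after initgroups:   %d leftover\n",
           count_leftover_groups(own, 1, 1001, own, 1));
    return 0;
}
```

`drop_privileges` needs to start as root to succeed; the audit function can be run unprivileged against the output of `getgroups()` in a running daemon.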