[Zope] setuid, setgid, secondary groups and inheritance

dman dman@dman.ddts.net
Wed, 15 May 2002 19:16:00 -0500



Note: I've crossposted both the debian-user and zope lists because
this issue relates to both.  Do the Right Thing with replies (and I
won't complain if I happen to get a duplicate copy one way or
another).


I am using Debian GNU/Linux (x86) with kernel 2.4.18, libc6 2.2.5-6,
and zope 2.5.1-1.

After zope (z2.py) calls setuid() and setgid() to drop its root
privileges the following odd results are seen :
    o   it properly switches to www-data:www-data

    o   it retains the privilege of all the secondary groups root had
        (root and lpadmin)

    o   it does NOT obtain the privilege of any of www-data's
        secondary groups

This can be observed by adding the lines
    print "before"
    os.system( "groups" )

    print "after"
    os.system( "groups" )
around the code where the setuid/setgid calls are and watching the
terminal that zope is started from.

The effect this had was to make roundup not work.  I've temporarily
worked around this by adding root to the 'rsupport' group (which
www-data is already in).


Does anyone know why zope would display the above misbehavior with
respect to group membership?  I think it is a bug somewhere, but I
don't know where (or how to solve it).

TIA!
-D

-- 

"...the word HACK is used as a verb to indicate a massive amount
of nerd-like effort."  -Harley Hahn, A Student's Guide to Unix
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
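
Added example, not part of the original message and not Zope's own code: setuid() and setgid() leave the supplementary group list untouched, and only setgroups() or initgroups() replaces it, so a complete drop from root sets the list first and then verifies the result. The gids in the sample table, the `osmod` parameter and all function names are assumptions made for illustration.

```python
import os

# Constructed sample data (gids are made up): (group name, gid, members).
SAMPLE_GROUPS = [
    ("root", 0, ["root"]),
    ("lpadmin", 107, ["root"]),
    ("www-data", 33, []),
    ("rsupport", 1001, ["www-data"]),
]


def wanted_groups(user, primary_gid, group_db):
    """Gids the user should hold: the primary gid plus every group listing it."""
    gids = {primary_gid}
    gids.update(gid for _name, gid, members in group_db if user in members)
    return sorted(gids)


def audit_groups(current, wanted):
    """Return (inherited, missing): gids kept from the parent, gids never gained."""
    current, wanted = set(current), set(wanted)
    return sorted(current - wanted), sorted(wanted - current)


def drop_privileges(uid, gid, groups, osmod=os):
    """Drop from root to uid:gid with exactly `groups` as supplementary groups.

    `osmod` is a hypothetical injection point so the sequence can be exercised
    without root; by default the real os module is used.
    """
    # setgroups() and setgid() need root, so they must run before setuid().
    osmod.setgroups(groups)  # replaces the list inherited from root
    osmod.setgid(gid)
    osmod.setuid(uid)
    # Verify instead of assuming: fail closed if anything is left over.
    inherited, missing = audit_groups(osmod.getgroups(), groups)
    if osmod.getuid() != uid or osmod.getgid() != gid or inherited or missing:
        raise RuntimeError("privilege drop incomplete: inherited=%s missing=%s"
                           % (inherited, missing))
    # Regaining root must be impossible once the drop is done.
    try:
        osmod.setuid(0)
    except OSError:
        return groups
    raise RuntimeError("setuid(0) succeeded after drop")
```

On a real system os.initgroups(username, gid) performs the group database lookup and the setgroups() call in one step.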

