[python-daemon-Bugs][315239] ‘os.initgroups’ fails with PermissionError
    python-daemon-bugs at alioth.debian.org 
    python-daemon-bugs at alioth.debian.org
       
    Sat Jan 30 03:28:36 UTC 2016
    
    
  
python-daemon-Bugs item #315239 was changed at 2016-01-30 14:28 by Ben Finney
You can respond by visiting: 
https://alioth.debian.org/tracker/?func=detail&atid=413098&aid=315239&group_id=100328
>Status: Closed
Priority: 3
Submitted By: Adrian M (thiefmaster-guest)
Assigned to: Ben Finney (bignose-guest)
Summary: ‘os.initgroups’ fails with PermissionError 
Initial Comment:
The use of ‘os.initgroups’ fails on Linux when the calling process does not have the ‘CAP_SETGID’ process capability.
Typically, this fails when running without root privileges (which is a perfectly valid use case), raising a PermissionError exception.
----------------------------------------------------------------------
>Comment By: Ben Finney (bignose-guest)
Date: 2016-01-30 14:28
Message:
> Since unconditionally setting the process owner has been fine in all earlier versions, I won't make it conditional now.
> Instead I'll change the default for the ‘initgroups’ option, to depend on whether the current process owner is the superuser.
Examining the use cases, I have decided to simply switch the default. Any daemon wanting to use ‘initgroups’ can explicitly set the option, and in the absence of correct permissions the failure will be more immediately understandable.
The ‘initgroups’ option now defaults to False (don't use ‘os.initgroups’) in ‘python-daemon’ 2.1.1.
----------------------------------------------------------------------
Comment By: Ben Finney (bignose-guest)
Date: 2015-12-12 11:17
Message:
> I've pushed a fix for this which checks the uid and euid before trying to change the uid and checks the gid and egid before trying to change the gid.
Thanks for the suggestion.
I am inclined to fix this differently. Since unconditionally setting the process owner has been fine in all earlier versions, I won't make it conditional now.
Instead I'll change the default for the ‘initgroups’ option, to depend on whether the current process owner is the superuser.
----------------------------------------------------------------------
Comment By: Ben Finney (bignose-guest)
Date: 2015-12-12 10:48
Message:
> Since version 2.1, python-daemon always tries to setuid+setgid even if no uid change is necessary.
That has been the case since the beginning; opening the daemon context unilaterally seeks to set the process owner GID and UID).
> This kind of breaking change
So, it isn't a change that the process owner is unconditionally set.
What is new is:
> this happens only with `initgroups=True` which didn't exist before.
which is new in version 2.1.
----------------------------------------------------------------------
Comment By: Justin Patrin (papercrane-guest)
Date: 2015-12-12 08:44
Message:
I've pushed a fix for this which checks the uid and euid before trying to change the uid and checks the gid and egid before trying to change the gid.
https://code.launchpad.net/~reversefold/python-daemon/trunk
----------------------------------------------------------------------
Comment By: Justin Patrin (papercrane-guest)
Date: 2015-12-11 12:39
Message:
+1, also seeing this issue
----------------------------------------------------------------------
Comment By: Adrian M (thiefmaster-guest)
Date: 2015-11-29 01:29
Message:
After having a closer look: this happens only with `initgroups=True` which didn't exist before. Maybe it would be better to make it default to `False`?
----------------------------------------------------------------------
You can respond by visiting: 
https://alioth.debian.org/tracker/?func=detail&atid=413098&aid=315239&group_id=100328
    
    
More information about the python-daemon-bugs
mailing list