On 11.10.2018 10:08, Heiko W. Rupp wrote:
> On Thu, Oct 11, 2018 at 09:51:34AM +0300, Aki Tuomi wrote:
>>> Looking at the source, I see this is handled in src/lib/restrict-access.c::fix_groups_list(), where above the call to setgroups() a gid_list2 is constructed. I wonder if one could have a config option to prevent adding all those extra groups, which then make the call to setgroups() fail.
>> Not trivially. We would need to know which groups to drop and which not.
> Looking at id output
> id uid=501(hwr) gid=20(staff) groups=20(staff),6(mail),12(everyone),61(localaccounts),80(admin),98(_lpadmin),500(users),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),30(_keytabusers),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),103(com.apple.access_screensharing-disabled),104(com.apple.access_ssh-disabled)
> it seems that all the com.apple ones can easily be dropped. What about a config list that the admin can set with a list of gids that can be dropped / are not added to gid_list2?
> Heiko
Maybe. Have to see when we can implement it though. It could probably leverage the min/max_gid setting.
Aki
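As an added illustration (not Dovecot's code, and not written by either poster): one way the suggested gid filter could look, assuming a hypothetical min/max gid range setting and made-up function names. It drops gids outside the range and caps the list at the kernel's NGROUPS_MAX before calling setgroups(), so an oversized group list like the macOS one above cannot make the call fail.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Keep only gids within [min_gid, max_gid] and never more than out_max of
 * them; returns how many were copied to out. Names here are hypothetical,
 * not Dovecot's. */
size_t filter_gid_list(const gid_t *in, size_t n, gid_t min_gid, gid_t max_gid,
                       gid_t *out, size_t out_max)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < out_max; i++) {
        if (in[i] >= min_gid && in[i] <= max_gid)
            out[kept++] = in[i];
    }
    return kept;
}

/* Filter, then cap at the kernel limit so setgroups() cannot fail with EINVAL
 * from an oversized list. Returns 0 on success, -1 with errno set (EPERM when
 * not running as root). */
int apply_filtered_groups(const gid_t *in, size_t n, gid_t min_gid, gid_t max_gid)
{
    long limit = sysconf(_SC_NGROUPS_MAX);
    if (limit <= 0) limit = 16;       /* conservative fallback */
    if (limit > 1024) limit = 1024;   /* bound of the local buffer */
    gid_t out[1024];
    size_t kept = filter_gid_list(in, n, min_gid, max_gid, out, (size_t)limit);
    return setgroups(kept, out);
}

int main(void)
{
    /* Constructed sample: the 17 gids from the id output quoted in the thread. */
    const gid_t sample[] = {20, 6, 12, 61, 80, 98, 500, 701, 702, 30, 33, 100,
                            204, 250, 395, 103, 104};
    gid_t out[64];
    size_t kept = filter_gid_list(sample, 17, 1, 500, out, 64);
    printf("kept %zu of 17 groups after dropping gids outside 1..500\n", kept);
    if (apply_filtered_groups(sample, 17, 1, 500) != 0)
        perror("setgroups");          /* EPERM unless run as root */
    return 0;
}
```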