[Zope] supplemental group ids (Linux)

Kip Rugger rugger@pangea.ca
4 Sep 2000 15:31:25 -0500


I noticed when starting Zope as root (to get privilaged ports),
but requesting suid to `nobody' (start -u nobody) the resulting
processes have the correct uid and gid, but the supplemental
group id list still has the appropriate value for root.  This
means that the Zope process could, for example, write to files
that may belong to root.

It's not clear whether this deserves a bug report, so I though
I'd ask here instead.


The fix is easy (and very lightly tested):

1) grab and install the supplemental gid package (for python)
   http://www.ccraig.org/software/group.c

2) patch (for 2.2.0)

--- z2.py.orig	Fri Jun 30 10:23:53 2000
+++ z2.py	Mon Sep  4 14:33:51 2000
@@ -682,13 +682,20 @@
         if type(UID) == type(""):
             uid = pwd.getpwnam(UID)[2]
             gid = pwd.getpwnam(UID)[3]
+            uname = UID
         elif type(UID) == type(1):
             uid = pwd.getpwuid(UID)[2]
             gid = pwd.getpwuid(UID)[3]
+            uname = pwd.getpwuid(UID)[1]
         else:
             raise KeyError 
         try:
             if gid is not None:
+                try:
+                    import group
+                    group.initgroups(uname, gid)
+                except:
+                    pass
                 try:
                     os.setgid(gid)
                 except OSError: