initgroups erroneously not defined on macOS #2069

Open
Elizafox opened this issue Jul 8, 2023 · 4 comments

@Elizafox

Elizafox commented Jul 8, 2023

Hello,

For some reason, nix::unistd::initgroups is explicitly not defined for macOS, with no incorrect justification in the docs:

nix/src/unistd.rs, line 1782 in 75a26cd:

target_os = "macos",

This is strange, because the API definitely exists.

I'm unsure if it exists on iOS; I imagine it does, although in most cases it wouldn't be useful (except perhaps for jailbroken systems). But that's probably a separate issue.

@Elizafox
Author

Elizafox commented Jul 8, 2023

Okay, I dug through the history and docs, and saw that it said:

"Note: This function is not available for Apple platforms. On those platforms, group membership management should be achieved via communication with the opendirectoryd service."

This is erroneous for this function. OpenDirectory is just for querying the directory. It cannot manage the groups of the process.

This also breaks a lot of daemons that use it to drop privileges, that should otherwise work, for no good reason.
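The drop sequence such daemons rely on, as an added example that is not part of this thread or of nix: it binds libc's `initgroups`, `setgid` and `setuid` directly instead of going through `nix::unistd`. The names `drop_privileges`, `DropError` and `check`, and the constructed `nobody`/65534 target, are assumptions of the example.

```rust
use std::ffi::CString;
use std::io;
use std::os::raw::{c_char, c_int};

// Raw libc bindings. Assumption: uid_t/gid_t are 32 bits wide (true on Linux
// and macOS; macOS declares initgroups' second argument as int, same ABI).
extern "C" {
    fn initgroups(user: *const c_char, group: u32) -> c_int;
    fn setgid(gid: u32) -> c_int;
    fn setuid(uid: u32) -> c_int;
}

#[derive(Debug, PartialEq)]
pub enum DropError {
    BadTarget(&'static str),
    Syscall(&'static str, io::ErrorKind), // which call failed, and the errno kind
    StillPrivileged,
}

// Turn a 0 / -1 libc return value into a Result that names the failing call.
fn check(ret: c_int, call: &'static str) -> Result<(), DropError> {
    if ret == 0 {
        return Ok(());
    }
    Err(DropError::Syscall(call, io::Error::last_os_error().kind()))
}

/// Drop from root to `user`; the caller has already looked up `uid` and `gid`.
pub fn drop_privileges(user: &str, uid: u32, gid: u32) -> Result<(), DropError> {
    if uid == 0 || gid == 0 {
        return Err(DropError::BadTarget("target uid/gid must not be 0"));
    }
    let name = CString::new(user).map_err(|_| DropError::BadTarget("NUL byte in user name"))?;
    unsafe {
        // 1. Replace root's inherited supplementary groups. Only root may do
        //    this, so it has to happen before the uid changes.
        check(initgroups(name.as_ptr(), gid), "initgroups")?;
        // 2. Primary group next, still as root.
        check(setgid(gid), "setgid")?;
        // 3. The uid goes last; afterwards the group list can no longer be changed.
        check(setuid(uid), "setuid")?;
        // 4. Confirm the drop is permanent: regaining uid 0 must fail.
        if setuid(0) == 0 {
            return Err(DropError::StillPrivileged);
        }
    }
    Ok(())
}

fn main() {
    // Constructed target. Run unprivileged, this reports the initgroups failure.
    println!("{:?}", drop_privileges("nobody", 65534, 65534));
}
```

Skipping step 1 is the failure mode the missing binding invites: the process changes uid and gid but keeps root's supplementary groups, including group 0.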

@asomers
Member

asomers commented Jul 15, 2023

I don't know enough about OSX to answer your question. @JayH5 can you and @Elizafox figure out how setgroups, getgrouplist, and initgroups are really supposed to work on OSX?

@SteveLauC
Member

That erroneous comment comes from this commit, which is a part of #733. I looked through that PR and didn't find anything related to this wrong comment. I think we should update it given that it is not correct.

For these functions, if we accept their weird behaviors (see this question: getgroups() on macOS is not returning all the supplementary groups, but instead just the primary group), then we should expose them. Gentle ping on @Elizafox again: I am curious how you would use these functions?

As a reference:

Looks like setgroups(2) behaves in the same way as other UNIX implementations, though the manual explicitly says:

"Use of setgroups() is highly discouraged."

without giving any reason or alternatives.

@SteveLauC
Member

This Python doc has some information on this: https://docs.python.org/3/library/os.html
