Bug 902479

Summary: supermin-helper doesn't set supplemental groups
Product: Red Hat Enterprise Linux 7 Reporter: Richard W.M. Jones <rjones>
Component: superminAssignee: Richard W.M. Jones <rjones>
Status: CLOSED CURRENTRELEASE QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: bfan, leiwang, lkong, rjones, wshi
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: supermin-4.1.1-2.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 902476 Environment:
Last Closed: 2014-06-13 09:55:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 902476    
Bug Blocks:    

Description Richard W.M. Jones 2013-01-21 18:35:26 UTC 
+++ This bug was initially created as a clone of Bug #902476 +++

Description of problem:

febootstrap-supermin-helper has the -g option on the command
which sets the group that it runs under.  However it does not
set supplemental groups.

For comparison see the work done on vhostmd:
https://bugzilla.redhat.com/show_bug.cgi?id=741289

(Reported by Steve Grubb)

Version-Release number of selected component (if applicable):

febootstrap 3.20
Comment 2 Richard W.M. Jones 2013-07-29 07:53:45 UTC 
Note that febootstrap has been renamed to supermin, and
the helper program has been renamed to 'supermin-helper'.

This bug is fixed in supermin-helper.
Comment 3 Richard W.M. Jones 2013-07-29 10:46:08 UTC 
Steps to reproduce the bug:

(1) You may have to do:

# echo 3 > /proc/sys/vm/drop_caches 

otherwise supermin-helper may run too quickly(!)

(2) In first window, run supermin-helper *as root* like this:

supermin-helper -u 36 -g 36 -f checksum /usr/lib64/guestfs/supermin.d `uname -m`

(3) In second window, run this command *as root*:

# egrep '^(Uid|Gid|Groups)' /proc/`pidof supermin-helper`/status

If the bug is reproduced, you'll see something like this:

Uid:	36	36	36	36
Gid:	36	36	36	36
Groups:	0

The important point is that group 0 (root) has leaked into
supermin-helper.  It should not be there.

If the bug is fixed, you'll see something like:

Uid:	36	36	36	36
Gid:	36	36	36	36
Groups:	36 

There are no root groups being leaked into the Groups line.

Notes:

* Step (2) may run very quickly (it's supposed to).  Dropping caches
may slow it down a bit.

* There is no version of 'supermin-helper' which ever
exhibited this bug.  This bug only occurred in the previous
version which was called 'febootstrap-supermin-helper'.
Comment 4 bfan 2013-07-30 02:29:00 UTC 
Richard,
Thanks for your steps, I can reproduce it with supermin-4.1.1-1.el7.x86_64,

[Windows 1]
[root@]# echo 3 > /proc/sys/vm/drop_caches 
[root@]# supermin-helper -u 36 -g 36 -f checksum /usr/lib64/guestfs/supermin.d `uname -m`
dd6ee9a002e827f30f2d3aa1c5106cdd294bf7dd8692c78dca84e91c2d5dad03

[Windows 2]
[root@]# egrep '^(Uid|Gid|Groups)' /proc/`pidof supermin-helper`/status
Uid:	36	36	36	36
Gid:	36	36	36	36
Groups:	36
Comment 5 Lingfei Kong 2014-01-23 07:53:15 UTC 
Verify with supermin-4.1.4-2.el7
Steps to verify:
[tty1]
[host-a]#echo 3 > /proc/sys/vm/drop_caches
[host-a]#supermin-helper -u 36 -g 36 -f checksum /usr/lib64/guestfs/supermin.d `uname -m`
99522d975c542686af6ed770910578502ca5af25ebd81ebae07531fd7913db22

[tty2]
[host-a]#egrep '^(Uid|Gid|Groups)' /proc/`pidof supermin-helper`/status
Uid:    36      36      36      36
Gid:    36      36      36      36
Groups: 36 

The value of 'Gid' and 'Groups' is 36 which is the requested value. So, bug is fixed.
Comment 6 Ludek Smid 2014-06-13 09:55:49 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.