[Zope] supplemental group ids (Linux)

Bill Anderson bill@libc.org
Wed, 06 Sep 2000 19:05:06 -0600

Kip Rugger wrote:
> >OK, something is not quite right here.
> >On my unmodified zope, it is properly 'sandboxed'. Perhaps it is the use of
> >the explicit '-u nobody'? I don't do that on
> >my system, which causes Zope to run as nobody implicitly.
> >
> >(When started as root, unless told otherwise, zope will switch to nobody).
> >
> >Try running without the '-u nobody' switch, and see what happens. Just out of
> >curiosity.
> No difference.
> I think the point is that Zope does not make any initgroups(3) calls;
> this will be a problem if the particular system needs it.
> I have two such systems:
>     Linux 2.2.16 + glibc-2.1.2
>     NetBSD 1.4


> Under this hypothesis, my question is how could _your_ system work?
> Why is it that you don't have the original primary gid lingering in
> the supplemental list?

Not sure. Here is my setup:
glibc  2.1.3
Kernel 2.2.15
heavily modified Redhat 6.2 base.

Perhaps it is the kernel? I also have a 2.2.16  (2.1.3 glibc) kernelled machine which exhibits the behavior you see on

I can try it on a 2.2.4test6 kernel too ...

Do not meddle in the affairs of sysadmins, for they are easy to annoy,
and have the root password.
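
The behaviour discussed in this thread, as an added example that is not part of the original message and not Zope's own code: a privilege drop that resets the supplementary group list with initgroups before changing gid and uid, plus a check that reads the `Groups:` line of a `/proc/<pid>/status` dump and reports gids left over from the starting account. The function names, the uid/gid 99 for nobody, and both status samples are constructed for illustration.

```python
import os
import pwd

def drop_privileges(username):
    """Switch from root to `username`, resetting supplementary groups first."""
    pw = pwd.getpwnam(username)
    os.initgroups(username, pw.pw_gid)  # replaces root's supplementary list; needs root
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)                # last step: group changes are refused afterwards

def parse_status(text):
    """Extract effective uid/gid and supplementary gids from /proc/<pid>/status text."""
    ids = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid"):
            ids[key] = int(value.split()[1])   # fields: real, effective, saved, fs
        elif key == "Groups":
            ids[key] = {int(g) for g in value.split()}
    return ids

def lingering_groups(status_text, allowed_gids):
    """Supplementary gids the process holds beyond those the target account should have."""
    ids = parse_status(status_text)
    return sorted(ids.get("Groups", set()) - set(allowed_gids))

# Constructed sample: uid and gid changed to 99, supplementary list never reset.
SAMPLE_NO_INITGROUPS = (
    "Name:\tpython\n"
    "Uid:\t99\t99\t99\t99\n"
    "Gid:\t99\t99\t99\t99\n"
    "Groups:\t0 1 2 3 4 6 10\n"
)
# Constructed sample: same switch after initgroups for the target account.
SAMPLE_WITH_INITGROUPS = (
    "Name:\tpython\n"
    "Uid:\t99\t99\t99\t99\n"
    "Gid:\t99\t99\t99\t99\n"
    "Groups:\t99\n"
)

if __name__ == "__main__":
    for label, sample in (("no initgroups", SAMPLE_NO_INITGROUPS),
                          ("with initgroups", SAMPLE_WITH_INITGROUPS)):
        print(label, "-> lingering gids:", lingering_groups(sample, {99}))
```

To check a live process, pass the contents of `/proc/<pid>/status` and the set of gids the service account is actually a member of.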