Globally refreshing new group membership - would be needed after some package installations
Christian Ehrhardt
christian.ehrhardt at canonical.com
Thu Aug 2 11:16:04 UTC 2018
Hi,
In certain cases package installations will have to set up new groups,
mostly for access management.
Examples are:
- libvirt to access /var/run/libvirt/libvirt-sock
- lxd to access /var/lib/lxd/unix.socket
- ... also sometimes accessing files, but you get the pattern
Since logins stay as-is in regard to groups, users have to re-login to pick
up those permissions and be able to use the tools.
That is often mitigated by:
- package being preinstalled, so no one realizes the issue
- people deploy a system + set up a recipe automatically and only then log
in
But then there are certain cases which just "feel" bad - a.k.a: "why can't
it just work after being installed".
Yes a user can easily open a new terminal or kick su/newgrp/... manually
!IF! they know what to do.
The next thing that comes to mind is echoing something on install, but who
reads those messages - not worth the effort IMHO.
Finally none of these commonly discussed options [1][2][3] will be
appropriate to be run from a maintainer-script IMHO.
Nor would they fixup the Graphical UI that represents a login as well.
Please get me right, I have every now and then seen issues of "this kind"
and they are often not a big deal - so triage all of those ->wishlist and
ignore them, not really.
But I find it annoying since we spent so much to make Ubuntu easy to
consume and having such rough edges left.
I was wondering if there is a common pattern to resolve this that might
just be unknown to me yet and that I could use in packaging.
OTOH I can already feel the security concerns and bad side effects of
"global group membership refreshes"
And if there would be a common pattern that really works well - we should
probably think of a single dh_group_refresh or something like it instead of
per package fixes.
I'm afraid there is no such mechanism, but wanted at least to ask instead
of giving up prematurely.
[1]:
https://superuser.com/questions/272061/reload-a-linux-users-group-assignments-without-logging-out
[2]:
https://serverfault.com/questions/74934/refresh-supplementary-group-memberships-without-logging-in-again
[3]:
https://unix.stackexchange.com/questions/18796/how-to-apply-changes-of-newly-added-user-groups-without-needing-to-reboot
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20180802/99eb47c8/attachment.html>
More information about the ubuntu-devel
mailing list