Hello.
I am trying to use Process::GID.change_privilege to get a root process
to assume the full group permissions of a specified user. However, it
seems that the process does not assume the proper group permissions of
the new group.
Consider the following scenario (running on Linux CentOS 5):
- I have a normal user account ‘scott’ with UID = GID = 502. This user
belongs to two groups (‘scott’ and ‘testdev’), which can be seen as
follows:
[scott@localhost ~]$ irb
irb(main):001:0> `groups`
=> "scott testdev\n"
irb(main):002:0>
- Now, when I run the ruby interpreter as root and attempt to switch to
user 502, I get the following output:
[root@localhost ~]# irb
irb(main):001:0> `groups`
=> "root bin daemon sys adm disk wheel\n"
irb(main):002:0> Process::GID.change_privilege(502)
=> 502
irb(main):003:0> Process::UID.change_privilege(502)
=> 502
irb(main):004:0> `groups`
=> "scott root bin daemon sys adm disk wheel\n"
irb(main):005:0>
- Notice here how the process has correctly assumed the privileges of
group ‘scott’, but is missing the ‘testdev’ group.
- Also, why does the process still have all the root user group
privileges too? Should they not have been revoked?
Note: if I do the same thing using shell commands I get the correct
result as expected:
[root@localhost ~]# groups
root bin daemon sys adm disk wheel
[root@localhost ~]# su - scott
[scott@localhost ~]$ groups
scott testdev
[scott@localhost ~]$
Can anyone please explain why this doesn’t work as expected? How can I
achieve this desired outcome with ruby?
Thanks
Scott
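
Added example, not part of the original post: Process::GID.change_privilege sets only the real, effective and saved GID, while the supplementary group list is separate and is replaced with Process.initgroups, so a full drop from root calls initgroups, then the GID change, then the UID change. The helper names drop_privileges and verify_drop! and the proc_api/etc_api parameters are hypothetical (the parameters exist so the order can be checked without root), and a Ruby with keyword arguments (2.0 or later) is assumed.

```ruby
require 'etc'

# Drop from root to `username`, including supplementary groups.
# proc_api / etc_api default to the real Process and Etc modules; they are
# injectable (an assumption of this example) so the logic can run without root.
def drop_privileges(username, proc_api: Process, etc_api: Etc)
  pw = etc_api.getpwnam(username) # raises ArgumentError for an unknown user
  raise 'must start as root' unless proc_api.euid.zero?

  # 1. Replace the supplementary group list while still root. This loads the
  #    user's own groups plus the primary gid and discards root's groups.
  proc_api.initgroups(pw.name, pw.gid)
  # 2. Set real, effective and saved GID. This must come before the UID
  #    change, because afterwards the process may no longer change groups.
  proc_api::GID.change_privilege(pw.gid)
  # 3. Set real, effective and saved UID last.
  proc_api::UID.change_privilege(pw.uid)

  verify_drop!(pw, proc_api)
end

# Confirm the drop took effect and return the sorted supplementary gids.
def verify_drop!(pw, proc_api)
  ids_ok = [proc_api.uid, proc_api.euid] == [pw.uid, pw.uid] &&
           [proc_api.gid, proc_api.egid] == [pw.gid, pw.gid]
  raise 'uid/gid not fully changed' unless ids_ok

  # Regaining root must fail; success means a saved ID was left behind.
  regained = begin
    proc_api::UID.change_privilege(0)
    true
  rescue Errno::EPERM
    false
  end
  raise 'root can still be regained' if regained

  proc_api.groups.sort
end
```

Run as root, drop_privileges('scott') returns the numeric gids the process now holds, which can be compared with the output of `id -G scott`.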