Super User Asked by Ruben on October 4, 2020
I have a systemd user service which needs to access a folder owned by a Unix group which is inside another folder owned by another Unix group. "Others" do not even have read access. The user of the systemd service is a member of both these groups and can normally access this folder. However, the systemd service only appears to have the privileges of one of the groups. I have tried the Group= configuration in the service file, but it does not let me select multiple simultaneous groups.
How can I reach these files from within the systemd service?
Update:
The SupplementaryGroups= setting (as suggested by JayEye) is probably the correct answer in most cases, but it does not work in my case. I get
Failed at step GROUP spawning ..... : Operation not permitted
I see the "/lib/systemd/systemd --user" process itself only runs with one group. Maybe what complicates things is that the group memberships in my setup are provided via LDAP and not set in /etc/group?
When booting the computer, the systemd user daemon is started (via lingering) before the group membership information is received from the LDAP server. At this point in time, /etc/group is inspected for group membership instead. The fix is therefore simple: the user has to be added to the extra group also in /etc/group on the local machine.
So if you have root access on the machine, add this to the bottom of /etc/group for each extra group needed and restart the computer:
mygroup:x:mygid:myuser
It is important that mygid matches the same GID (group identifier) given by the LDAP server.
In this case, SupplementaryGroups= is actually not necessary.
(Without the "Update:" provided in the question, the answer by @JayEye (https://superuser.com/a/1588291/852516) is probably correct for most people ending up on this question.)
Correct answer by Ruben on October 4, 2020
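The accepted answer hinges on two details that are easy to get wrong by hand: the local /etc/group entry must carry the same GID the directory service reports, and the user must actually be listed in its member field. The following script is an added example, not code from the thread; it checks both conditions against a group file passed as a parameter (defaulting to /etc/group), and obtains the directory-side GID with getent, which on an LDAP-backed system returns the LDAP value. The group, user and GID names in the usage line are placeholders.

```bash
#!/bin/bash
# Added example (not from the Super User thread): verify that a user's extra
# group exists in the local group file with the GID the name service reports,
# and that the user is listed as a member. A missing or mismatched local entry
# is the situation the accepted answer describes: the user manager starts
# before LDAP group membership is available and only sees /etc/group.

# local_group_gid GROUP [GROUPFILE]
# Prints the GID recorded for GROUP in GROUPFILE (default /etc/group);
# prints nothing and returns 1 if GROUP has no local entry.
local_group_gid() {
    local group="$1" groupfile="${2:-/etc/group}"
    awk -F: -v g="$group" '$1 == g { print $3; found = 1 } END { exit !found }' "$groupfile"
}

# local_group_has_member GROUP USER [GROUPFILE]
# Returns 0 if USER appears in the comma-separated member field of GROUP.
local_group_has_member() {
    local group="$1" user="$2" groupfile="${3:-/etc/group}"
    awk -F: -v g="$group" -v u="$user" '
        $1 == g {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { exit !found }' "$groupfile"
}

# nss_group_gid GROUP
# Prints the GID the name service (LDAP included, if configured) returns for
# GROUP via getent; returns non-zero if the group is unknown.
nss_group_gid() {
    getent group "$1" | cut -d: -f3 | grep .
}

# check_local_group GROUP EXPECTED_GID USER [GROUPFILE]
# Exit status: 0 = local entry matches; 1 = no local entry;
# 2 = local GID differs from EXPECTED_GID; 3 = USER is not a listed member.
check_local_group() {
    local group="$1" expected_gid="$2" user="$3" groupfile="${4:-/etc/group}"
    local local_gid
    if ! local_gid=$(local_group_gid "$group" "$groupfile"); then
        echo "$group: no entry in $groupfile" >&2
        return 1
    fi
    if [ "$local_gid" != "$expected_gid" ]; then
        echo "$group: local GID $local_gid differs from directory GID $expected_gid" >&2
        return 2
    fi
    if ! local_group_has_member "$group" "$user" "$groupfile"; then
        echo "$group: $user is not listed as a member in $groupfile" >&2
        return 3
    fi
    echo "$group: local entry ok (GID $local_gid, member $user)"
    return 0
}

# Usage on a live system (mygroup and myuser are placeholders):
#   check_local_group mygroup "$(nss_group_gid mygroup)" myuser
```

Run it before rebooting, once for each extra group the service needs; a status of 2 means the hand-written line in /etc/group does not match the GID the LDAP server hands out, which is the mismatch the answer warns about.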
https://freedesktop.org/software/systemd/man/systemd.exec.html#SupplementaryGroups
Example:
[Unit]
Description=Foobar service
After=network.target
[Service]
Type=oneshot
RemainAfterExit=no
# Keep the real /tmp so the output file is visible to the user afterwards
PrivateTmp=false
WorkingDirectory=/tmp
# Group names or numeric GIDs, space-separated: 0 = root, 1 = daemon
SupplementaryGroups=0 1 adm
ExecStart=/bin/bash -c 'groups >> /tmp/foobargroups'
ExecReload=/bin/bash -c 'groups >> /tmp/foobargroups'
[Install]
WantedBy=multi-user.target
Start it; then you'll see "root daemon adm" in /tmp/foobargroups
Answered by JayEye on October 4, 2020
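The answer's example lists groups as a mix of numeric GIDs and names, and reports them back as names. The script below is an added example, not JayEye's code; it extracts the SupplementaryGroups= value from a unit file and resolves each entry against a group file the way the service will see it, so an entry that does not resolve (which systemd would reject when spawning the service) is reported before the unit is started. The group file path is a parameter so the check can run against a constructed file; on a live system leave it at the default /etc/group.

```bash
#!/bin/bash
# Added example (not from the Super User thread): resolve each entry of a
# SupplementaryGroups= value to a group name. systemd accepts both group
# names and numeric GIDs; `groups` prints names, which is why "0 1 adm"
# shows up as "root daemon adm" in the answer above.

# unit_supplementary_groups UNITFILE
# Prints the space-joined values of all SupplementaryGroups= lines in UNITFILE.
unit_supplementary_groups() {
    sed -n 's/^[[:space:]]*SupplementaryGroups=//p' "$1" | paste -s -d ' ' -
}

# resolve_group ENTRY [GROUPFILE]
# Prints the group name for ENTRY, which may be a name or a numeric GID.
# Returns 1 if the group file has no such group.
resolve_group() {
    local entry="$1" groupfile="${2:-/etc/group}"
    case "$entry" in
        ''|*[!0-9]*)
            # Non-numeric: look the name up directly
            awk -F: -v g="$entry" '$1 == g { print $1; found = 1 } END { exit !found }' "$groupfile" ;;
        *)
            # Numeric GID: print the first group carrying that GID
            awk -F: -v id="$entry" '$3 == id { print $1; found = 1; exit } END { exit !found }' "$groupfile" ;;
    esac
}

# resolve_supplementary_groups "VALUE" [GROUPFILE]
# Prints the resolved names in order, space-separated, or returns 1 on the
# first entry that does not resolve (the case that fails the unit at step GROUP).
resolve_supplementary_groups() {
    local value="$1" groupfile="${2:-/etc/group}" entry name out=""
    for entry in $value; do
        if ! name=$(resolve_group "$entry" "$groupfile"); then
            echo "unknown group '$entry' in SupplementaryGroups=" >&2
            return 1
        fi
        out="${out:+$out }$name"
    done
    echo "$out"
}

# Usage (foobar.service is a placeholder path):
#   resolve_supplementary_groups "$(unit_supplementary_groups /etc/systemd/system/foobar.service)"
```

For a user service the same check applies, with the caveat from the question's update: the user manager can only hand out groups it already holds, so the names also need to resolve from /etc/group at boot, not only through LDAP.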