Add zuul supplementary groups before setgid/setuid
When zuul-executor drops root privileges, look up the list of
supplementary groups for the target user. To keep them, make
sure that they are added before calling setgid() and setuid().
Change-Id: I02f724a3fb01b69798681c6f2bbc83852c87246f
diff --git a/zuul/cmd/executor.py b/zuul/cmd/executor.py
index 63c621d..70c80c5 100755
--- a/zuul/cmd/executor.py
+++ b/zuul/cmd/executor.py
@@ -22,6 +22,7 @@
# instead it depends on lockfile-0.9.1 which uses pidfile.
pid_file_module = extras.try_imports(['daemon.pidlockfile', 'daemon.pidfile'])
+import grp
import logging
import os
import pwd
@@ -101,7 +102,10 @@
if os.getuid() != 0:
return
pw = pwd.getpwnam(self.user)
- os.setgroups([])
+ # get a list of supplementary groups for the target user, and make sure
+ # we set them when dropping privileges.
+ groups = [g.gr_gid for g in grp.getgrall() if self.user in g.gr_mem]
+ os.setgroups(groups)
os.setgid(pw.pw_gid)
os.setuid(pw.pw_uid)
os.umask(0o022)
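Review bot: The `groups = [...]` line builds the list by enumerating `grp.getgrall()`, which can be incomplete where the name service does not enumerate groups (LDAP/SSSD setups commonly disable it), so memberships may be dropped silently. `os.initgroups(self.user, pw.pw_gid)` asks the system for the user's group list directly and could replace both added code lines. Compared with the removed `os.setgroups([])`, the executor now keeps every group the account belongs to after dropping root, so the comment should say which memberships are needed and that the account's groups must be kept minimal. The enclosing method starts outside the hunk.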