How to execute systemd-run with supplementary groups
Environment
Red Hat Enterprise Linux (RHEL) 7, 8
Issue
- We use systemd-run to start the daemon and there are problems with supplementary groups on RHEL 7.
- The daemon is started as root with systemd-run --uid <uid> --gid <gid> <command>, but it ends up with the incorrect supplementary groups.
- Instead of having the groups associated with the given <uid>, it has the groups associated with root.
Resolution
- RHEL 7 and higher (for RHEL 7 this is a workaround; the transient unit itself starts as root and runuser performs the switch to the target user and group):
# systemd-run runuser -u username -g groupname <command>
- RHEL 8 and higher (systemd-run accepts the SupplementaryGroups= property for transient units, so the unit itself runs with the given uid, gid and supplementary gids):
# systemd-run -p SupplementaryGroups="<gid1> <gid2> ... <gidN>" --uid <uid> --gid <gid> <command>
Root Cause
This is a bug currently tracked in Red Hat Bugzilla as BZ 1914791.
Diagnostic Steps
For example, suppose we have the following user and a supplementary group on all RHEL versions:
# grep test /etc/passwd
test:x:1000:1000::/home/test:/bin/bash
# grep abc /etc/group
abc:x:1001:
- RHEL 7: systemd-run rejects the SupplementaryGroups= property for a transient unit:
# systemd-run -p SupplementaryGroups="1001" --uid 1000 --gid 1000 sleep 1000
Unknown assignment SupplementaryGroups=1001.
Failed to create bus message: No such device or address
- RHEL 8: the property is accepted and the unit's main process gets the requested groups (the Groups line of /proc/<pid>/status lists the primary gid 1000 and the supplementary gid 1001):
# systemd-run -p SupplementaryGroups="1001" --uid 1000 --gid 1000 sleep 1000
Running as unit: run-rc7ee1488e5e8422a91ee9ec7b8f83cae.service
# grep ^Groups /proc/$(pgrep sleep)/status
Groups: 1000 1001
# systemctl | grep sleep
run-rc7ee1488e5e8422a91ee9ec7b8f83cae.service loaded active running /usr/bin/sleep 1000
# systemctl status run-rc7ee1488e5e8422a91ee9ec7b8f83cae.service
● run-rc7ee1488e5e8422a91ee9ec7b8f83cae.service - /usr/bin/sleep 1000
   Loaded: loaded (/run/systemd/transient/run-rc7ee1488e5e8422a91ee9ec7b8f83cae.service; transient)
Transient: yes
   Active: active (running) since Sun 2020-12-13 14:18:48 EST; 3min 7s ago
 Main PID: 1430 (sleep)
    Tasks: 1 (limit: 23959)
   Memory: 248.0K
   CGroup: /system.slice/run-rc7ee1488e5e8422a91ee9ec7b8f83cae.service
           └─1430 /usr/bin/sleep 1000

Dec 13 14:18:48 r820 systemd[1]: Started /usr/bin/sleep 1000.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.