The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #12459

Permanent uid change doesn't drop supplementary groups

Added by Anonymous almost 4 years ago. Updated almost 4 years ago.

Status:ClosedStart date:02/06/2012
Priority:NormalDue date:
Assignee:Dominic Maraglia% Done:


Target version:-
Affected Puppet version: Branch:

We've Moved!

Ticket tracking is now hosted in JIRA:


3a. Permanent uid change doesn’t drop supplementary groups

When execute_posix or similar forks and calls SUIDManager’s change_user method, it sets permanent=true to change the real uid instead of the euid (lib/puppet/util.rb:307).

In change_user, a different code path is taken when a permanent change is made, and so the supplementary groups aren’t dropped (lib/puppet/util/suidmanager.rb:121), even if the primary group is set.

3b. Demo

This is really easy:

cat setgid.pp

exec { “/usr/bin/id”: user => “nobody”, group => “nobody”, logoutput => true, }

puppet apply setgid.pp

notice: /Stage[main]//Exec[/usr/bin/id]/returns: uid=99(nobody) gid=99(nobody) groups=99(nobody),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),1004(sshusers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I haven’t produced a patch for this last problem, though it should be easy enough to fix.


#1 Updated by Anonymous almost 4 years ago

  • Branch set to should have a fix for this. It passes the logic check, and has tests, but I have not finished validating that it actually resolves the global problem. It should.

#2 Updated by Jason McKerr almost 4 years ago

  • Assignee set to Deepak Giridharagopal

#4 Updated by Matthaus Owens almost 4 years ago

  • Status changed from Accepted to Closed
  • Private changed from Yes to No

Released in 2.6.14, 2.7.11

Also available in: Atom PDF