initgroups erroneously not defined on macOS
Hello,
For some reason, nix::unistd::initgroups is explicitly not defined for macOS, with ~~no~~ incorrect justification in the docs: https://github.com/nix-rust/nix/blob/75a26cd1e0b44c8d953633ee45cfc189cda7e4d7/src/unistd.rs#L1782
This is strange, because the API definitely exists.
I'm unsure if it exists on iOS; I imagine it does, although in most cases it wouldn't be useful (except perhaps for jailbroken systems). But that's probably a separate issue.
Okay, I dug through the history and docs, and saw that it said:
"Note: This function is not available for Apple platforms. On those platforms, group membership management should be achieved via communication with the opendirectoryd service."
This is erroneous for this function. OpenDirectory is just for querying the directory. It cannot manage the groups of the process.
This also breaks a lot of daemons that use it to drop privileges, which should otherwise work, for no good reason.
I don't know enough about OSX to answer your question. @JayH5 can you and @Elizafox figure out how setgroups, getgrouplist, and initgroups are really supposed to work on OSX?
That erroneous comment comes from this commit, which is part of #733. I looked through that PR and didn't find anything related to this wrong comment. I think we should update it given that it is not correct.
For these functions, if we accept their weird behaviors (see this question: getgroups() on macOS is not returning all the supplementary groups, but instead just the primary group), then we should expose them. Gentle ping on @Elizafox again: I am curious how you would use these functions?
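An added example, not code from this thread or from the nix crate: the privilege-drop sequence the daemons mentioned in the first post rely on (and one answer to the usage question above), written against raw libc bindings because nix offers no initgroups on macOS. Assumptions: uid_t/gid_t are 32-bit, setgroups takes `int` on macOS and `size_t` on Linux, and macOS's `int` gid parameters in getgrouplist are wide enough to share one binding.

```rust
use std::ffi::CString;
use std::io::{self, Error, ErrorKind};
use std::os::raw::{c_char, c_int};

type UidT = u32; type GidT = u32; // uid_t and gid_t are 32-bit on Linux and macOS (assumption)
#[cfg(target_os = "macos")]
type GroupsLen = c_int; // macOS: setgroups(int ngroups, const gid_t *gidset)
#[cfg(not(target_os = "macos"))]
type GroupsLen = usize; // Linux: setgroups(size_t size, const gid_t *list)

unsafe extern "C" {
    fn getuid() -> UidT; fn geteuid() -> UidT; fn getgid() -> GidT; fn getegid() -> GidT;
    // macOS declares the gid parameters as int; same width, so one binding serves both.
    fn getgrouplist(u: *const c_char, g: GidT, gs: *mut GidT, n: *mut c_int) -> c_int;
    fn setgroups(n: GroupsLen, gs: *const GidT) -> c_int;
    fn setgid(g: GidT) -> c_int; fn setuid(u: UidT) -> c_int;
}

/// Supplementary groups of `user` via getgrouplist(3), the lookup initgroups(3) does before
/// setgroups(2). The buffer is grown until the call succeeds, because what `n` holds after
/// a -1 return differs between libcs and is not worth trusting.
pub fn supplementary_groups(user: &str, base_gid: GidT) -> io::Result<Vec<GidT>> {
    let name = CString::new(user).map_err(|e| Error::new(ErrorKind::InvalidInput, e))?;
    let mut groups: Vec<GidT> = vec![0; 16];
    loop {
        let mut n = groups.len() as c_int;
        if unsafe { getgrouplist(name.as_ptr(), base_gid, groups.as_mut_ptr(), &mut n) } != -1 {
            groups.truncate(n as usize);
            return Ok(groups);
        }
        if groups.len() >= 1 << 16 { return Err(Error::new(ErrorKind::Other, "too many groups")); }
        groups.resize(groups.len() * 2, 0);
    }
}

/// Drop from root to `uid`/`gid` in the only order that works: supplementary groups first
/// (setgroups needs root), then the gid, then the uid, which cannot be undone.
pub fn drop_privileges(user: &str, uid: UidT, gid: GidT) -> io::Result<()> {
    if unsafe { geteuid() } != 0 { return Err(Error::new(ErrorKind::PermissionDenied, "not root")); }
    let groups = supplementary_groups(user, gid)?;
    if unsafe { setgroups(groups.len() as GroupsLen, groups.as_ptr()) } != 0 { return Err(Error::last_os_error()); }
    if unsafe { setgid(gid) } != 0 { return Err(Error::last_os_error()); }
    if unsafe { setuid(uid) } != 0 { return Err(Error::last_os_error()); }
    verify_unprivileged(uid, gid)
}

/// Post-drop check a daemon should run: all four ids match and root cannot be regained.
pub fn verify_unprivileged(uid: UidT, gid: GidT) -> io::Result<()> {
    let ids = unsafe { (getuid(), geteuid(), getgid(), getegid()) };
    if ids != (uid, uid, gid, gid) { return Err(Error::new(ErrorKind::Other, format!("ids {:?}", ids))); }
    if uid != 0 && unsafe { setuid(0) } == 0 { return Err(Error::new(ErrorKind::Other, "regained root")); }
    Ok(())
}
```

Note that `verify_unprivileged` is the part worth keeping even if a crate provides the rest: a drop that skips setgroups leaves the process in root's supplementary groups, and a drop that sets the uid before the gid fails silently on the gid step.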
As a reference:
Looks like setgroups(2) behaves in the same way as other UNIX implementations, though the manual explicitly says:
Use of setgroups() is highly discouraged.
without giving any reason or alternatives.
This Python doc has some information on this: https://docs.python.org/3/library/os.html