Serious error in ensure_user_groups (in debian)
jbzdak opened this issue
Jacek Bzdak commented
There is a serious error in the mentioned method.
Here is the implementation (at least the most relevant part):
    for user_group in groups:
        self.execute('usermod -G %s %s' % (user_group, username), stdout=False, sudo=True)
If I call ensure_user_groups('foo', ['group1', 'group2']), the following statements would be called:
    usermod -G group1 foo
    usermod -G group2 foo
While man usermod states:
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
...
If the user is currently a member of a group which is not listed, the user will be removed from the group. This behaviour can be changed via the -a option, which appends the user to the current supplementary group list.
So this would result in foo being a member of group1, as usermod -G group2 foo would remove foo from group1.
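The sketch below is an added example, not code from the project or from the issue author. It models the quoted man-page semantics of `-G` and `-a -G` on an in-memory set and compares the per-group loop with two single-call forms; each plain `-G` call replaces the list, so only the groups named in the last call remain. The function names, the starting group `sudo` and the simulation itself are assumptions made for illustration, and nothing here runs `usermod`.

```python
import shlex


def buggy_commands(username, groups):
    """Per-group loop from the issue: one `usermod -G` call per group."""
    return ['usermod -G %s %s' % (g, username) for g in groups]


def replace_commands(username, groups):
    """One call with the full comma-separated list (replaces the whole set)."""
    return ['usermod -G %s %s' % (','.join(groups), username)]


def append_commands(username, groups):
    """One call with -a, which keeps the groups the user already has."""
    return ['usermod -a -G %s %s' % (','.join(groups), username)]


def simulate(commands, initial=()):
    """Apply the man-page semantics of -G / -a -G to an in-memory group set.

    Constructed model for illustration only; it does not execute anything.
    """
    members = set(initial)
    for command in commands:
        args = shlex.split(command)
        listed = set(args[args.index('-G') + 1].split(','))
        if '-a' in args:
            members |= listed   # -a: append to the current supplementary list
        else:
            members = listed    # no -a: groups not listed are removed
    return members


if __name__ == '__main__':
    groups = ['group1', 'group2']
    for build in (buggy_commands, replace_commands, append_commands):
        cmds = build('foo', groups)
        # 'sudo' is a constructed pre-existing membership.
        print(build.__name__, cmds, sorted(simulate(cmds, initial=['sudo'])))
```

Which single-call form is appropriate depends on whether the method is meant to set the exact group list or only to add to it; the plain `-G` form also drops memberships the caller did not list.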