--user (and --gid) loses additional group memberships of user according to /etc/group
What's going wrong?
If using --user foo, the process runs as [uid=foo] [gid=foo] with no extra group memberships, even if the user is in additional groups according to /etc/group.
E.g. I had the following: a user 'verdaccio' (NPM repo) that I had also added to the www-data group so that it could read an htpasswd-format file also used by subversion:
root@eu-w-code:/home/verdaccio# cat /etc/group | grep verdaccio
www-data:x:33:verdaccio
verdaccio:x:1009:
root@eu-w-code:/home/verdaccio# ls -ld /etc/subversion/svnusers
-rw-r----- 1 root www-data 914 Oct 4 11:29 /etc/subversion/svnusers
If I install verdaccio with pm2 start "id; /usr/bin/verdaccio" --user verdaccio, it logs:
0|verdacci | uid=1008(verdaccio) gid=1009(verdaccio) groups=1009(verdaccio)
If I su - verdaccio and run id, it outputs both group memberships:
uid=1008(verdaccio) gid=1009(verdaccio) groups=1009(verdaccio),33(www-data)
If I install with pm2 using pm2 start "id; /usr/bin/verdaccio" --user verdaccio --gid www-data, it loses access to the user's default verdaccio group:
0|verdacci | uid=1008(verdaccio) gid=33(www-data) groups=33(www-data)
How could we reproduce this issue?
Create a user that belongs to a 2nd group and log the groups it belongs to when running under pm2.
Supporting information
I believe this is because --user only uses process.setuid() and --gid only uses process.setgid(), see:
https://github.com/Unitech/pm2/blob/da59cb6dd761546686e5f89dbc8126672d8b3460/lib/ProcessContainer.js#L90
There is also process.setgroups(), which takes a list of groups, but this is not used or supported at present:
https://nodejs.org/api/process.html#processsetgroupsgroups
Ideally, when running with --user, it should inherit all the groups of the user by also calling process.setgroups(), although I have no idea how to get that list of group ids.
See also: https://unix.stackexchange.com/a/118790
--- PM2 report ----------------------------------------------------------------
Date : Wed Feb 23 2022 11:20:30 GMT+0100 (Central European Standard Time)
===============================================================================
--- Daemon -------------------------------------------------
pm2d version : 5.2.0
node version : 14.19.0
node path : /usr/bin/pm2
argv : /usr/bin/node,/usr/lib/node_modules/pm2/lib/Daemon.js
argv0 : node
user : root
uid : 0
gid : 0
uptime : 36min
===============================================================================
--- CLI ----------------------------------------------------
local pm2 : 5.2.0
node version : 14.19.0
node path : /usr/bin/pm2
argv : /usr/bin/node,/usr/bin/pm2,report
argv0 : node
user : root
uid : 0
gid : 0
===============================================================================
--- System info --------------------------------------------
arch : x64
platform : linux
type : Linux
cpus : Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz
cpus nb : 2
freemem : 308482048
totalmem : 8341159936
home : /root
===============================================================================
Same problem
PM2 report
--- PM2 report ----------------------------------------------------------------
Date : Fri Apr 22 2022 18:41:15 GMT+0100 (Central European Standard Time)
===============================================================================
--- Daemon -------------------------------------------------
pm2d version : 5.2.0
node version : 16.14.2
node path : not found
argv : /usr/bin/node,/usr/lib/node_modules/pm2/lib/Daemon.js
argv0 : node
user : root
uid : 0
gid : 0
uptime : 73min
===============================================================================
--- CLI ----------------------------------------------------
local pm2 : 5.2.0
node version : 16.14.2
node path : /usr/bin/pm2
argv : /usr/bin/node,/usr/bin/pm2,report
argv0 : node
user : root
uid : 0
gid : 0
===============================================================================
--- System info --------------------------------------------
arch : x64
platform : linux
type : Linux
cpus : Intel(R) Xeon(R) CPU E5-2695 v2 @ 2.40GHz
cpus nb : 4
freemem : 3568427008
totalmem : 4121739264
home : /root
===============================================================================
I use sockets and need a shared group for nginx and the nodejs apps (and separate access per app).
# cat /etc/group | grep node
node-apps:x:997:app1,app2,app3,nginx
# ls -la /run/nodejs/
drwxrwsr-x 2 root node-apps 60 .
drwxr-xr-x 24 root root 740 ..
srwxrwxr-x 1 app1 node-apps 0 app1.socket
srwxrwxr-x 1 app2 node-apps 0 app2.socket
srwxrwxr-x 1 app3 node-apps 0 app3.socket
# ls -la /var/node-apps
drwxrwxr-x 5 root node-apps 4096 .
drwxr-xr-x 13 root root 4096 ..
drwxr-x--- 4 app1 node-apps 4096 app1
drwxr-x--- 4 app2 node-apps 4096 app2
drwxr-x--- 4 app3 node-apps 4096 app3
Without pm2 all works as expected:
# sudo -u app1 npx --no-install nuxt start
Current uid: 1000, gid: 1000, groups: 997,1000
Listening: unix+http:///run/nodejs/app1.socket
With pm2 it fails (same uid and gid in the ecosystem file):
2022-04-22T17:32:23: PM2 log: App [app1:1] starting in -cluster mode-
2022-04-22T17:32:23: PM2 log: App [app1:1] online
Current uid: 1000, gid: 1000, groups: 1000
FATAL listen EACCES: permission denied /run/nodejs/app1.socket
And I found an old discussion about process.setgroups(): #2254