Correctly add auxiliary groups.

Also ensure that owning uids are members of data groups that they join.

1 files changed, 10 insertions, 6 deletions

diff --git a/rainbow/rainbow/inject.py b/rainbow/rainbow/inject.py
index a8812f3..0b01f3b 100644
--- a/rainbow/rainbow/inject.py
+++ b/rainbow/rainbow/inject.py
@@ -60,6 +60,7 @@ def reserve_group(log, spool, owner_uid, uid, group):
     # Only join groups that we own.
     assert readlink(owner_path) == str(owner_uid)
     open(join(map_dir, str(uid)), 'w').close()
+    open(join(map_dir, str(getpwuid(owner_uid).pw_name)), 'w').close()
     return gid
 
 def grab_home(_, spool, uid, __, owner_gid):
@@ -200,23 +201,26 @@ def check_home(uid, gid, home):
     ck = Checker(home, uid, gid)
     assert ck.positive(R_OK | W_OK | X_OK, S_IFDIR)
 
-def maybe_add_gid(owner_uid, gid):
+def maybe_add_gid(log, owner_uid, gid):
     # rainbow should only let you drop privilege.
-    return getpwuid(owner_uid).pw_name in getgrgid(gid).gr_mem
+    owner = getpwuid(owner_uid).pw_name
+    members = getgrgid(gid).gr_mem
+    log(1, "maybe_add_gid owner: %s members: %s result: %s", owner, members, owner in members)
+    return owner in members
 
 def configure_groups(log, owner_uid, groups, gid, data_group_to_gid, pset):
     groups.insert(0, gid)
 
     for _, data_gid in data_group_to_gid:
-        if maybe_add_gid(owner_uid, data_gid):
-            groups.insert(data_gid)
+        if maybe_add_gid(log, owner_uid, data_gid):
+            groups.insert(0, data_gid)
 
     for cap in ("audio", "video", "serial"):
         try:
             if pset.has_permission(cap):
                 cap_gid = getgrnam(cap).gr_gid
-                if maybe_add_gid(owner_uid, cap_gid):
-                    groups.insert(cap_gid)
+                if maybe_add_gid(log, owner_uid, cap_gid):
+                    groups.insert(0, cap_gid)
         except Exception, e: log(1, "Skipping permission (%s) because of (%s).", cap, e)
     return list(set(groups))