From: jeff <3beezer@gmail.com>
Newsgroups: comp.lang.python
Subject: Inconsistency between os.getgroups and os.system('groups') after os.setgroups()
Date: Sun, 25 Mar 2012 14:32:00 -0700 (PDT)

Run this test program as root:

    # Python 2 as posted; the __future__ import lets the same file run under Python 3.
    from __future__ import print_function
    import os

    print("before:", os.getgroups())
    os.system("groups")
    os.setgroups([])
    print("after:", os.getgroups())
    os.system("groups")

After the os.setgroups, os.getgroups says that the process is not in any groups, just as you would expect. However the groups command run using os.system says that the process is in the root group. It appears that the new process started by os.system augments the group membership specified in the os.setgroups command with the group of the actual user of the original process (which is root). I can suppress membership in the root group only by doing os.setgid and os.setuid before the os.system call (in which case I wind up in the group of the new user instead of root), but I have to be able to get back to root privilege so I can't use setgid and setuid.

How do I run a program from a Python script running as root such that the group membership of the process running the program does not include root?
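The following is an added example, not part of the post above. Two facts explain what the poster sees: os.setgroups() replaces only the supplementary group list, so the process's primary (effective) gid stays 0, and groups(1) prints the effective gid first, ahead of the supplementary groups. That is why root still shows up after setgroups([]). The way to run a child without root's group while keeping root in the script is to change credentials in the child only, between fork() and exec(), which subprocess exposes as preexec_fn (Python 3.9 and later also accept user=, group= and extra_groups= on Popen, which do the same thing). The parent never calls setuid/setgid itself, so it needs no way "back" to root. The uid/gid 65534 (nobody/nogroup), the id(1) output lines and the function names below are assumptions for illustration; run_unprivileged() only has an effect when the script itself runs as root.

```python
import os
import re
import subprocess


def drop_privileges(uid, gid, groups=(), _os=os):
    """Drop root in the calling process: supplementary groups, then gid, then uid.

    The order matters: setgroups() and setgid() require CAP_SETGID, which the
    process loses once its uid is no longer 0, so setuid() must come last.
    `_os` exists only so the call sequence can be exercised without root
    (assumed helper, not part of the original post).
    """
    _os.setgroups(list(groups))
    _os.setgid(gid)
    _os.setuid(uid)


def run_unprivileged(argv, uid, gid, groups=()):
    """Run argv with the given credentials while this (root) process keeps its own.

    preexec_fn runs in the forked child after fork() and before exec(), so the
    credential changes never touch the parent. Needs root to take effect.
    """
    proc = subprocess.run(
        argv,
        preexec_fn=lambda: drop_privileges(uid, gid, groups),
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        universal_newlines=True,
        check=True,
    )
    return proc.stdout


# Matches the uid=, gid= and groups= fields of id(1); \b keeps "euid=" out.
_ID_FIELD = re.compile(r"\b(uid|gid|groups)=([^ ]+)")


def parse_id_output(text):
    """Parse id(1) output such as
    'uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)'
    into {'uid': int, 'gid': int, 'groups': [int, ...]}."""
    info = {"uid": None, "gid": None, "groups": []}
    for key, value in _ID_FIELD.findall(text):
        ids = [int(item.split("(", 1)[0]) for item in value.split(",")]
        if key == "groups":
            info["groups"] = ids
        else:
            info[key] = ids[0]
    return info


def in_root_group(info):
    """True if gid 0 is the primary (effective) group or a supplementary group.

    groups(1) prints both, which is why setgroups([]) alone never makes
    root disappear from its output: the effective gid is still 0.
    """
    return info["gid"] == 0 or 0 in info["groups"]


if __name__ == "__main__":
    # Constructed sample: what id(1) prints for a root process whose
    # supplementary groups have been cleared with setgroups([]).
    parent = parse_id_output("uid=0(root) gid=0(root) groups=0(root)")
    print("parent in root group:", in_root_group(parent))
    if os.geteuid() == 0:
        # Only the child drops privileges; this process stays root afterwards.
        child = parse_id_output(run_unprivileged(["id"], 65534, 65534, []))
        print("child in root group:", in_root_group(child))
        print("parent still root:", os.geteuid() == 0)
```

Pass a non-empty `groups` list to keep the child in specific supplementary groups; the important part is that gid is set to something other than 0 as well, since clearing supplementary groups alone leaves the effective gid untouched.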