[00:30] <goraxe> ion: I have updated my branch to meet your review comments
[00:30] <ion> Great, thanks
[00:31] <goraxe> do you think this is a feature that's likely to get merged?
[00:36] <ion> There’s definitely demand for that, and it would be nice to have while full PAM support is still in TODO. The change isn’t invasive either. Ultimately it’s up to Keybuk, though.
[00:37] <goraxe> coll thanks
[00:37] <goraxe> doh
[00:37] <goraxe> *cool 
[00:37] <ion> There are still some function calls in the “foo()” style instead of “foo ()”. Oh, and the first instance of JOB_PROCESS_ERROR_SETUID is probably a typo, it should be _USER I guess.
[00:37] <goraxe> space between function (parms)?
[00:37] <ion> Yeah, that’s the coding style in Upstart.
[00:37] <Keybuk> ion: "for that" ?
[00:38] <ion> keybuk: For setuid support in jobs. https://code.edge.launchpad.net/~goraxe/upstart/user_sid/+merge/31905
[00:39] <Keybuk> randomly quick comments
[00:39] <Keybuk> "user" should be "uid" (since it's set uid, not PAM user support)
[00:39] <Keybuk> should support "uid 1000" as well as "uid messagebus"
[00:39] <Keybuk> setgid? initgroups?
[00:42] <goraxe> user -> uid sure can do, setgid yep, spotting uid \d vs \w ... may need some advice, initgroups guessing that sets up non primary group membership?
[00:43] <Keybuk> all group membership in fact
[00:43] <Keybuk> if you just setuid() like that, it'll still be gid 0
[00:43] <Keybuk> which may have surprising consequences permissions-wise
[00:43] <goraxe> yep can see that 
[00:45] <Keybuk> hmm, actually, can't remember whether initgroups sets the primary group or not ;)
[00:46] <goraxe> I will check the manpage for usage
[00:46] <ion> The man page only seems to talk about the supplementary group list.
[00:46] <goraxe> ta
[00:46] <goraxe> :-)
[00:47] <Keybuk> you may need to setgid (user->pw_gid) as well
[00:47] <Keybuk> in which case, definitely add a "gid" support in too
[00:47] <goraxe> if gid not set use ->pw_gid ?
[00:50] <goraxe> should uid and gid be looked up at parse time instead of job spawn time?
[00:50] <Keybuk> exactly
[00:50] <Keybuk> hmm
[00:50] <Keybuk> looking up user and group ids is complex
[00:51] <Keybuk> at parse time is when init starts, you almost certainly don't have nsswitch by then ;-)
[00:51] <Keybuk> LDAP, Kerberos, etc. won't be up
[00:51] <Keybuk> (no network, for a start!)
[00:51] <Keybuk> one bright side of doing this in job_process is that it's also done in a child, so any issues just prevent spawning, rather than holding up or crapping up the init daemon
[00:52] <Keybuk> sure you get no caching, but then setuid isn't really common enough to cache
[00:52] <Keybuk> certainly if any two services spawned *share* a uid (benefit to caching) they're probably doing it wrong from a security POV
[00:53] <goraxe> my use case for this is entirely for local user services, and we have an LDAP/kerberos env
[00:54] <goraxe> basically we have started using exec su <user> -c <command> ... which i think is quite ugly ...
[00:54] <Keybuk> yeah, su gives you a PAM session though
[00:54] <Keybuk> which may be what you want
[00:56] <goraxe> hmm ... you may have a point ... I think for our trivial cases we just want to spawn daemons at startup keep em running if they crash, and do some basic priv dropping
[00:56] <goraxe> ie this would be a good start, but I agree would not cover all cases
[00:56] <goraxe> how much of the pam stuff have you got scoped out?
[00:57] <Keybuk> the PAM stuff is easy
[00:57] <Keybuk> thinking about how a user of the same uid would restart a service - that's hard :)
[00:57] <Keybuk> the "uid"/"gid" stuff is just a property of a system service in this case, so just required someone to care enough to implement it
[00:57] <Keybuk> I've no problem with applying it into the next 0.6 release once it's ready
[00:58] <goraxe> cool, thanks
[01:00] <goraxe> on that note I really should call it a night
[12:28] <sacarde> hi
[18:41] <morgan__> hello there, i was wondering if there is any list of integrated upstart signals such as "start on net-device-added" or "start on filesystem" available ? 
[23:44] <goraxe> ion, Keybuk: I have done some more work to change to uid & gid stanza 
[23:45] <goraxe> I'm having a bit of a problem with initgroups though 
[23:49] <goraxe> it seems to only work if the process is running as root, even chmod +s on the file did not give it enough perms
[23:49] <goraxe> the file being test_job_process