What's going wrong?
User's group ids are missing when the app is started by pm2.
How could we reproduce this issue?
```
[garen@hi-dev-02 upload]$ id
uid=538(garen) gid=539(garen) groups=539(garen),526(webdev),543(hxzhao) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
[garen@hi-dev-02 upload]$ cat index.js
const child_process = require('child_process');
// let result = child_process.execSync('/usr/sbin/nginx -t', {
//   gid: 539
// });
// console.log(result.toString())
if (process.geteuid) {
  console.log(`Current uid: ${process.geteuid()}`);
}
console.log(`Current gids: ${process.getgroups()}`)
```
Running `node index.js` directly, it works well:

```
[garen@hi-dev-02 upload]$ node index.js
Current uid: 538
Current gids: 526,539,543
```
```
pm2 start --no-autorestart --no-daemon --interpreter node index.js
```

The output is:

```
[STREAMING] Now streaming realtime logs for [all] processes
08:21:39 17|index | Current uid: 538
08:21:39 17|index | [ 539 ]
```
The missing groups cause a loss of permissions; for example, in the above test script I cannot exec `nginx -t`, because nginx belongs to the group webdev.
PM2 version: `pm2 -v` : 2.5.0
Node version: `node -v` : v7.2.1
Windows? Mac? Linux? : Linux hi-dev-02 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Can't reproduce on Ubuntu 16.04 with the latest pm2 version and node 7/8, could you try on another machine?
@vmarchaud Thank you for your reply. I will test it on more machines tomorrow morning.
By the way, the above result was produced on CentOS 6.5.

```
[garen@hi-dev-02 ~]$ lsb_release -a
LSB Version:    :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.5 (Final)
Release:        6.5
Codename:       Final
```
Can't reproduce on macOS Sierra 10.12.4 (16E195):

```
PM2 | App name:index id:1 online
1|index | Current uid: 501
1|index | Current gids: 20,501,701,12,61,79,80,81,98,33,100,204,395,398,399
```
On another CentOS machine, it reproduced.

```
[front@iZm5ef6h0o28ajba4un2r2Z ~]$ cat /etc/redhat-release
CentOS release 6.5 (Final)
[front@iZm5ef6h0o28ajba4un2r2Z ~]$ id
uid=548(front) gid=548(front) groups=548(front),500(work),547(frontend)
16:38:02 8|index | Current uid: 548
16:38:02 8|index | Current gids: 548
[front@iZm5ef6h0o28ajba4un2r2Z ~]$ uname -a
Linux iZm5ef6h0o28ajba4un2r2Z 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
```
Maybe it's coming from CentOS?
Maybe, but not sure. I'll dig into the source code later and see if there are any solutions.
By the way, forever (https://github.com/foreverjs/forever) works well.
I'm having this issue on Ubuntu 16.04.
Using pm2, logging `process.getgroups()` displays `[0]` for me.
But the correct group ids appear when I run the script directly with node.
Running: `sudo pm2 start index.js --uid my_user`
I also tried adding `--gid my_user` to no avail, unless I omitted the `--uid` option. But then the script was running as root.
This may be due to the running process Master being in resident memory and launched from a shell that did not have those group privileges. Stop all processes and do a pm2 kill and relaunch the Master pm2 process.
@unixmonster I killed all pm2 processes and tried the same command `sudo pm2 start index.js --uid my_user`.
`process.getgroups()` still logs `[0]`.
FWIW I solved this issue using the initgroups method:

```
process.initgroups( user, user );
process.setgid( user );
process.setuid( user );
```

but you need to be root for this.
@valette I was considering putting initgroups() just like that in my pull request, but I didn't want to assume that anyone using --uid would also want the process to run with all of the group permissions of that user. Although, that is what I would want.
maybe this could be optional? Something like --initgroups ?
@valette I changed my mind. If you're starting a process as a particular user, then you should be expecting that process to have all of the rights of that user, _including its groups._
I made a new pull request to reflect that.
Hi, it seems that commit ccb35ef8ca437043f84f3651e0fc56534d37a143 broke this feature by removing the call to initgroups. Looking at the code, it seems more complicated to fix this.
[email protected] seems to be the last working version.
Hi. Issue still exists in pm2 4.2.1.
System: Linux 3.16.0-10-amd64 #1 SMP Debian 3.16.81-1 (2020-01-17) x86_64 GNU/Linux
> This may be due to the running process Master being in resident memory and launched from a shell that did not have those group privileges. Stop all processes and do a pm2 kill and relaunch the Master pm2 process.
I had the issue and this solved it. Basically, if you modify users / groups while PM2 is already running, it won't see the changes before you restart it (the process manager, not your process in PM2).
Can be done easily & safely with:

```
pm2 save
pm2 kill
pm2 resurrect
```

It will save your current processes, kill everything and resurrect them all.
I can confirm this error in pm2 4.2.3.
pm2 can't change the group of the application, and so the application cannot write logs to a directory in which only the group has write permissions.

```
# pm2 start test/app.config.js --uid site --gid site
/usr/lib/node_modules/pm2/lib/ProcessContainer.js:167
      throw err;
      ^
[Error: EACCES: permission denied, open '/test/logs/out-20.log'] {
  errno: -13,
  code: 'EACCES',
  syscall: 'open',
  path: '/test/logs/out-20.log'
}
# ls -la test
drwxrws--- 2 other-user site 4096 апр 8 16:46 logs
```
How to reproduce:

```
// run app as 'root' (pm2 always run as root), no errors
# pm2 start test/app.config.js
# cat test/logs/out-16.log
Current uid: 0
Current gids: 0

// run app as group 'site', no errors
# pm2 start test/app.config.js --gid site
# cat test/logs/out-17.log
Current uid: 0
Current gids: 1000

// run app as user 'site', no errors
# pm2 start test/app.config.js --uid site
# cat test/logs/out-19.log
Current uid: 1000
Current gids: 0

// run app as group 'site' and user 'site', error
# pm2 start test/app.config.js --gid site --uid site
# cat test/logs/out-18.log
Current uid: 1000
Current gids: 0
# cat test/logs/error-18.log
EPERM, Operation not permitted on call setgid
```

```
# pm2 -v
4.2.3
# uname -a
Linux web-shop 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
# cat index.js
console.log(`Current uid: ${process.geteuid()}`);
console.log(`Current gids: ${process.getgroups()}`)
```
```
# pm2 -V
4.4.1
# cat logs/error.log
2020-08-31T19:23:43: EPERM, Operation not permitted on call setgid
2020-08-31T19:24:39: EPERM, Operation not permitted on call setgid
2020-08-31T19:24:39: EPERM, Operation not permitted on call setgid
```
published in [email protected]
```
npm install pm2@latest -g
```