Add support for supplementary groups

Implement supplementary group support for services, allowing them to
access resources owned by multiple groups. Uses the @user:group,sup1,sup2
syntax to explicitly specify supplementary groups, as finit does not read
group membership from /etc/group.

Author: aanderse

doc/config/services.md

@@ -116,10 +116,27 @@ Non-privileged Services
 
 Every `run`, `task`, or `service` can also list the privileges the
 `/path/to/cmd` should be executed with.  Prefix the command with
-`@USR[:GRP]`, group is optional, like this:
+`@USR[:GRP[,SUPP,...]]`, where group and supplementary groups are
+optional, like this:
 
     run [2345] @joe:users logger "Hello world"
 
+> [!IMPORTANT]
+> Finit does **not** read supplementary group membership from
+> `/etc/group`.  If a service needs access to resources owned by
+> supplementary groups, they must be explicitly listed in the
+> configuration.  A maximum of 4 supplementary groups can be specified.
+
+To run a service with supplementary groups, append them after the
+primary group, separated by commas:
+
+    service @caddy:caddy,www-data,ssl-cert /usr/bin/caddy run
+
+This runs the `caddy` service as user `caddy`, with primary group
+`caddy`, and supplementary groups `www-data` and `ssl-cert`.  This
+is useful when a service needs access to files or resources owned
+by multiple groups, such as TLS certificates or shared web content.
+
 For multiple instances of the same command, e.g. a DHCP client or
 multiple web servers, add `:ID` somewhere between the `run`, `task`,
 `service` keyword and the command, like this:

src/service.c

@@ -25,6 +25,7 @@
 #include "config.h"		/* Generated by configure script */
 
 #include <ctype.h>		/* isblank() */
+#include <grp.h>			/* setgroups() */
 #include <sched.h>		/* sched_yield() */
 #include <string.h>
 #include <sys/reboot.h>
@@ -560,6 +561,26 @@ static pid_t service_fork(svc_t *svc)
 				      svc_ident(svc, NULL, 0), rlim2str(i));
 		}
 
+#ifndef ENABLE_STATIC
+		/* Set supplementary groups */
+		if (svc->num_supgroups > 0) {
+			gid_t supgids[MAX_NUM_SUPGROUPS];
+			int i, n = 0;
+
+			for (i = 0; i < svc->num_supgroups; i++) {
+				int g = getgroup(svc->supgroups[i]);
+				if (g < 0) {
+					warn("%s: unknown supplementary group '%s'",
+					     svc_ident(svc, NULL, 0), svc->supgroups[i]);
+					continue;
+				}
+				supgids[n++] = g;
+			}
+			if (n > 0 && setgroups(n, supgids))
+				err(1, "%s: failed setgroups()", svc_ident(svc, NULL, 0));
+		}
+#endif
+
 		/* Set desired user+group */
 		if (gid >= 0) {
 			if (setgid(gid))
@@ -1957,7 +1978,29 @@ int service_register(int type, char *cfg, struct rlimit rlimit[], char *file)
 		char *ptr = strchr(username, ':');
 
 		if (ptr) {
+			char *sup;
+
 			*ptr++ = 0;
+			/* Check for supplementary groups: group,sup1,sup2,... */
+			sup = strchr(ptr, ',');
+			if (sup) {
+				*sup++ = 0;
+				svc->num_supgroups = 0;
+				while (sup) {
+					char *next = strchr(sup, ',');
+					if (next)
+						*next++ = 0;
+					if (svc->num_supgroups >= MAX_NUM_SUPGROUPS) {
+						warn("%s: too many supplementary groups, max %d",
+						     svc->cmd, MAX_NUM_SUPGROUPS);
+						break;
+					}
+					strlcpy(svc->supgroups[svc->num_supgroups], sup,
+						sizeof(svc->supgroups[0]));
+					svc->num_supgroups++;
+					sup = next;
+				}
+			}
 			strlcpy(svc->group, ptr, sizeof(svc->group));
 		}
 		strlcpy(svc->username, username, sizeof(svc->username));

src/svc.h

@@ -101,6 +101,7 @@ typedef enum {
 #define MAX_STR_LEN      64
 #define MAX_COND_LEN     (MAX_ARG_LEN * 3)
 #define MAX_USER_LEN     16
+#define MAX_NUM_SUPGROUPS 4
 #define MAX_NUM_FDS      64	     /* Max number of I/O plugins */
 #define MAX_NUM_SVC_ARGS 64
 
@@ -191,6 +192,8 @@ typedef struct svc {
 	/* Identity */
 	char	       username[MAX_USER_LEN];
 	char	       group[MAX_USER_LEN];
+	char	       supgroups[MAX_NUM_SUPGROUPS][MAX_USER_LEN];
+	int		       num_supgroups;
 	char	       capabilities[MAX_CMD_LEN];
 
 	/* Command, arguments and service description */