From: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Date: Sun, 5 Apr 2026 18:07:07 +0000 (-0700)
Subject: gh-94632: document the subprocess need for extra_groups=() with user= (GH-148129)
X-Git-Tag: v3.15.0a8~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1cf4430ed89ec702528ef074138c407ccf89946;p=thirdparty%2FPython%2Fcpython.git

gh-94632: document the subprocess need for extra_groups=() with user= (GH-148129)
---

diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst
index 9e261a0ca039..fe64daa3291d 100644
--- a/Doc/library/subprocess.rst
+++ b/Doc/library/subprocess.rst
@@ -627,6 +627,12 @@ functions.
    the value in ``pw_uid`` will be used. If the value is an integer, it will
    be passed verbatim. (POSIX only)
 
+   .. note::
+
+      Specifying *user* will not drop existing supplementary group memberships!
+      The caller must also pass ``extra_groups=()`` to reduce the group membership
+      of the child process for security purposes.
+
    .. availability:: POSIX
    .. versionadded:: 3.9