From 7d2ecdf4e9325e8c6522536a18fda2a715c74404 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
Date: Sun, 5 Apr 2026 20:41:08 +0200
Subject: [PATCH] [3.11] gh-94632: document the subprocess need for
 extra_groups=() with user= (GH-148129) (#148133)

gh-94632: document the subprocess need for extra_groups=() with user= (GH-148129)
(cherry picked from commit a1cf4430ed89ec702528ef074138c407ccf89946)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
---
 Doc/library/subprocess.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst
index c0ae9e5d7aae..5afc0dc556df 100644
--- a/Doc/library/subprocess.rst
+++ b/Doc/library/subprocess.rst
@@ -632,6 +632,12 @@ functions.
    the value in ``pw_uid`` will be used. If the value is an integer, it will
    be passed verbatim. (POSIX only)
 
+   .. note::
+
+      Specifying *user* will not drop existing supplementary group memberships!
+      The caller must also pass ``extra_groups=()`` to reduce the group membership
+      of the child process for security purposes.
+
    .. availability:: POSIX
    .. versionadded:: 3.9
 
-- 
2.47.3