Serious error in ensure_user_groups (in debian)

[jbzdak]

There is a serious error in mentioned method

Here is implementation (at least the most revelant part):

    for user_group in groups:
        self.execute('usermod -G %s %s' % (user_group, username), stdout=False, sudo=True)

If I call ensure_user_groups('foo', ['group1', 'group2']) following statements would be called:

usermod -G group1 foo
usermod -G group2 foo 

While man usermod states:

   -G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
      ...
       If the user is currently a member of a group which is not listed, the user will be removed from the group. This behaviour can be changed via the -a option, which appends the user to the current supplementary group list.

So this would result in foo being member of group1 as usermod -G group2 foo would remove foo from group1