Always call setgroups()
We shouldn't skip this if the supplementary group list is empty, because then the sandbox won't drop the supplementary groups of the parent (like "root").
parent
c776dfbb35
commit
b37c2d84b6
|
@ -1988,9 +1988,8 @@ void LocalDerivationGoal::runChild()
|
|||
if (setUser && buildUser) {
|
||||
/* Preserve supplementary groups of the build user, to allow
|
||||
admins to specify groups such as "kvm". */
|
||||
if (!buildUser->getSupplementaryGIDs().empty() &&
|
||||
setgroups(buildUser->getSupplementaryGIDs().size(),
|
||||
buildUser->getSupplementaryGIDs().data()) == -1)
|
||||
auto gids = buildUser->getSupplementaryGIDs();
|
||||
if (setgroups(gids.size(), gids.data()) == -1)
|
||||
throw SysError("cannot set supplementary groups of build user");
|
||||
|
||||
if (setgid(buildUser->getGID()) == -1 ||
|
||||
|
|
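Review bot: The comment kept above the new `setgroups(gids.size(), gids.data())` call still gives only the "kvm" use case, so nothing in the code records why the call must run when the list is empty. The commit message names the real invariant: without the call, the child keeps the parent's supplementary groups (like "root"). Stating this next to the call guards against a later cleanup restoring the `!empty()` short-circuit, for example `/* Always call setgroups(), even with an empty list: this is what drops the supplementary groups inherited from the parent (e.g. "root"). A non-empty list lets admins grant groups such as "kvm". */`. It may also be worth a comment that this must stay ahead of the `setgid()` call that follows, since the ordering presumably matters once privileges are dropped. `runChild()` starts and ends outside the hunk, and the `setgid` condition is cut off at its last line.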