author | Eelco Dolstra <edolstra@gmail.com> | 2022-11-22 09:02:17 +0100 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2022-11-22 10:26:17 +0100 |
commit | b37c2d84b67635fc928ed174166f04d6f4d30c6b (patch) | |
tree | 13a8e8fb65b2c4a282a7789fb603a36d22d06535 | |
parent | c776dfbb35e961ac3f011ab8665dfc85ab067ef8 (diff) |
Always call setgroups()
We shouldn't skip this if the supplementary group list is empty,
because then the sandbox won't drop the supplementary groups of the
parent (like "root").
-rw-r--r-- | src/libstore/build/local-derivation-goal.cc | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index b7084384a..232440f74 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -1988,9 +1988,8 @@ void LocalDerivationGoal::runChild()
 if (setUser && buildUser) {
 /* Preserve supplementary groups of the build user, to allow admins to specify groups such as "kvm". */
- if (!buildUser->getSupplementaryGIDs().empty() &&
- setgroups(buildUser->getSupplementaryGIDs().size(),
- buildUser->getSupplementaryGIDs().data()) == -1)
+ auto gids = buildUser->getSupplementaryGIDs();
+ if (setgroups(gids.size(), gids.data()) == -1)
 throw SysError("cannot set supplementary groups of build user");
 if (setgid(buildUser->getGID()) == -1 || |
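Review bot: The comment kept above the call still says only that it preserves the build user's supplementary groups, but the security-relevant effect of the now unconditional `setgroups(gids.size(), gids.data())` is that an empty list clears the groups inherited from the parent. Nothing at the call site records that, so a later cleanup could reintroduce the `empty()` guard as an apparent optimisation. I would reword the comment to `/* Always call setgroups(), even with an empty list: it sets the build user's supplementary groups (e.g. "kvm") and drops those inherited from the parent (e.g. "root"). */`. The call correctly stays ahead of the `setgid()` that follows, and a regression test that checks the builder's group list when no supplementary groups are configured would pin the behaviour. runChild() starts and ends outside this hunk, so the rest of the privilege-drop sequence is not visible here.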