authorEelco Dolstra <edolstra@gmail.com>2022-11-22 09:02:17 +0100
committerEelco Dolstra <edolstra@gmail.com>2022-11-22 10:26:17 +0100
commitb37c2d84b67635fc928ed174166f04d6f4d30c6b (patch)
tree13a8e8fb65b2c4a282a7789fb603a36d22d06535
parentc776dfbb35e961ac3f011ab8665dfc85ab067ef8 (diff)
Always call setgroups()
We shouldn't skip this if the supplementary group list is empty, because then the sandbox won't drop the supplementary groups of the parent (like "root").
-rw-r--r--src/libstore/build/local-derivation-goal.cc5
1 files changed, 2 insertions, 3 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index b7084384a..232440f74 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -1988,9 +1988,8 @@ void LocalDerivationGoal::runChild()
if (setUser && buildUser) {
/* Preserve supplementary groups of the build user, to allow
admins to specify groups such as "kvm". */
- if (!buildUser->getSupplementaryGIDs().empty() &&
- setgroups(buildUser->getSupplementaryGIDs().size(),
- buildUser->getSupplementaryGIDs().data()) == -1)
+ auto gids = buildUser->getSupplementaryGIDs();
+ if (setgroups(gids.size(), gids.data()) == -1)
throw SysError("cannot set supplementary groups of build user");
if (setgid(buildUser->getGID()) == -1 ||