Always attempt setgroups but allow failure to be ignored.

author: Ben Radford <benradf@users.noreply.github.com> 2023-07-11 10:44:03 +0100
committer: Ben Radford <benradf@users.noreply.github.com> 2023-07-11 10:44:05 +0100
commit: 07dabcc90ed8f2a2e7b98d858a47de3e75d2c3a2 (patch)
tree: 1aae55a4e70eeafb311141605fcf6a478e620d61 /src/libstore/globals.hh
parent: 25b20b4ad23d05d9a1e9daf105d33b7b68e4435b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index a19b43086..dbabf116a 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -524,7 +524,7 @@ public:
     Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
         "Whether to disable sandboxing when the kernel doesn't allow it."};
 
-    Setting<bool> dropSupplementaryGroups{this, getuid() == 0, "drop-supplementary-groups",
+    Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups",
         R"(
           Whether to drop supplementary groups when building with sandboxing.
           This is normally a good idea if we are root and have the capability to
author	Ben Radford <benradf@users.noreply.github.com>	2023-07-11 10:44:03 +0100
committer	Ben Radford <benradf@users.noreply.github.com>	2023-07-11 10:44:05 +0100
commit	07dabcc90ed8f2a2e7b98d858a47de3e75d2c3a2 (patch)
tree	1aae55a4e70eeafb311141605fcf6a478e620d61 /src/libstore/globals.hh
parent	25b20b4ad23d05d9a1e9daf105d33b7b68e4435b (diff)