Always call setgroups()

We shouldn't skip this if the supplementary group list is empty, because then the sandbox won't drop the supplementary groups of the parent (like "root").
author: Eelco Dolstra <edolstra@gmail.com> 2022-11-22 09:02:17 +0100
committer: Eelco Dolstra <edolstra@gmail.com> 2022-11-22 10:26:17 +0100
commit: b37c2d84b67635fc928ed174166f04d6f4d30c6b (patch)
tree: 13a8e8fb65b2c4a282a7789fb603a36d22d06535 /src/libstore
parent: c776dfbb35e961ac3f011ab8665dfc85ab067ef8 (diff)
1 files changed, 2 insertions, 3 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index b7084384a..232440f74 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -1988,9 +1988,8 @@ void LocalDerivationGoal::runChild()
         if (setUser && buildUser) {
             /* Preserve supplementary groups of the build user, to allow
                admins to specify groups such as "kvm".  */
-            if (!buildUser->getSupplementaryGIDs().empty() &&
-                setgroups(buildUser->getSupplementaryGIDs().size(),
-                          buildUser->getSupplementaryGIDs().data()) == -1)
+            auto gids = buildUser->getSupplementaryGIDs();
+            if (setgroups(gids.size(), gids.data()) == -1)
                 throw SysError("cannot set supplementary groups of build user");
 
             if (setgid(buildUser->getGID()) == -1 ||
author	Eelco Dolstra <edolstra@gmail.com>	2022-11-22 09:02:17 +0100
committer	Eelco Dolstra <edolstra@gmail.com>	2022-11-22 10:26:17 +0100
commit	b37c2d84b67635fc928ed174166f04d6f4d30c6b (patch)
tree	13a8e8fb65b2c4a282a7789fb603a36d22d06535 /src/libstore
parent	c776dfbb35e961ac3f011ab8665dfc85ab067ef8 (diff)