Diffstat (limited to 'src/syscall/exec_linux.go')
| -rw-r--r-- | src/syscall/exec_linux.go | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/syscall/exec_linux.go b/src/syscall/exec_linux.go
index 4b8199a2e5..39764f7076 100644
--- a/src/syscall/exec_linux.go
+++ b/src/syscall/exec_linux.go
@@ -206,9 +206,15 @@ func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr
 // User and groups
 if cred := sys.Credential; cred != nil {
 ngroups := uintptr(len(cred.Groups))
+ groups := uintptr(0)
 if ngroups > 0 {
- groups := unsafe.Pointer(&cred.Groups[0])
- _, _, err1 = RawSyscall(SYS_SETGROUPS, ngroups, uintptr(groups), 0)
+ groups = uintptr(unsafe.Pointer(&cred.Groups[0]))
+ }
+ // Don't call setgroups in case of user namespace, gid mappings
+ // and disabled setgroups, because otherwise unprivileged user namespace
+ // will fail with any non-empty SysProcAttr.Credential.
+ if !(sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0) {
+ _, _, err1 = RawSyscall(SYS_SETGROUPS, ngroups, groups, 0)
 if err1 != 0 {
 goto childerror
 }
|
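Review bot: When the new guard skips SYS_SETGROUPS (GidMappings set, GidMappingsEnableSetgroups false, empty cred.Groups), the child keeps the supplementary groups it inherited from the parent, and nothing in the added comment tells a caller that an empty Credential.Groups no longer clears the list in this configuration. The comment above the `if` should state that consequence, for example `// In that case the supplementary groups are left as inherited; they cannot be cleared here.`, and the same sentence belongs in the doc for SysProcAttr.Credential, which is outside this hunk. The negated three-way condition is also hard to audit in a privilege-handling path; naming it first, `skipSetgroups := sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0`, and testing `if !skipSetgroups {` would make the fail-closed case (non-empty Groups still calls setgroups and goes to childerror on failure) easier to see. The guard keys on the mapping fields only; whether a user namespace is actually requested is decided outside the visible lines, so that assumption should be confirmed. The body of forkAndExecInChild continues beyond the hunk on both sides.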
