Diffstat (limited to 'src/syscall')
-rw-r--r--src/syscall/exec_bsd.go8
-rw-r--r--src/syscall/exec_linux.go5
-rw-r--r--src/syscall/exec_solaris.go8
-rw-r--r--src/syscall/exec_unix.go7
4 files changed, 15 insertions, 13 deletions
diff --git a/src/syscall/exec_bsd.go b/src/syscall/exec_bsd.go
index 317645fae5..31a4099559 100644
--- a/src/syscall/exec_bsd.go
+++ b/src/syscall/exec_bsd.go
@@ -146,9 +146,11 @@ func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr
if ngroups > 0 {
groups = uintptr(unsafe.Pointer(&cred.Groups[0]))
}
- _, _, err1 = RawSyscall(SYS_SETGROUPS, ngroups, groups, 0)
- if err1 != 0 {
- goto childerror
+ if !cred.NoSetGroups {
+ _, _, err1 = RawSyscall(SYS_SETGROUPS, ngroups, groups, 0)
+ if err1 != 0 {
+ goto childerror
+ }
}
_, _, err1 = RawSyscall(SYS_SETGID, uintptr(cred.Gid), 0, 0)
if err1 != 0 {
diff --git a/src/syscall/exec_linux.go b/src/syscall/exec_linux.go
index 979b6a247a..6ad20f6af1 100644
--- a/src/syscall/exec_linux.go
+++ b/src/syscall/exec_linux.go
@@ -210,10 +210,7 @@ func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr
if ngroups > 0 {
groups = uintptr(unsafe.Pointer(&cred.Groups[0]))
}
- // Don't call setgroups in case of user namespace, gid mappings
- // and disabled setgroups, because otherwise unprivileged user namespace
- // will fail with any non-empty SysProcAttr.Credential.
- if !(sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0) {
+ if !(sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0) && !cred.NoSetGroups {
_, _, err1 = RawSyscall(_SYS_setgroups, ngroups, groups, 0)
if err1 != 0 {
goto childerror
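Review bot: The rationale for the first half of the condition on the new `if` line is lost together with the deleted comment, leaving a three-clause boolean with no explanation of why either clause exists. The user-namespace clause is there because an unprivileged user namespace with gid mappings and setgroups disabled would otherwise fail on any non-empty Credential, while `!cred.NoSetGroups` is an unrelated, caller-requested opt-out; a reader of the new line cannot tell those two apart, and the skipped-setgroups path is exactly the one a security reviewer will want to audit. I would keep a comment above the condition, extended for the new field: `// Skip setgroups when the caller asked for NoSetGroups, or inside a user namespace with gid mappings and setgroups disabled (an unprivileged user namespace would otherwise fail with any non-empty SysProcAttr.Credential).` The enclosing forkAndExecInChild starts and ends outside this hunk.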
diff --git a/src/syscall/exec_solaris.go b/src/syscall/exec_solaris.go
index fcb481c078..abeed56b13 100644
--- a/src/syscall/exec_solaris.go
+++ b/src/syscall/exec_solaris.go
@@ -143,9 +143,11 @@ func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr
if ngroups > 0 {
groups = uintptr(unsafe.Pointer(&cred.Groups[0]))
}
- err1 = setgroups1(ngroups, groups)
- if err1 != 0 {
- goto childerror
+ if !cred.NoSetGroups {
+ err1 = setgroups1(ngroups, groups)
+ if err1 != 0 {
+ goto childerror
+ }
}
err1 = setgid(uintptr(cred.Gid))
if err1 != 0 {
diff --git a/src/syscall/exec_unix.go b/src/syscall/exec_unix.go
index af59c5d00a..e4f047f3f4 100644
--- a/src/syscall/exec_unix.go
+++ b/src/syscall/exec_unix.go
@@ -112,9 +112,10 @@ func SetNonblock(fd int, nonblocking bool) (err error) {
// Credential holds user and group identities to be assumed
// by a child process started by StartProcess.
type Credential struct {
- Uid uint32 // User ID.
- Gid uint32 // Group ID.
- Groups []uint32 // Supplementary group IDs.
+ Uid uint32 // User ID.
+ Gid uint32 // Group ID.
+ Groups []uint32 // Supplementary group IDs.
+ NoSetGroups bool // If true, don't set supplementary groups
}
// ProcAttr holds attributes that will be applied to a new process started
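Review bot: The comment on the new `NoSetGroups` field says what is not done but not what the child ends up with, which is the security-relevant part: the per-OS hunks show the setgroups call is simply skipped, so the child keeps the caller's supplementary groups across the exec. A privileged parent that sets Uid and Gid to drop privileges but also sets NoSetGroups would therefore carry its privileged group memberships into the unprivileged child, a classic incomplete privilege drop. With NoSetGroups left false and an empty Groups slice the other hunks invoke setgroups with a count of 0, which as I read those call sites is what clears the supplementary set, so false remains the right setting for a privilege drop. I would extend the field comment to `NoSetGroups bool // If true, don't set supplementary groups; the child inherits the caller's. Leave false when dropping privileges.` It would also help to mention that on Linux the field is only one of the reasons setgroups may be skipped, since the user-namespace gid-mapping case is decided in exec_linux.go and is not visible from this struct.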