From 79f6a5c7bd684f2e6007ee505b522440beb86bf0 Mon Sep 17 00:00:00 2001 From: Wander Lairson Costa Date: Fri, 10 Feb 2017 04:10:48 -0200 Subject: syscall: only call setgroups if we need to If the caller set ups a Credential in os/exec.Command, os/exec.Command.Start will end up calling setgroups(2), even if no supplementary groups were given. Only root can call setgroups(2) on BSD kernels, which causes Start to fail for non-root users when they try to set uid and gid for the new process. We fix by introducing a new field to syscall.Credential named NoSetGroups, and setgroups(2) is only called if it is false. We make this field with inverted logic to preserve backward compatibility. RELNOTES=yes Change-Id: I3cff1f21c117a1430834f640ef21fd4e87e06804 Reviewed-on: https://go-review.googlesource.com/36697 Reviewed-by: Ian Lance Taylor --- src/syscall/exec_linux.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'src/syscall/exec_linux.go') diff --git a/src/syscall/exec_linux.go b/src/syscall/exec_linux.go index 979b6a247a..6ad20f6af1 100644 --- a/src/syscall/exec_linux.go +++ b/src/syscall/exec_linux.go @@ -210,10 +210,7 @@ func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr if ngroups > 0 { groups = uintptr(unsafe.Pointer(&cred.Groups[0])) } - // Don't call setgroups in case of user namespace, gid mappings - // and disabled setgroups, because otherwise unprivileged user namespace - // will fail with any non-empty SysProcAttr.Credential. - if !(sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0) { + if !(sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0) && !cred.NoSetGroups { _, _, err1 = RawSyscall(_SYS_setgroups, ngroups, groups, 0) if err1 != 0 { goto childerror -- cgit v1.3