]> git.ipfire.org Git - thirdparty/mkosi.git/commitdiff
projects / thirdparty / mkosi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 01ac080)
Use setresuid() and setresgid() 2888/head
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Sun, 21 Jul 2024 20:08:44 +0000 (22:08 +0200)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Sun, 21 Jul 2024 20:08:44 +0000 (22:08 +0200)
If we're invoked with sudo let's make sure we leak less of the fact
that we're invoked as root into the environment when running sync
scripts.

mkosi/__init__.py patch | blob | blame | history

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 44b66169ed96116609f991ffb502ead42a769835..89eb1abd05c3955f5ce32833314077577f926c45 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -4659,8 +4659,8 @@ def sync_repository_metadata(context: Context) -> None:
 def run_sync(args: Args, config: Config, *, resources: Path) -> None:
     if os.getuid() == 0:
         os.setgroups(INVOKING_USER.extra_groups())
-        os.setgid(INVOKING_USER.gid)
-        os.setuid(INVOKING_USER.uid)
+        os.setresgid(INVOKING_USER.gid, INVOKING_USER.gid, INVOKING_USER.gid)
+        os.setresuid(INVOKING_USER.uid, INVOKING_USER.gid, INVOKING_USER.gid)
 
     if not (p := config.package_cache_dir_or_default()).exists():
         p.mkdir(parents=True, exist_ok=True)
Mirror of https://github.com/systemd/mkosi.git