From: Daan De Meyer
Date: Thu, 30 Oct 2025 22:35:07 +0000 (+0100)
Subject: nspawn/vmspawn: Add --bind-user-group=wheel
X-Git-Tag: v26~21^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a98df93bbfee46cb06e51f54a0efb8e8d4ee23a;p=thirdparty%2Fmkosi.git

nspawn/vmspawn: Add --bind-user-group=wheel

We want bound users to be able to elevate privileges inside the container.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index a7be4899a..a5d11d2f7 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -4270,7 +4270,7 @@ def run_shell(args: Args, config: Config) -> None:
 cmdline += ["--bind", f"{tree.source}:{target}:norbind,{uidmap}"]
 if config.bind_user:
- cmdline += ["--bind-user", getpass.getuser()]
+ cmdline += ["--bind-user", getpass.getuser(), "--bind-user-group=wheel"]
 if args.verb == Verb.boot and config.forward_journal:
 with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
diff --git a/mkosi/vmspawn.py b/mkosi/vmspawn.py
index edb86fd7d..565b696ed 100644
--- a/mkosi/vmspawn.py
+++ b/mkosi/vmspawn.py
@@ -64,7 +64,7 @@ def run_vmspawn(args: Args, config: Config) -> None:
 cmdline += ["--grow-image", str(config.runtime_size)]
 if config.bind_user:
- cmdline += ["--bind-user", getpass.getuser()]
+ cmdline += ["--bind-user", getpass.getuser(), "--bind-user-group=wheel"]
 if config.runtime_network == Network.user:
 cmdline += ["--network-user-mode"]
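Review bot: The added `"--bind-user-group=wheel"` in `run_shell` is unconditional, so every configuration that sets `bind_user` now also puts the bound host user in the guest's `wheel` group, widening what that setting grants with no opt-out. I would document this on the bind-user setting and add a comment above the line, for example `# wheel membership lets the bound user elevate privileges in the guest; assumes the image's sudo/polkit policy trusts wheel`. The group name is distribution-specific (Debian-family images conventionally use `sudo`), so the elevation may not take effect on every image, and an nspawn/vmspawn build that predates the option would presumably reject the command line; no version guard is visible in the hunk. The identical line in `run_vmspawn` in mkosi/vmspawn.py has the same issue. Both function bodies start and end outside the hunks, so a guard elsewhere cannot be ruled out.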