From: Filip Schauer Date: Mon, 15 Dec 2025 15:03:43 +0000 (+0100) Subject: start: Respect lxc.init.groups also in new user namespace X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e6caeabec77471c46a629ad5a5a6586ff31e9ce;p=thirdparty%2Flxc.git start: Respect lxc.init.groups also in new user namespace Fix supplementary groups defined in 'lxc.init.groups' being ignored when the container uses a new user namespace. In other words: Fix lxc.init.groups for unprivileged containers. Signed-off-by: Filip Schauer
---
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 4927faf95..b5ca683db 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1603,17 +1603,19 @@ static int do_start(void *data)
 if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE))
 #endif
 {
- if (handler->conf->init_groups.size > 0) {
- if (!lxc_setgroups(handler->conf->init_groups.list,
- handler->conf->init_groups.size))
- goto out_warn_father;
- } else {
+ if (handler->conf->init_groups.size == 0) {
 if (!lxc_drop_groups())
 goto out_warn_father;
 }
 }
 }
+ if (handler->conf->init_groups.size > 0) {
+ if (!lxc_setgroups(handler->conf->init_groups.list,
+ handler->conf->init_groups.size))
+ goto out_warn_father;
+ }
+
 if (!lxc_switch_uid_gid(new_uid, new_gid))
 goto out_warn_father;
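Review bot: The relocated `lxc_setgroups()` call now runs outside the `lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE)` guard that still wraps `lxc_drop_groups()`, so a process without CAP_SETGID that has `lxc.init.groups` configured goes from silently skipping the call to aborting the start through `out_warn_father`. Failing closed is arguably safer than running init with inherited supplementary groups, but it is a behaviour change the commit message does not mention and it should be stated next to the new block, e.g. `/* Applied on the host and in a new user namespace alike; the start fails if setgroups() is not permitted. */`. In a new user namespace the listed GIDs presumably have to be covered by the container's gid map for the call to succeed, which deserves a sentence in the `lxc.init.groups` documentation. The condition that opens the outer block and the rest of do_start lie outside the hunk, so any existing comment there about groups already having been dropped in a user namespace may need updating too.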