From: Daan De Meyer Date: Mon, 7 Aug 2023 10:53:32 +0000 (+0200) Subject: Don't drop privileges when running qemu and invoked as root X-Git-Tag: v15~23^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c682fc4630dc44f611e00ade7983ff32a6aa3782;p=thirdparty%2Fmkosi.git Don't drop privileges when running qemu and invoked as root Depending on the environment and what options are used, running qemu might require root privileges. So if we're invoked as root and we're going to run qemu, let's not drop privileges. --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 423665780..006efbd47 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -1719,6 +1719,7 @@ def run_verb(args: MkosiArgs, presets: Sequence[MkosiConfig]) -> None: for config in presets: try_import(f"mkosi.distributions.{config.distribution}") + invoked_as_root = os.getuid() == 0 name = InvokingUser.name() # Get the user UID/GID either on the host or in the user namespace running the build @@ -1786,8 +1787,10 @@ def run_verb(args: MkosiArgs, presets: Sequence[MkosiConfig]) -> None: with mount_usr(last.tools_tree, umount=False), mount_passwd(name, uid, gid, umount=False): # After mounting the last tools tree, if we're not going to execute systemd-nspawn, we don't need to - # be (fake) root anymore, so switch user to the invoking user. - if args.verb not in (Verb.shell, Verb.boot): + # be (fake) root anymore, so switch user to the invoking user. If we're going to invoke qemu and + # mkosi was executed as root, we also don't drop privileges as depending on the environment and + # options passed, running qemu might need root privileges as well. + if not args.verb.needs_root() and (args.verb != Verb.qemu or not invoked_as_root): os.setresgid(gid, gid, gid) os.setresuid(uid, uid, uid)