From: Daan De Meyer
Date: Sun, 21 Jul 2024 20:08:44 +0000 (+0200)
Subject: Use setresuid() and setresgid()
X-Git-Tag: v24~22^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2888%2Fhead;p=thirdparty%2Fmkosi.git

Use setresuid() and setresgid()

If we're invoked with sudo let's make sure we leak less of the fact that we're invoked as root into the environment when running sync scripts.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 44b66169e..89eb1abd0 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -4659,8 +4659,8 @@ def sync_repository_metadata(context: Context) -> None:
 def run_sync(args: Args, config: Config, *, resources: Path) -> None:
 if os.getuid() == 0:
 os.setgroups(INVOKING_USER.extra_groups())
- os.setgid(INVOKING_USER.gid)
- os.setuid(INVOKING_USER.uid)
+ os.setresgid(INVOKING_USER.gid, INVOKING_USER.gid, INVOKING_USER.gid)
+ os.setresuid(INVOKING_USER.uid, INVOKING_USER.gid, INVOKING_USER.gid)
 if not (p := config.package_cache_dir_or_default()).exists():
 p.mkdir(parents=True, exist_ok=True)
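Review bot: The added `os.setresuid(INVOKING_USER.uid, INVOKING_USER.gid, INVOKING_USER.gid)` passes the group id as the effective and saved user id, so only the real uid is set to the invoking user. Because the call is made while still root it succeeds with any values, and whenever the invoking user's uid and gid differ the sync scripts run with the effective uid of whichever account has that number, which could even be 0 for a user whose primary group is gid 0. The line should read `os.setresuid(INVOKING_USER.uid, INVOKING_USER.uid, INVOKING_USER.uid)`. Where uid and gid are equal the mistake goes unnoticed, so a check after the drop such as `os.getresuid() == (INVOKING_USER.uid,) * 3` (raising on mismatch) would catch a regression. The body of run_sync continues outside the hunk.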