From c63ec60cc4cf87089bc4316f3a7bb1a9fd1a1a34 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Sun, 21 Jul 2024 22:08:44 +0200
Subject: [PATCH] Use setresuid() and setresgid()

If we're invoked with sudo let's make sure we leak less of the fact that we're invoked as root into the environment when running sync scripts.
---
 mkosi/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 44b66169e..89eb1abd0 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -4659,8 +4659,8 @@ def sync_repository_metadata(context: Context) -> None:
 def run_sync(args: Args, config: Config, *, resources: Path) -> None:
 if os.getuid() == 0:
 os.setgroups(INVOKING_USER.extra_groups())
- os.setgid(INVOKING_USER.gid)
- os.setuid(INVOKING_USER.uid)
+ os.setresgid(INVOKING_USER.gid, INVOKING_USER.gid, INVOKING_USER.gid)
+ os.setresuid(INVOKING_USER.uid, INVOKING_USER.gid, INVOKING_USER.gid)
 if not (p := config.package_cache_dir_or_default()).exists():
 p.mkdir(parents=True, exist_ok=True)
--
2.47.2
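Review bot: The added `os.setresuid(INVOKING_USER.uid, INVOKING_USER.gid, INVOKING_USER.gid)` passes the group id as the effective and saved user id, so only the real UID is set to the invoking user. Because the call runs as root it succeeds for any value, and the sync scripts then run with an effective UID equal to the numeric GID. That goes unnoticed where uid and gid happen to match, but otherwise it maps to an unrelated account, or leaves the process at euid 0 if the user's primary group is 0. The line should read `os.setresuid(INVOKING_USER.uid, INVOKING_USER.uid, INVOKING_USER.uid)`. A cheap guard after the drop would be to compare `os.getresuid()` and `os.getresgid()` against the expected triples and fail hard on mismatch. The body of `run_sync` continues outside the hunk.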