From: Mike Yuan Date: Fri, 19 Sep 2025 22:00:14 +0000 (+0200) Subject: core/exec-invoke: gracefully handle lack of privilege for initgroups() in user mode X-Git-Tag: v258.2~48 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2c78b439c7767c960f0b18574f641e1fbef6f6d9;p=thirdparty%2Fsystemd.git core/exec-invoke: gracefully handle lack of privilege for initgroups() in user mode Otherwise specifying User=SELF also fails because we got no privilege to call setgroups(). Fixes #39038 (cherry picked from commit c86914667a4ad1debea0cb0cab44df3f10b36dbf)
---
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 7eb7e624da7..d89e806ac54 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -905,8 +905,16 @@ static int get_supplementary_groups(
 bool keep_groups = false;
 if (user && gid_is_valid(gid) && gid != 0) {
 /* First step, initialize groups from /etc/groups */
- if (initgroups(user, gid) < 0)
- return -errno;
+ if (initgroups(user, gid) < 0) {
+ /* If our primary gid is already the one specified in Group= (i.e. we're running in
+ * user mode), gracefully handle the case where we have no privilege to re-initgroups().
+ *
+ * Note that group memberships of the current user might have been modified, but
+ * the change will only take effect after re-login. It's better to continue on with
+ * existing credentials rather than erroring out. */
+ if (!ERRNO_IS_PRIVILEGE(errno) || gid != getgid())
+ return -errno;
+ }
 keep_groups = true;
 }
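Review bot: The tolerated path behind `if (!ERRNO_IS_PRIVILEGE(errno) || gid != getgid())` is silent and keys only on the primary gid. When initgroups() is denied, the process keeps its existing supplementary groups and still reaches `keep_groups = true` with nothing recorded. That matches the user-manager case the comment describes, but the visible lines do not check that the requested `user` is the current user, so any caller that cannot set groups and whose gid equals the requested one takes the same path (this may be enforced outside the hunk). I would add a debug message after the inner `return -errno;`, e.g. `log_debug_errno(errno, "Failed to initialize supplementary groups, continuing with existing ones: %m");`, so stale or inherited group membership can be diagnosed. get_supplementary_groups() begins before and continues after this hunk.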