nspawn: reset supplementary and main group id before entering nspawn
[elogind.git] / src / nspawn / nspawn.c
index 244ebb83425faa00010c2cb104fe80c965284ca1..59171abff3cdb6c2e14ffbf50d9fb372baed362e 100644 (file)
@@ -1327,6 +1327,23 @@ int main(int argc, char *argv[]) {
                                         log_error("setreuid() failed: %m");
                                         goto child_fail;
                                 }
+                        } else {
+                                /* Reset everything fully to 0, just in case */
+
+                                if (setgroups(0, NULL) < 0) {
+                                        log_error("setgroups() failed: %m");
+                                        goto child_fail;
+                                }
+
+                                if (setresgid(0, 0, 0) < 0) {
+                                        log_error("setregid() failed: %m");
+                                        goto child_fail;
+                                }
+
+                                if (setresuid(0, 0, 0) < 0) {
+                                        log_error("setreuid() failed: %m");
+                                        goto child_fail;
+                                }
                         }
 
                         if ((asprintf((char**)(envp + 3), "HOME=%s", home ? home: "/root") < 0) ||
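Review bot: The two error messages in the added else branch name calls that are not the ones made: a failing `setresgid(0, 0, 0)` logs "setregid() failed" and a failing `setresuid(0, 0, 0)` logs "setreuid() failed", which will mislead anyone triaging a failed credential reset from the logs. I would change them to `log_error("setresgid() failed: %m");` and `log_error("setresuid() failed: %m");`. The comment "just in case" also does not say what is being guarded against; something like `/* Drop supplementary groups inherited from the invoking process, then force gid and uid to 0 */` would record the intent, assuming that inheritance is the concern the commit title refers to. The enclosing main() starts and continues outside this hunk, so the branch this else pairs with is only partly visible here.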