From 56202f2b1412acce2ee5bd6763c326d723a76186 Mon Sep 17 00:00:00 2001
From: Jared Meit
Date: Thu, 5 Oct 2017 18:33:11 -0400
Subject: [PATCH 1/2] Allow mixing of args uid and gid

Reversed the order of setting uid and gid. When uid is set first, the process doesn't have permission to set the gid. So they've been swapped.
---
 lib/ProcessContainerFork.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/ProcessContainerFork.js b/lib/ProcessContainerFork.js
index fdcd12e64..935654b82 100644
--- a/lib/ProcessContainerFork.js
+++ b/lib/ProcessContainerFork.js
@@ -52,10 +52,10 @@ if (process.connected &&
 // uid/gid management
 if (process.env.uid || process.env.gid) {
 try {
- if (process.env.uid)
- process.setuid(process.env.uid);
 if (process.env.gid)
 process.setgid(process.env.gid);
+ if (process.env.uid)
+ process.setuid(process.env.uid);
 } catch(e) {
 setTimeout(function() {
 console.error('%s on call %s', e.message, e.syscall);

From 0bd6aa3d10fafbe1caf6e58b8e238c777d21b794 Mon Sep 17 00:00:00 2001
From: Jared Meit
Date: Mon, 9 Oct 2017 18:19:39 -0400
Subject: [PATCH 2/2] Give the user all of its group's rights

When using the option `--uid ` the process now runs with all of that user's permissions, including its groups.
---
 lib/ProcessContainerFork.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/ProcessContainerFork.js b/lib/ProcessContainerFork.js
index 935654b82..7a68aece7 100644
--- a/lib/ProcessContainerFork.js
+++ b/lib/ProcessContainerFork.js
@@ -54,8 +54,11 @@ if (process.env.uid || process.env.gid) {
 try {
 if (process.env.gid)
 process.setgid(process.env.gid);
- if (process.env.uid)
+ if (process.env.uid){
+ process.initgid(process.env.uid, process.env.uid);
+ process.setgid(process.env.uid);
 process.setuid(process.env.uid);
+ }
 } catch(e) {
 setTimeout(function() {
 console.error('%s on call %s', e.message, e.syscall);
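Review bot: A failure in this block is handled only inside a `setTimeout`, so when `setgid` succeeds and `setuid` then throws, execution continues past the try/catch with the new group but the original user until the timer fires. The rest of the catch and the code after it are outside the hunk, so please confirm the application script cannot be loaded in that window, or stop synchronously in the catch. The ordering is also worth a comment above the gid branch, for example `// setgid first: once setuid has dropped root, setgid is no longer permitted`, so a later cleanup does not swap the calls back.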
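Review bot: `process.initgid` is not a Node.js function, so the added call throws a TypeError as soon as `uid` is set and every such start ends in the catch block; the call that loads a user's supplementary groups is `process.initgroups(user, extraGroup)`. The `process.setgid(process.env.uid)` after it also overrides the `gid` applied two lines earlier and passes a user identifier where a group is expected, which undoes the uid/gid mixing from patch 1/2 and fails or selects an unrelated group when no group shares the user's name or id. I would resolve the group once and use it for both calls, keeping `setuid` last: `var gid = process.env.gid || process.env.uid;`, `process.initgroups(process.env.uid, gid);`, `process.setgid(gid);`. The fallback to the uid still assumes a group named like the user, which deserves a comment. The try/catch continues outside the hunk.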