From 1d20aa7247ece1a08bed7fa4ba5ab6b7c0f332b0 Mon Sep 17 00:00:00 2001 From: Paul Smith <psmith@gnu.org> Date: Sun, 5 Dec 2021 14:22:43 -0500 Subject: [PATCH] [SV 61621] Don't use POSIX_SPAWN_RESETIDS with posix_spawn() When make is invoked in a environment where the user namespace is restricted, such as under unshare(1) (on GNU/Linux), it won't be able to find its real UID so the effective UID can't be set to it and posix_spawn() will fail with EINVAL. It's not less safe to run recipe jobs using the same UID values that make was invoked with, so don't worry about this flag. * src/job.c (child_execute_job): Don't set POSIX_SPAWN_RESETIDS flag. --- src/job.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/job.c b/src/job.c index 54fadf00..9d97fc44 100644 --- a/src/job.c +++ b/src/job.c @@ -2359,8 +2359,8 @@ child_execute_job (struct childbase *child, int good_stdin, char **argv) if ((r = posix_spawn_file_actions_adddup2 (&fa, fderr, FD_STDERR)) != 0) goto cleanup; - /* Be the user, permanently. */ - flags |= POSIX_SPAWN_RESETIDS; + /* We can't use the POSIX_SPAWN_RESETIDS flag: when make is invoked under + restrictive environments like unshare it will fail with EINVAL. */ /* Apply the spawn flags. */ if ((r = posix_spawnattr_setflags (&attr, flags)) != 0)