From 1d20aa7247ece1a08bed7fa4ba5ab6b7c0f332b0 Mon Sep 17 00:00:00 2001
From: Paul Smith <psmith@gnu.org>
Date: Sun, 5 Dec 2021 14:22:43 -0500
Subject: [PATCH] [SV 61621] Don't use POSIX_SPAWN_RESETIDS with posix_spawn()

When make is invoked in a environment where the user namespace is
restricted, such as under unshare(1) (on GNU/Linux), it won't be able
to find its real UID so the effective UID can't be set to it and
posix_spawn() will fail with EINVAL.

It's not less safe to run recipe jobs using the same UID values that
make was invoked with, so don't worry about this flag.

* src/job.c (child_execute_job): Don't set POSIX_SPAWN_RESETIDS flag.
---
 src/job.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/job.c b/src/job.c
index 54fadf00..9d97fc44 100644
--- a/src/job.c
+++ b/src/job.c
@@ -2359,8 +2359,8 @@ child_execute_job (struct childbase *child, int good_stdin, char **argv)
     if ((r = posix_spawn_file_actions_adddup2 (&fa, fderr, FD_STDERR)) != 0)
       goto cleanup;
 
-  /* Be the user, permanently.  */
-  flags |= POSIX_SPAWN_RESETIDS;
+  /* We can't use the POSIX_SPAWN_RESETIDS flag: when make is invoked under
+     restrictive environments like unshare it will fail with EINVAL.  */
 
   /* Apply the spawn flags.  */
   if ((r = posix_spawnattr_setflags (&attr, flags)) != 0)