Hi Ludo,

Ludovic Courtès <l...@gnu.org> writes:

[...]

>> When using 'make-forkexec-constructor/container', the clone(2) call
>> happens before switching user, thus as 'root' in Shepherd, which
>> explains why it works.
>
> Damnit, that’s right.  For example the result of:
>
>   (lower-object (least-authority-wrapper (file-append coreutils "/bin/uname")
>                                          #:namespaces (delq 'user
>                                                             %namespaces)))
>
> won’t run as an unprivileged user:

[...]

> I think we would add #:user and #:group to ‘least-authority-wrapper’ and
> have it call setuid/setgid.  ‘make-forkexec-constructor’ doesn’t need to
> be modified, but the user simply won’t pass #:user and #:group to it.

OK!  I'll adjust the jami-service-type when we get around to implementing
the above; for now I've pushed my proposed fix which still uses
'make-forkexec-constructor/container' as
85b4dabd94d53f8179f31a42046cd83fc3a352fc.

Thanks,

Maxim