The original thrust of the MEP work was that it was strictly for administrators. After we realized that normal users would want templating as well, we updated the logic to be flexible by allowing `initgroups` to fail but still proceed to start the UEP. But then we also included a check to only attempt to change the UID if it needed changing ... in practice, then, this should never fail because if `os.getuid() != new_uid` then the `os.getuid()` has the necessary privileges.
However, `initgroups()` is not a fungible action when changing the process persona, so take out the ambiguity by just letting it fail if [something happens].
In the same vein, implement a "paranoia" check that ensures that we can't get back the privileges. If the kernel doesn't have our back, then we bail out right away.
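One way to implement the sequence this description lays out, as an added Python example rather than the project's own code (`drop_privileges` and `verify_unprivileged` are assumed names): change persona only when the UID actually differs, let `initgroups()` raise instead of swallowing its failure, then run the paranoia check that the kernel will not hand root back.

```python
import os
import pwd


def verify_unprivileged(new_uid, new_gid):
    """Paranoia check: confirm the persona is exactly what was requested and,
    for a non-root persona, that the kernel refuses to give root back.
    Returns True on success and raises otherwise, so callers bail out."""
    if (os.getuid(), os.geteuid()) != (new_uid, new_uid):
        raise RuntimeError("uid did not change to %d" % new_uid)
    if (os.getgid(), os.getegid()) != (new_gid, new_gid):
        raise RuntimeError("gid did not change to %d" % new_gid)
    if new_uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            return True  # expected: the kernel has our back
        # setuid(0) succeeded, so a saved UID or capability let us back in
        raise RuntimeError("privileges can be regained; bailing out")
    return True


def drop_privileges(new_uid, new_gid):
    """Switch to new_uid/new_gid only if a change is needed, let initgroups()
    failures propagate, then run the paranoia check (assumed helper)."""
    if os.getuid() != new_uid:
        name = pwd.getpwuid(new_uid).pw_name
        # Not optional: a stale supplementary-group list keeps old group
        # privileges, so a failure here aborts instead of being ignored.
        os.initgroups(name, new_gid)
        os.setgid(new_gid)  # groups first; impossible once root is gone
        os.setuid(new_uid)
    return verify_unprivileged(new_uid, new_gid)
```

Run as a non-root user the check passes because `setuid(0)` is refused; run as root with a root target the regain test is skipped, since there is nothing to drop.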
[sc-36722]
Type of change