This allows us to exclude GO-2023-1840 (aka CVE-2023-29403; https://github.com/tianon/gosu/issues/128#issuecomment-1607803883) from our report since we already refuse to operate when users have enabled the `setuid` bit on the binary.

Additionally, this updates our in-code check for `setuid` to also disallow `setgid`, but the impact of that configuration is lesser (so this is considered a best-effort pre-emptive mitigation -- hopefully the block on `setuid` has already discouraged users from using `gosu` in this way).

(This is essentially a workaround for https://github.com/golang/go/issues/59507, which isn't ideal, but it's the best we have for now.)
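The kind of self-check the commit message describes (stat your own executable and refuse to run when the `setuid` or `setgid` bit is set), written out as an added Go example. This is illustrative code, not gosu's own implementation; the helper names `privilegedBits` and `refuseIfPrivileged` are assumptions made here.

```go
package main

import (
	"fmt"
	"os"
)

// privilegedBits reports which of the setuid/setgid bits are present in mode.
// (Example helper, not gosu's own code.)
func privilegedBits(mode os.FileMode) (setuid, setgid bool) {
	return mode&os.ModeSetuid != 0, mode&os.ModeSetgid != 0
}

// refuseIfPrivileged returns a non-nil error when the file at path carries
// the setuid or setgid bit. A binary that re-executes itself, or that is run
// by users it does not trust, should refuse to operate in that state rather
// than rely on a later permission drop being airtight.
// (Example helper name; the real check in gosu may be structured differently.)
func refuseIfPrivileged(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return fmt.Errorf("cannot stat %s: %w", path, err)
	}
	suid, sgid := privilegedBits(fi.Mode())
	switch {
	case suid && sgid:
		return fmt.Errorf("%s: refusing to run with setuid and setgid bits set", path)
	case suid:
		return fmt.Errorf("%s: refusing to run with setuid bit set", path)
	case sgid:
		return fmt.Errorf("%s: refusing to run with setgid bit set (best-effort check)", path)
	}
	return nil
}

func main() {
	// Resolve the running binary's own path and check it before doing any work.
	self, err := os.Executable()
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	if err := refuseIfPrivileged(self); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("ok: binary is neither setuid nor setgid")
}
```

The check runs before any argument handling so that a mis-configured installation fails fast; `os.Executable` is used instead of `os.Args[0]` because the latter can be set arbitrarily by the caller.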