Do not ignore EPERM when dropping supplementary groups

As per rust-lang#121650 (comment)
GrigorenkoPV · Feb 29, 2024 · b4a4ab4 · b4a4ab4
1 parent 3a6af84
commit b4a4ab4
Showing 1 changed file with 3 additions and 11 deletions.
diff --git a/library/std/src/sys/pal/unix/process/process_unix.rs b/library/std/src/sys/pal/unix/process/process_unix.rs
@@ -330,22 +330,14 @@ impl Command {
             if let Some(u) = self.get_uid() {
                 // When dropping privileges from root, the `setgroups` call
                 // will remove any extraneous groups. We only drop groups
-                // if we have CAP_SETGID and we weren't given an explicit
-                // set of groups. If we don't call this, then even though our
+                // if we weren't given an explicit set of groups.
+                // If we don't call this, then even though our
                 // uid has dropped, we may still have groups that enable us to
                 // do super-user things.
                 //FIXME: Redox kernel does not support setgroups yet
                 #[cfg(not(target_os = "redox"))]
                 if self.get_groups().is_none() {
-                    let res = cvt(libc::setgroups(0, crate::ptr::null()));
-                    if let Err(e) = res {
-                        // Here we ignore the case of not having CAP_SETGID.
-                        // An alternative would be to require CAP_SETGID (in
-                        // addition to CAP_SETUID) for setting the UID.
-                        if e.raw_os_error() != Some(libc::EPERM) {
-                            return Err(e.into());
-                        }
-                    }
+                    cvt(libc::setgroups(0, crate::ptr::null()))?;
                 }
                 cvt(libc::setuid(u as uid_t))?;
             }