1 Answer
I traced the source code of cmd.Run() and found:
type SysProcAttr struct {
    UidMappings []SysProcIDMap // User ID mappings for user namespaces.
    GidMappings []SysProcIDMap // Group ID mappings for user namespaces.
    // GidMappingsEnableSetgroups enabling setgroups syscall.
    // If false, then setgroups syscall will be disabled for the child process.
    // This parameter is no-op if GidMappings == nil. Otherwise for unprivileged
    // users this should be set to false for mappings work.
    GidMappingsEnableSetgroups bool
}
So if GidMappingsEnableSetgroups keeps its default value of false, then regardless of whether the child process has root privileges, justiceInit has no permission to use the setgroups syscall.
As a result, when I set cmd.SysProcAttr.GidMappingsEnableSetgroups to true in the main function as shown below, it worked!
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
cmd.SysProcAttr = &syscall.SysProcAttr{
    // ... (Cloneflags, UidMappings, GidMappings as before)
    GidMappingsEnableSetgroups: true,
}
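The following is an added example, not the answerer's code, showing the other side of this setting: Go writes "deny" to /proc/&lt;pid&gt;/setgroups when GidMappingsEnableSetgroups is false, and the kernel (user_namespaces(7)) only lets a parent without CAP_SETGID write gid_map after that denial, so enabling setgroups from an unprivileged parent makes cmd.Run fail rather than grant the child anything. It assumes Linux; userNSAttr and checkUserNSAttr are hypothetical helper names, and the root check in main is a constructed stand-in for "has CAP_SETGID".

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// userNSAttr builds the SysProcAttr for a child that runs in a new user
// namespace, mapping one host uid/gid onto nsUID/nsGID inside it.
// allowSetgroups is copied into GidMappingsEnableSetgroups.
func userNSAttr(hostUID, hostGID, nsUID, nsGID int, allowSetgroups bool) *syscall.SysProcAttr {
	return &syscall.SysProcAttr{
		Cloneflags:                 syscall.CLONE_NEWUSER,
		UidMappings:                []syscall.SysProcIDMap{{ContainerID: nsUID, HostID: hostUID, Size: 1}},
		GidMappings:                []syscall.SysProcIDMap{{ContainerID: nsGID, HostID: hostGID, Size: 1}},
		GidMappingsEnableSetgroups: allowSetgroups,
	}
}

// errSetgroups is returned when the requested mapping cannot be installed.
var errSetgroups = errors.New("GidMappings with setgroups enabled needs CAP_SETGID in the parent namespace")

// checkUserNSAttr applies the kernel rule from user_namespaces(7): a parent
// without CAP_SETGID may write gid_map only after setgroups has been denied
// (Go writes "deny" when GidMappingsEnableSetgroups is false). Leaving
// setgroups enabled there makes the gid_map write, and so cmd.Run, fail.
func checkUserNSAttr(attr *syscall.SysProcAttr, parentHasCapSetgid bool) error {
	if attr.GidMappings != nil && attr.GidMappingsEnableSetgroups && !parentHasCapSetgid {
		return errSetgroups
	}
	return nil
}

func main() {
	isRoot := os.Getuid() == 0 // constructed stand-in for "has CAP_SETGID in the parent namespace"
	attr := userNSAttr(os.Getuid(), os.Getgid(), 0, 0, isRoot)
	if err := checkUserNSAttr(attr, isRoot); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// The child reports whether setgroups was denied and which ids it sees.
	cmd := exec.Command("/bin/sh", "-c", "echo setgroups=$(cat /proc/self/setgroups); id")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = attr
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "run:", err)
	}
}
```

Run as an unprivileged user the child prints setgroups=deny; as root it prints setgroups=allow, which is the situation the answer above hit.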