Fix command exec's WithUid (RunAsUser) when running as self #1682
I've been trying to test my new check that uses the `kolide_brew_upgradeable` table, when I kept hitting an issue in Live Query where all devices returned no results. I could easily get results locally, so I wasn't sure what was going on.

After more testing locally, I saw the error `fork/exec /opt/homebrew/bin/brew: operation not permitted`, and after some digging online I came to this post.

Basically the syscall `SYS_SETGROUPS` requires elevated permissions, so a non-root user attempting to set the groups causes an `EPERM` error. There is a fix inside the `Credential` structure: `NoSetGroups`, but I figured since we are already running as the user, we can just early exit instead of adding that flag.

Outside of this issue, I had thought that the queries in Live Query go through a sudoed instance of launcher, but perhaps I was mistaken on that?
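
The early exit described in this pull request, sketched as an added example (this is not launcher's code or the code from this PR). The helper names `credentialFor` and `runAs` and the use of `id -u` as the child command are assumptions made for illustration; `syscall.Credential` and `syscall.SysProcAttr` are the standard library types the description refers to.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// credentialFor (hypothetical helper) returns the Credential a child process
// needs, or nil when the caller already runs as the target user. With a
// non-nil Credential and NoSetGroups unset, the Go runtime calls
// setgroups(2) in the child, which fails with EPERM for an unprivileged caller.
func credentialFor(currentUid int, targetUid, targetGid uint32) *syscall.Credential {
	if currentUid == int(targetUid) {
		return nil // early exit: nothing to switch, so no setgroups call
	}
	return &syscall.Credential{Uid: targetUid, Gid: targetGid}
}

// runAs (hypothetical helper) runs a command as the given uid/gid and only
// attaches a Credential when a user switch is actually required.
func runAs(targetUid, targetGid uint32, name string, args ...string) ([]byte, error) {
	cmd := exec.Command(name, args...)
	if cred := credentialFor(os.Geteuid(), targetUid, targetGid); cred != nil {
		cmd.SysProcAttr = &syscall.SysProcAttr{Credential: cred}
	}
	return cmd.CombinedOutput()
}

func main() {
	uid, gid := uint32(os.Getuid()), uint32(os.Getgid())

	// Forcing a Credential for our own uid reproduces the failure when the
	// process is not root: "fork/exec ...: operation not permitted".
	forced := exec.Command("id", "-u")
	forced.SysProcAttr = &syscall.SysProcAttr{
		Credential: &syscall.Credential{Uid: uid, Gid: gid},
	}
	_, err := forced.CombinedOutput()
	fmt.Printf("forced credential: err=%v\n", err)

	// With the early exit the same command runs without any credential change.
	out, err := runAs(uid, gid, "id", "-u")
	fmt.Printf("early exit: out=%q err=%v\n", out, err)
}
```

Run as an unprivileged user, the first call fails and the second succeeds; run as root, both succeed because `setgroups` is permitted.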