fix: drop privileges to original user when running with sudo

When jail is executed with sudo, the subprocess now runs as the original
user instead of root. This is a minimal implementation that only handles
privilege dropping without environment manipulation.

Changes:
- Linux: Check SUDO_UID/SUDO_GID and use syscall.Credential to drop privileges
- macOS: Same privilege dropping logic, preserve original group behavior for non-sudo
- Added proper error handling and debug logging

Now 'sudo jail -- whoami' returns the original username instead of 'root'.

Co-authored-by: f0ssel <[email protected]>

Author: blink-so[bot]

network/linux.go

@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"os"
 	"os/exec"
+	"strconv"
 	"syscall"
 	"time"
 )
@@ -102,6 +103,29 @@ func (l *LinuxJail) Execute(command []string, extraEnv map[string]string) error
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 
+	// Drop privileges to original user if running under sudo
+	if sudoUID := os.Getenv("SUDO_UID"); sudoUID != "" {
+		if sudoGID := os.Getenv("SUDO_GID"); sudoGID != "" {
+			uid, err := strconv.Atoi(sudoUID)
+			if err != nil {
+				l.logger.Warn("Invalid SUDO_UID, subprocess will run as root", "sudo_uid", sudoUID, "error", err)
+			} else {
+				gid, err := strconv.Atoi(sudoGID)
+				if err != nil {
+					l.logger.Warn("Invalid SUDO_GID, subprocess will run as root", "sudo_gid", sudoGID, "error", err)
+				} else {
+					cmd.SysProcAttr = &syscall.SysProcAttr{
+						Credential: &syscall.Credential{
+							Uid: uint32(uid),
+							Gid: uint32(gid),
+						},
+					}
+					l.logger.Debug("Dropping privileges to original user", "uid", uid, "gid", gid)
+				}
+			}
+		}
+	}
+
 	// Start command
 	l.logger.Debug("Starting command", "path", cmd.Path, "args", cmd.Args)
 	err := cmd.Start()

network/macos.go

@@ -89,11 +89,34 @@ func (m *MacOSNetJail) Execute(command []string, extraEnv map[string]string) err
 	cmd.Stderr = os.Stderr
 	cmd.Stdin = os.Stdin
 
-	// Set group ID using syscall (like httpjail does)
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Credential: &syscall.Credential{
-			Gid: uint32(m.groupID),
-		},
+	// Drop privileges to original user if running under sudo
+	if sudoUID := os.Getenv("SUDO_UID"); sudoUID != "" {
+		if sudoGID := os.Getenv("SUDO_GID"); sudoGID != "" {
+			uid, err := strconv.Atoi(sudoUID)
+			if err != nil {
+				m.logger.Warn("Invalid SUDO_UID, subprocess will run as root", "sudo_uid", sudoUID, "error", err)
+			} else {
+				gid, err := strconv.Atoi(sudoGID)
+				if err != nil {
+					m.logger.Warn("Invalid SUDO_GID, subprocess will run as root", "sudo_gid", sudoGID, "error", err)
+				} else {
+					cmd.SysProcAttr = &syscall.SysProcAttr{
+						Credential: &syscall.Credential{
+							Uid: uint32(uid),
+							Gid: uint32(gid),
+						},
+					}
+					m.logger.Debug("Dropping privileges to original user", "uid", uid, "gid", gid)
+				}
+			}
+		}
+	} else {
+		// Set group ID using syscall (original behavior for non-sudo)
+		cmd.SysProcAttr = &syscall.SysProcAttr{
+			Credential: &syscall.Credential{
+				Gid: uint32(m.groupID),
+			},
+		}
 	}
 
 	// Start and wait for command to complete
@@ -334,4 +357,4 @@ func (m *MacOSNetJail) cleanupTempFiles() {
 	if m.mainRulesPath != "" {
 		os.Remove(m.mainRulesPath)
 	}
-}
+}