fix: implement privilege dropping to run subprocess as original user

blink-so[bot] · f0ssel · blink-so[bot] · commit dcd0450039bf · 2025-09-09T19:34:51.000Z
This is the core fix for sudo environment preservation. Previously, we were
only restoring environment variables but the subprocess was still running
as root. Now we properly drop privileges to the original user.

Changes:
- Linux: Use syscall.Credential to set UID/GID of subprocess
- macOS: Use syscall.Credential to set UID/GID, preserve original group behavior for non-sudo
- Both platforms now check SUDO_USER and drop privileges accordingly
- Added proper error handling and debug logging for privilege dropping

Now 'sudo jail -- whoami' will return the original username instead of 'root'.

Co-authored-by: f0ssel &lt;19379394+f0ssel@users.noreply.github.com&gt;
diff --git a/network/linux.go b/network/linux.go
@@ -110,6 +110,27 @@ func (l *LinuxJail) Execute(command []string, extraEnv map[string]string) error
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 
+	// Drop privileges to original user if running under sudo
+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+		uid, err := environment.GetEffectiveUID()
+		if err != nil {
+			l.logger.Warn("Failed to get effective UID, subprocess will run as root", "error", err)
+		} else {
+			gid, err := environment.GetEffectiveGID()
+			if err != nil {
+				l.logger.Warn("Failed to get effective GID, subprocess will run as root", "error", err)
+			} else {
+				cmd.SysProcAttr = &syscall.SysProcAttr{
+					Credential: &syscall.Credential{
+						Uid: uint32(uid),
+						Gid: uint32(gid),
+					},
+				}
+				l.logger.Debug("Dropping privileges to original user", "uid", uid, "gid", gid, "user", sudoUser)
+			}
+		}
+	}
+
 	// Start command
 	l.logger.Debug("Starting command", "path", cmd.Path, "args", cmd.Args)
 	err := cmd.Start()
diff --git a/network/macos.go b/network/macos.go
@@ -97,11 +97,33 @@ func (m *MacOSNetJail) Execute(command []string, extraEnv map[string]string) err
 	cmd.Stderr = os.Stderr
 	cmd.Stdin = os.Stdin
 
-	// Set group ID using syscall (like httpjail does)
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Credential: &syscall.Credential{
-			Gid: uint32(m.groupID),
-		},
+	// Drop privileges to original user if running under sudo
+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+		uid, err := environment.GetEffectiveUID()
+		if err != nil {
+			m.logger.Warn("Failed to get effective UID, subprocess will run as root", "error", err)
+		} else {
+			gid, err := environment.GetEffectiveGID()
+			if err != nil {
+				m.logger.Warn("Failed to get effective GID, subprocess will run as root", "error", err)
+			} else {
+				// Set group ID using syscall (like httpjail does)
+				cmd.SysProcAttr = &syscall.SysProcAttr{
+					Credential: &syscall.Credential{
+						Uid: uint32(uid),
+						Gid: uint32(gid),
+					},
+				}
+				m.logger.Debug("Dropping privileges to original user", "uid", uid, "gid", gid, "user", sudoUser)
+			}
+		}
+	} else {
+		// Set group ID using syscall (like httpjail does) - original behavior for non-sudo
+		cmd.SysProcAttr = &syscall.SysProcAttr{
+			Credential: &syscall.Credential{
+				Gid: uint32(m.groupID),
+			},
+		}
 	}
 
 	// Start and wait for command to complete
