diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index aa3b244195..b748be5085 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -904,8 +904,16 @@ static int get_supplementary_groups( bool keep_groups = false; if (user && gid_is_valid(gid) && gid != 0) { /* First step, initialize groups from /etc/groups */ - if (initgroups(user, gid) < 0) - return -errno; + if (initgroups(user, gid) < 0) { + /* If our primary gid is already the one specified in Group= (i.e. we're running in + * user mode), gracefully handle the case where we have no privilege to re-initgroups(). + * + * Note that group memberships of the current user might have been modified, but + * the change will only take effect after re-login. It's better to continue on with + * existing credentials rather than erroring out. */ + if (!ERRNO_IS_PRIVILEGE(errno) || gid != getgid()) + return -errno; + } keep_groups = true; } diff --git a/test/units/TEST-74-AUX-UTILS.run.sh b/test/units/TEST-74-AUX-UTILS.run.sh index f0799f6ca6..2f120638b5 100755 --- a/test/units/TEST-74-AUX-UTILS.run.sh +++ b/test/units/TEST-74-AUX-UTILS.run.sh @@ -81,6 +81,11 @@ systemd-run --wait --pipe --user --machine=testuser@ \ systemd-run --wait --pipe --user --machine=testuser@ \ bash -xec '[[ "$PWD" == /home/testuser && -n "$INVOCATION_ID" ]]' +# https://github.com/systemd/systemd/issues/39038 +systemd-run --wait --machine=testuser@ --user -p User=testuser true +systemd-run --wait --machine=testuser@ --user -p Group=testuser true +(! systemd-run --wait --machine=testuser@ --user -p Group=testuser -p SupplementaryGroups=root true) + # PrivateTmp=yes implies PrivateUsers=yes for user manager, so skip this if we # don't have unprivileged user namespaces. if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -ne 1 ]]; then