From 5b6643b0afd1c4ff8cd952d249ca2c90e15a4253 Mon Sep 17 00:00:00 2001
From: Quantum
Date: Wed, 15 Mar 2023 21:28:29 -0400
Subject: [PATCH] Use setpriv instead of runuser to avoid extra process

This prevents `runuser` from displaying the judge credentials to everyone on the same machine.
---
 .docker/entry | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.docker/entry b/.docker/entry
index a6e72572c..f6eb04fd2 100755
--- a/.docker/entry
+++ b/.docker/entry
@@ -11,7 +11,7 @@ cd /judge || exit
 case "$1" in
 run) command=(/env/bin/dmoj) ;;
 cli) command=(/env/bin/dmoj-cli) ;;
-test) command=(/env/bin/python3 -- -m dmoj.testsuite testsuite) ;;
+test) command=(/env/bin/python3 -m dmoj.testsuite testsuite) ;;
 *)
 echo "Invalid command, must be one of [run, cli, test]" 1>&2
 exit 1
@@ -19,5 +19,6 @@ test) command=(/env/bin/python3 -- -m dmoj.testsuite testsuite) ;;
 esac
 shift
+export HOME=~judge
 . ~judge/.profile
-exec runuser -u judge "${command[@]}" -- "$@"
+exec setpriv --reuid judge --regid judge --clear-groups "${command[@]}" "$@"
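Review bot: `. ~judge/.profile` still runs as root, before `setpriv` drops privileges, and with the added `export HOME=~judge` it now also runs with HOME pointing at the judge's home directory. If that profile (or anything it sources) is writable by the judge user, its contents execute with root privileges at every container start; sourcing it after the drop would avoid that, for example `exec setpriv --reuid judge --regid judge --clear-groups bash -c '. ~/.profile; exec "$@"' bash "${command[@]}" "$@"`. Separately, `--clear-groups` leaves the process with no supplementary groups and nothing here sets `USER` or `LOGNAME`, so `--init-groups` and explicit exports are worth considering if the judge relies on either. The arguments in `"$@"` also remain readable in the judge process's own command line, so this change removes the extra `runuser` copy rather than the exposure itself, unless the judge rewrites its process title.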