From 3426a24929a39da6fb0153dd00c8b9e7010ec53b Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sat, 28 Mar 2020 12:10:37 -0700
Subject: [PATCH] Add support for impersonating secondary groups
---
 pkg/commands/run.go | 38 +++++++++++++++++++++++++---
 vendor/github.com/spf13/afero/go.mod | 2 ++
 2 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/pkg/commands/run.go b/pkg/commands/run.go
index b60f185b3..e4be00df7 100644
--- a/pkg/commands/run.go
+++ b/pkg/commands/run.go
@@ -21,6 +21,7 @@ import (
 "os"
 "os/exec"
 "os/user"
+ "strconv"
 "strings"
 "syscall"
@@ -79,11 +80,10 @@ func (r *RunCommand) ExecuteCommand(config *v1.Config, buildArgs *dockerfile.Bui
 // If specified, run the command as a specific user
 if userStr != "" {
- uid, gid, err := util.GetUIDAndGIDFromString(userStr, true)
+ cmd.SysProcAttr.Credential, err = impersonate(userStr)
 if err != nil {
- return err
+ return errors.Wrap(err, "impersonate")
 }
- cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uid, Gid: gid}
 }
 env, err := addDefaultHOME(userStr, replacementEnvs)
@@ -113,6 +113,38 @@ func (r *RunCommand) ExecuteCommand(config *v1.Config, buildArgs *dockerfile.Bui
 return nil
 }
+func impersonate(userStr string) (*syscall.Credential, error) {
+ uid, gid, err := util.GetUIDAndGIDFromString(userStr, true)
+ if err != nil {
+ return nil, errors.Wrap(err, "get uid/gid")
+ }
+
+ u, err := util.Lookup(userStr)
+ if err != nil {
+ return nil, errors.Wrap(err, "lookup")
+ }
+ logrus.Infof("user: %+v", u)
+
+ // Handle the case of secondary groups
+ groups := []uint32{41}
+ gidStr, err := u.GroupIds()
+ logrus.Infof("groupstr: %s", gidStr)
+
+ for _, g := range gidStr {
+ i, err := strconv.ParseUint(g, 10, 32)
+ if err != nil {
+ return nil, errors.Wrap(err, "parseuint")
+ }
+ groups = append(groups, uint32(i))
+ }
+
+ return &syscall.Credential{
+ Uid: uid,
+ Gid: gid,
+ Groups: groups,
+ }, nil
+}
+
 // addDefaultHOME adds the default value for HOME if it isn't already set
 func addDefaultHOME(u string, envs []string) ([]string, error) {
 for _, env := range envs {
diff --git a/vendor/github.com/spf13/afero/go.mod b/vendor/github.com/spf13/afero/go.mod
index 086855099..216979990 100644
--- a/vendor/github.com/spf13/afero/go.mod
+++ b/vendor/github.com/spf13/afero/go.mod
@@ -1,3 +1,5 @@
 module github.com/spf13/afero
+go 1.14
+
 require golang.org/x/text v0.3.0
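Review bot: `groups := []uint32{41}` in the new `impersonate` function (pkg/commands/run.go, hunk at -113) seeds every impersonated user's supplementary group list with a hard-coded GID 41, so each RUN command gains that group's access whether or not the user belongs to it; it reads like a debugging leftover and the list should start empty. The error from `u.GroupIds()` is never checked (it is only shadowed inside the loop), so a failed group lookup silently yields a credential holding just the hard-coded group. The two `logrus.Infof` lines print the user record and group list on every RUN at info level, and the second formats a slice with `%s`; debug level with `%v` fits better. `util.Lookup` is not visible in this patch; if it only resolves names present in the passwd database, `USER` values given as a bare numeric uid or as `user:group` may now fail where `GetUIDAndGIDFromString` alone accepted them, which is worth confirming before merge.

```go
	// Handle the case of secondary groups
	gidStrs, err := u.GroupIds()
	if err != nil {
		return nil, errors.Wrap(err, "group ids")
	}
	logrus.Debugf("supplementary groups for %s: %v", userStr, gidStrs)

	// Start empty: only groups the user actually belongs to are granted.
	groups := make([]uint32, 0, len(gidStrs))
	for _, g := range gidStrs {
		// … unchanged: strconv.ParseUint and append to groups …
	}
```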