From 1e5f2b8b348c178a0656f9515917223c49d010d3 Mon Sep 17 00:00:00 2001
From: Marius Gavrilescu <marius@ieval.ro>
Date: Tue, 3 Feb 2015 15:40:37 +0200
Subject: [PATCH] Only run "untrusted" programs under sudo

---
 gruntmaster-exec | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gruntmaster-exec b/gruntmaster-exec
index c824b20..25a44d1 100755
--- a/gruntmaster-exec
+++ b/gruntmaster-exec
@@ -45,7 +45,7 @@ GetOptions(
 
 my $killuser = $ENV{GRUNTMASTER_KILL_USER};
 my @sudo;
-@sudo = (shellwords ($ENV{GRUNTMASTER_SUDO}), '--') if $ENV{GRUNTMASTER_SUDO};
+@sudo = (shellwords ($ENV{GRUNTMASTER_SUDO}), '--') if $ENV{GRUNTMASTER_SUDO} && $nobody;
 $mlimit = 1_000_000_000 if @sudo; # sudo wants a lot of address space
 
 my $ret = fork // die 'Cannot fork';
@@ -94,7 +94,8 @@ if ($ret) {
 	setrlimit RLIMIT_NPROC, $nproc, $nproc or die $! if $nobody;
 	POSIX::setgid $nobody ? 65534 : USER;
 	POSIX::setuid $nobody ? 65534 : GROUP;
-	unshift @ARGV, @sudo if $nobody;
+	unshift @ARGV, @sudo;
+	say STDERR "Execing: ", join ' ', map { "'$_'" } @ARGV;
 	exec @ARGV;
 }
 
-- 
2.30.2