Adjust SetupUser to Fchown all open file descriptors so they're appro…

…priately usable by the forked process

fds.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"io/ioutil"
+	"strconv"
+	"syscall"
+)
+
+func chownFds(uid, gid int) error {
+	fdList, err := ioutil.ReadDir("/proc/self/fd")
+	if err != nil {
+		return err
+	}
+	for _, fi := range fdList {
+		fd, err := strconv.Atoi(fi.Name())
+		if err != nil {
+			// ignore non-numeric file names
+			continue
+		}
+
+		if err = syscall.Fchown(fd, uid, gid); err != nil {
+			// "bad file descriptor" probably just means it no longer exists since we did "readdir", so ignore that
+			if err != syscall.EBADF {
+				return err
+			}
+		}
+	}
+	return nil
+}

setup-user.go

@@ -32,6 +32,9 @@ func SetupUser(u string) error {
 	if err != nil {
 		return fmt.Errorf("get supplementary groups %s", err)
 	}
+	if err := chownFds(execUser.Uid, execUser.Gid); err != nil {
+		return fmt.Errorf("fchown fds %s", err)
+	}
 	if err := syscall.Setgroups(execUser.Sgids); err != nil {
 		return fmt.Errorf("setgroups %s", err)
 	}