feat(unstable): allow specifing gid and uid for subprocess (#11586)

2 files changed, 24 insertions, 0 deletions

diff --git a/runtime/js/40_process.js b/runtime/js/40_process.js
index 543c53c27..782dfe476 100644
--- a/runtime/js/40_process.js
+++ b/runtime/js/40_process.js
@@ -102,6 +102,8 @@
     cwd = undefined,
     clearEnv = false,
     env = {},
+    gid = undefined,
+    uid = undefined,
     stdout = "inherit",
     stderr = "inherit",
     stdin = "inherit",
@@ -114,6 +116,8 @@
       cwd,
       clearEnv,
       env: ObjectEntries(env),
+      gid,
+      uid,
       stdin: isRid(stdin) ? "" : stdin,
       stdout: isRid(stdout) ? "" : stdout,
       stderr: isRid(stderr) ? "" : stderr,
diff --git a/runtime/ops/process.rs b/runtime/ops/process.rs
index b47492e58..e40a15b4b 100644
--- a/runtime/ops/process.rs
+++ b/runtime/ops/process.rs
@@ -63,6 +63,8 @@ pub struct RunArgs {
   cwd: Option<String>,
   clear_env: bool,
   env: Vec<(String, String)>,
+  gid: Option<u32>,
+  uid: Option<u32>,
   stdin: String,
   stdout: String,
   stderr: String,
@@ -123,6 +125,24 @@ fn op_run(
     c.env(key, value);
   }
 
+  #[cfg(unix)]
+  if let Some(gid) = run_args.gid {
+    super::check_unstable(state, "Deno.run.gid");
+    c.gid(gid);
+  }
+  #[cfg(unix)]
+  if let Some(uid) = run_args.uid {
+    super::check_unstable(state, "Deno.run.uid");
+    c.uid(uid);
+  }
+  #[cfg(unix)]
+  unsafe {
+    c.pre_exec(|| {
+      libc::setgroups(0, std::ptr::null());
+      Ok(())
+    });
+  }
+
   // TODO: make this work with other resources, eg. sockets
   if !run_args.stdin.is_empty() {
     c.stdin(subprocess_stdio_map(run_args.stdin.as_ref())?);