drivers/exec: run as nobody by default

libcontainer based drivers (e.g. exec, java) should default to running processes as `nobody` [1]; but libcontainer treats empty user as `root` in our case (either because of default or due to `root` being current user). [1] 94c28a4c6c/website/source/docs/job-specification/task.html.md (task-parameters)
2026-01-06 02:15:43 +03:00 · 2019-01-03 12:36:22 -05:00
parent 136e690d3e
commit 41d6635026
2 changed files with 12 additions and 2 deletions
--- a/drivers/java/driver.go
+++ b/drivers/java/driver.go
@@ -328,11 +328,16 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *cstru
 		return nil, nil, fmt.Errorf("failed to create executor: %v", err)
 	}

+	user := cfg.User
+	if user == "" {
+		user = "nobody"
+	}
+
 	execCmd := &executor.ExecCommand{
 		Cmd:            absPath,
 		Args:           args,
 		Env:            cfg.EnvList(),
-		User:           cfg.User,
+		User:           user,
 		ResourceLimits: true,
 		Resources:      cfg.Resources,
 		TaskDir:        cfg.TaskDir().Dir,