From ea727dff9e7dce1b24f2d493cf3ab4911cd50cb3 Mon Sep 17 00:00:00 2001
From: Seth Hoenig
Date: Thu, 16 Mar 2023 11:31:18 -0500
Subject: [PATCH] artifact: do not set process attributes on darwin (#16511)

This PR fixes the non-root macOS use case where artifact downloads stopped working. It seems setting a Credential on a SysProcAttr used by the exec package will always cause fork/exec to fail - even if the credential contains our own UID/GID or nil UID/GID. Technically we do not need to set this as the child process will inherit the parent UID/GID anyway... and not setting it makes things work again ... /shrug
---
 .../taskrunner/getter/util_default.go | 27 +++++++------------
 .../taskrunner/getter/util_windows.go | 8 +++---
 2 files changed, 13 insertions(+), 22 deletions(-)

diff --git a/client/allocrunner/taskrunner/getter/util_default.go b/client/allocrunner/taskrunner/getter/util_default.go
index 2c738e62e..c32effcad 100644
--- a/client/allocrunner/taskrunner/getter/util_default.go
+++ b/client/allocrunner/taskrunner/getter/util_default.go
@@ -7,23 +7,19 @@ import (
 "syscall"
 )

-// attributes returns the system process attributes to run
-// the sandbox process with
+// attributes is not implemented by default
 func attributes() *syscall.SysProcAttr {
- uid, gid := credentials()
- return &syscall.SysProcAttr{
- Credential: &syscall.Credential{
- Uid: uid,
- Gid: gid,
- },
- }
+ return nil
 }

-// credentials returns the credentials of the user Nomad is running as
+// credentials is not implemented by default
 func credentials() (uint32, uint32) {
- uid := syscall.Getuid()
- gid := syscall.Getgid()
- return uint32(uid), uint32(gid)
+ return 0, 0
+}
+
+// lockdown is not implemented by default
+func lockdown(string, string) error {
+ return nil
 }

 // defaultEnvironment is the default minimal environment variables for Unix-like
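Review bot: The new `credentials()` in util_default.go returns `0, 0`, which is also root's UID/GID, so a caller cannot tell "not implemented" from "run as root". The callers are outside this hunk, so it is worth confirming that nothing on these platforms passes the result to a chown or a `syscall.Credential`. The replacement comments ("is not implemented by default") also lose the reasoning that the commit message gives. I would write `// attributes returns nil so the child inherits the agent's UID/GID; setting Credential makes fork/exec fail for non-root agents on macOS`, and say on `lockdown` that it is a no-op here, so the artifact sandbox process gets none of the restrictions it applies on Linux. The same comment wording applies to the `attributes` and `lockdown` stubs in util_windows.go.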
@@ -35,8 +31,3 @@ func defaultEnvironment(taskDir string) map[string]string {
 "TMPDIR": tmpDir,
 }
 }
-
-// lockdown applies only to Linux
-func lockdown(string, string) error {
- return nil
-}
diff --git a/client/allocrunner/taskrunner/getter/util_windows.go b/client/allocrunner/taskrunner/getter/util_windows.go
index 639b24b45..b78cc9117 100644
--- a/client/allocrunner/taskrunner/getter/util_windows.go
+++ b/client/allocrunner/taskrunner/getter/util_windows.go
@@ -8,17 +8,17 @@ import (
 "syscall"
 )

-// attributes returns the system process attributes to run
-// the sandbox process with
+// attributes is not implemented on Windows
 func attributes() *syscall.SysProcAttr {
- return &syscall.SysProcAttr{}
+ return nil
 }

+// credentials is not implemented on Windows
 func credentials() (uint32, uint32) {
 return 0, 0
 }

-// lockdown has no effect on windows
+// lockdown is not implemented on Windows
 func lockdown(string, string) error {
 return nil
 }