From 04b523dc24904504931f55df45b8c5a26017d557 Mon Sep 17 00:00:00 2001
From: Tam Mach
Date: Mon, 28 Apr 2025 12:45:04 +1000
Subject: [PATCH] starter: Run cilium-envoy with the target uid

Signed-off-by: Tam Mach
---
 starter/main.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/starter/main.cc b/starter/main.cc
index ed3527152..c24a1cedf 100644
--- a/starter/main.cc
+++ b/starter/main.cc
@@ -20,6 +20,7 @@
 #include
 #include
 #include
+#include
 #include "starter/privileged_service_protocol.h"
 #include "starter/privileged_service_server.h"
@@ -166,6 +167,19 @@ int main(int argc, char** argv) {
 }
 envoy_args.push_back(nullptr);
+
+ // Get the file's owner UID
+ struct stat file_stat;
+ if (stat(path, &file_stat) != 0) {
+ perror("stat failed");
+ exit(1);
+ }
+ // Switch to the target user
+ if (setuid(file_stat.st_uid) != 0) {
+ perror("setuid failed");
+ exit(1);
+ }
+
 execv(path, &envoy_args[0]);
 perror("execv");
 exit(1);
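Review bot: The privilege switch added before `execv` in the second hunk changes only the user ID: `setuid(file_stat.st_uid)` leaves the starter's primary and supplementary groups in place, so if the starter runs as root, cilium-envoy would presumably keep those group memberships (such as gid 0) after the switch. Groups have to be dropped first, while the process is still allowed to: `if (setgroups(0, nullptr) != 0 || setgid(file_stat.st_gid) != 0) { perror("setgid failed"); exit(1); }` placed ahead of the `setuid` call (this needs `<grp.h>`). The target uid is also whatever account owns `path`, and `stat` and `execv` each resolve that path separately, so the identity is only as trustworthy as the directory holding the binary. main's body starts and ends outside the hunk and the origin of `path` is not visible here, so a comment such as `// path must be a trusted, non-writable location; its owner decides the uid envoy runs as` would record that assumption, along with what is expected when the binary is root-owned.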