Idea: Make Woodpecker CI pipelines run as the user that triggered it instead of the woodpecker-agent user
Could we put the Woodpecker CI agent into a separate mount namespace, and present it with a limited view of users' $HOMEs, so that it can access their binaries (e.g. Nix stuff or so), but configs…
Regarding your setuid question: https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch01s03.html (has example C code at the end)